From e658d1c4d37ac0d8358104b7e59d8bf42ab43ec7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 16 Mar 2024 00:22:30 +0000
Subject: [PATCH] feat(profile): restrict access to /var/lib/gdm in gnome-shell.
---
apparmor.d/groups/gnome/gnome-shell | 48 ++++++++++++++---------------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 194bd3ab..068498b1 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -244,36 +244,36 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/udev/hwdb.bin r, /etc/xdg/menus/gnome-applications.menu r, - /var/lib/gdm{3,}/.cache/ w, - /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.@{multiarch} rwk, - /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl, - /var/lib/gdm{3,}/.cache/gstreamer-@{int}/ rw, - /var/lib/gdm{3,}/.cache/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, - /var/lib/gdm{3,}/.cache/libgweather/ r, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, - /var/lib/gdm{3,}/.config/dconf/user r, - /var/lib/gdm{3,}/.config/ibus/ rw, - /var/lib/gdm{3,}/.config/ibus/bus/ rw, - /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, - /var/lib/gdm{3,}/.config/pulse/ rw, - /var/lib/gdm{3,}/.config/pulse/client.conf r, - /var/lib/gdm{3,}/.config/pulse/cookie rwk, - /var/lib/gdm{3,}/.local/share/applications/{,**} r, - /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw, - /var/lib/gdm{3,}/.local/share/icc/{,*} rw, - - /var/lib/gdm{3,}/greeter-dconf-defaults r, - /var/lib/AccountsService/icons/* r, /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, /var/lib/flatpak/exports/share/gnome-shell/{,**} r, + owner /var/lib/gdm{3,}/.cache/ w, + owner /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.@{multiarch} rwk, + owner /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl, + owner /var/lib/gdm{3,}/.cache/gstreamer-@{int}/ rw, + owner /var/lib/gdm{3,}/.cache/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, + owner /var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8} rw, + owner /var/lib/gdm{3,}/.cache/libgweather/ r, + owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, + owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw, 
+ owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw, + owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk, + owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, + owner /var/lib/gdm{3,}/.config/dconf/user r, + owner /var/lib/gdm{3,}/.config/ibus/ rw, + owner /var/lib/gdm{3,}/.config/ibus/bus/ rw, + owner /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, + owner /var/lib/gdm{3,}/.config/pulse/ rw, + owner /var/lib/gdm{3,}/.config/pulse/client.conf r, + owner /var/lib/gdm{3,}/.config/pulse/cookie rwk, + owner /var/lib/gdm{3,}/.local/share/applications/{,**} r, + owner /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw, + owner /var/lib/gdm{3,}/.local/share/icc/{,*} rw, + owner /var/lib/gdm{3,}/greeter-dconf-defaults r, + owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**/ r,
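Review bot: Adding `owner` to `/var/lib/gdm{3,}/greeter-dconf-defaults r,` at the end of the new block will deny the greeter's read if that compiled dconf database is not owned by the gdm account; on Debian/Ubuntu it is typically generated by the gdm3 package postinst running as root rather than by the gdm user, so ownership should be checked on a target system and, if the file is root-owned, that single rule kept unqualified as `/var/lib/gdm{3,}/greeter-dconf-defaults r,`. For the cache/config/state paths `owner` is the right lever, since gnome-shell also runs in ordinary user sessions and a user's shell should not be able to read or write the greeter's ibus, pulse or dconf state under a different uid. The hunk also quietly adds `owner /var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8} rw,`, which the commit message does not mention; a word in the description would help a later reviewer distinguish the scope addition from the tightening. The enclosing `profile gnome-shell` block starts and ends outside the hunk.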