fix(profiles): fix slow startup of gnome

at-spi-bus-launcher starts the accessibility bus.
We need to ensure all buses are initially started by the same profile,
otherwise accessibility fails to start.

See #74, #80 & #235
Alexandre Pujol 2023-11-13 22:59:10 +00:00
parent a66debd2fb
commit e99f7de703
2 changed files with 37 additions and 26 deletions


@ -14,6 +14,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/dbus-accessibility> include <abstractions/dbus-accessibility>
include <abstractions/dbus-session> include <abstractions/dbus-session>
include <abstractions/dbus> include <abstractions/dbus>
include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability audit_write, capability audit_write,
@ -41,7 +42,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{bin}/ r, @{bin}/ r,
@{bin}/[a-z0-9]* rPUx, @{bin}/[a-z0-9]* rPUx,
@{lib}/{,at-spi2{,-core}/}at-spi2-registryd rPx, @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235
@{lib}/@{multiarch}/tumbler-1/tumblerd rPUx, @{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
@{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx, @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
@{lib}/* rPUx, @{lib}/* rPUx,
@ -64,11 +65,16 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
/etc/dbus-1/{,**} r, /etc/dbus-1/{,**} r,
/usr/share/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r,
/usr/share/dconf/profile/gdm r,
/usr/share/defaults/**.conf r, /usr/share/defaults/**.conf r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Extra rules for GDM # Extra rules for GDM
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.local/share/icc/ r, /var/lib/gdm{3,}/.local/share/icc/ r,
/var/lib/gdm{3,}/.local/share/icc/edid-*.icc r, /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
# Extra rules for Flatpak # Extra rules for Flatpak
@{system_share_dirs}/dbus-1/{,**} r, @{system_share_dirs}/dbus-1/{,**} r,
@ -87,6 +93,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify w,
@{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/.access rw,
@ -94,6 +101,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
@{PROC}/@{pids}/oom_score_adj rw, @{PROC}/@{pids}/oom_score_adj rw,
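Review bot: The new `rix` rule for at-spi-bus-launcher replaces the explicit `at-spi2-registryd rPx` rule rather than sitting next to it, so when the inline launcher spawns the registry the transition now comes from the catch-all `@{lib}/* rPUx` further down, which falls back to unconfined if the registryd profile is not loaded; keeping `@{lib}/{,at-spi2{,-core}/}at-spi2-registryd rPx,` alongside the new line preserves the stricter behaviour. The gdm Xauthority, dconf profile, greeter-dconf-defaults and cgroup rules added in the later hunks appear to be there only because the launcher now runs inside this profile, so a comment such as `# Needed by at-spi-bus-launcher, run inline (ix) from this profile` above them would stop maintainers from pruning them or mistaking them for dbus-daemon's own needs. The profile's opening and closing lines are outside the hunks shown.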


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2022 Mikhail Morfikov # Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,52 +10,55 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dbus-accessibility>
include <abstractions/dbus-session> include <abstractions/dbus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/X-strict>
network inet stream, # TODO: local only
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*, signal (receive) set=(term hup kill) peer=gdm*,
signal (receive) set=(term hup kill) peer=gnome-session-binary, signal (receive) set=(term hup kill) peer=gnome-session-binary,
signal (send) set=(term hup kill) peer=dbus-daemon,
unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{bin}/dbus-daemon rPx,
@{bin}/dbus-broker-launch rPUx, @{bin}/dbus-broker-launch rPUx,
@{bin}/dbus-daemon rix,
@{lib}/at-spi2-registryd rPx,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/dbus-1/accessibility-services/ r,
/usr/share/dbus-1/accessibility-services/org.a11y.atspi.Registry.service r,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/defaults/at-spi2/accessibility.conf r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.xsession-errors w,
owner /tmp/runtime-*/xauth_@{rand6} r,
owner /tmp/xauth_@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/xauth_@{rand6} r,
/var/lib/lightdm/.Xauthority r,
/var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/lightdm/.Xauthority r,
/var/log/lightdm/seat[0-9]*-greeter.log w, /var/log/lightdm/seat[0-9]*-greeter.log w,
@{run}/systemd/users/@{uid} r,
@{sys}/kernel/security/apparmor/.access rw,
@{sys}/kernel/security/apparmor/features/dbus/mask r,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/oom_score_adj r,
@{PROC}/@{pids}/mounts r,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/attr/apparmor/current r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@{PROC}/1/cgroup r,
owner /dev/tty@{int} rw, # file_inherit owner /dev/tty@{int} rw,
include if exists <local/at-spi-bus-launcher> include if exists <local/at-spi-bus-launcher>
} }
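Review bot: If I read the sides correctly, `@{bin}/dbus-daemon rix,` is the new rule, which means the accessibility bus daemon now executes under this launcher profile instead of under dbus-daemon; a comment next to it cross-referencing the matching `rix` rule in the dbus-daemon profile, e.g. `# Run inline so that both buses share one profile, see #74, #80 & #235`, would make the mutual arrangement visible from either file. The five `network inet stream` … `network netlink raw` lines appear at both the old and the new position, with `# TODO: local only` attached to one copy; whichever copy is kept, the TODO is worth resolving or at least restating on the surviving line rather than silently carried forward. The new `@{PROC}/@{pids}/mounts r,` rule is unscoped while the neighbouring proc rules use `owner @{PROC}/@{pid}/...`; if the launcher only reads its own mount table, `owner @{PROC}/@{pid}/mounts r,` is the tighter form.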