diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 7974cd6f..fb1309a2 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/evolution-data-server/evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include + include include include include @@ -16,10 +17,10 @@ profile evolution-alarm-notify @{exec_path} { include @{exec_path} mr, - + + /usr/share/evolution-data-server/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index e2a6c608..297f3559 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -18,6 +18,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_nice, + network netlink raw, + ptrace (read) peer=unconfined, signal (send) set=(term), @@ -45,7 +47,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/[0-9]*.ref r, @{run}/systemd/userdb/ r, @{run}/systemd/users/@{uid} r, + @{run}/udev/tags/master-of-seat/ r, + @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 9900d989..abec60de 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include + include include include include 
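Review bot: The two lines added to the gdm profile in this hunk, `network netlink raw,` and `ptrace (read) peer=unconfined,`, are both coarse grants and neither carries a comment explaining what triggered them. AppArmor cannot narrow a netlink rule to a single netlink family, and ptrace read against unconfined peers lets gdm (normally running as root) read the /proc state of any unconfined process, so the rationale belongs next to the rule rather than only in the commit history. Something like `network netlink raw, # presumably udev/uevent monitoring, see the master-of-seat tag read below — TODO confirm` and `ptrace (read) peer=unconfined, # TODO: document which session-process information gdm reads` would let a later audit tell these apart from unrelated netlink or ptrace use.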
@@ -43,22 +44,21 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, + @{sys}/devices/pci[0-9]*/**/revision r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, /dev/ r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 35789c25..2b61e831 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -9,7 +9,9 @@ include @{exec_path} = /{usr/,}lib/gnome-calculator-search-provider profile gnome-calculator-search-provider @{exec_path} { include + include include + include signal (send) set=kill peer=unconfined, @@ -19,14 +21,13 @@ profile gnome-calculator-search-provider @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, /usr/share/icons/{,**} r, - - include + owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/fd/ r, - - owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{PROC}/@{pids}/cmdline r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 78352bfb..43801fa1 100644 
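Review bot: The removal of `owner @{run}/user/@{uid}/gdm/Xauthority r,` from gjs-console here, and likewise in gnome-calendar and gnome-control-center-search-provider, is only safe if the abstraction added at the top of each of those profiles grants that read; the include targets are not visible in this rendering, so that cannot be confirmed from the diff. Meanwhile gnome-calculator-search-provider, gsd-keyboard and gsd-xsettings keep an explicit Xauthority rule after the same kind of include is added, so the set of profiles ends up inconsistent either way: the explicit rule is redundant in the profiles that keep it, or missing in the ones that drop it. If the new abstraction does cover it, drop the leftover copies too; if not, X11 clients of the three trimmed profiles will lose their cookie under GDM-launched sessions. Naming the abstraction that now owns the dconf and Xauthority rules in the commit message would settle this.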
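Review bot: `owner @{PROC}/@{pids}/cmdline r,` at the end of gnome-calculator-search-provider grants reads of the command line of every same-uid process, not just the provider's own (`@{pid}`), and the hunk gives no reason for the wider scope. Command lines are a common place for secrets to leak (tokens or passwords passed as arguments), so a search provider reading other processes' argv deserves an explanation next to the rule; if the need is to identify a single peer, say so in a trailing comment, e.g. `owner @{PROC}/@{pids}/cmdline r, # TODO: document why other processes' cmdline is needed`, and if only the own-process read is actually exercised, narrow it back to `@{pid}`.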
--- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -9,12 +9,14 @@ include @{exec_path} = /{usr/,}bin/gnome-calendar profile gnome-calendar @{exec_path} { include + include include include include include include include + include network netlink raw, @@ -23,10 +25,8 @@ profile gnome-calendar @{exec_path} { /usr/share/libgweather/Locations.xml r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1df277f8..62ee3d0c 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -14,6 +14,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -61,7 +62,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, @@ -82,6 +82,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/ r, @{run}/systemd/sessions/[0-9]* r, + @{run}/udev/data/+dmi:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci* r, @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* 
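Review bot: `owner @{user_cache_dirs}/mesa_shader_cache/index rw,` is dropped from gnome-control-center in this hunk and from gnome-control-center-print-renderer, together with `@{PROC}/sys/dev/i915/perf_stream_paranoid r,` in the later hunks of both files, while gsd-xsettings keeps its copy of the mesa_shader_cache rule after reordering. Presumably the abstraction added at the top of these profiles now carries the Mesa rules, but its name is not visible in this rendering, so the three profiles are inconsistent either way: if the abstraction covers them the gsd-xsettings line is redundant, and if it does not the two removals will surface as new denials when shaders get cached. Either keep the explicit rule in all three profiles or remove it from all three, and name the covering abstraction in the commit message.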
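Review bot: The new `@{run}/udev/data/+dmi:* r,` line in gnome-control-center sits among rules that each carry a trailing purpose comment (`# for mouse, keyboard, touchpad`, `# for /dev/input/*`) but has none itself. Keeping that convention is what makes the udev data grants auditable later; something like `@{run}/udev/data/+dmi:* r, # for system information (DMI) — TODO confirm which panel needs it` would do, adjusted to whatever panel actually produced the denial.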
@@ -115,7 +116,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/*/comm rw, @{PROC}/cmdline r, - @{PROC}/sys/dev/i915/perf_stream_paranoid r, @{PROC}/zoneinfo r, /dev/ r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 8ad64ae0..beaf1999 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -13,6 +13,7 @@ profile gnome-control-center-print-renderer @{exec_path} { include include include + include include @{exec_path} mr, @@ -28,7 +29,6 @@ profile gnome-control-center-print-renderer @{exec_path} { /var/lib/flatpak/exports/share/icons/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_share_dirs}/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, @@ -44,7 +44,6 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, - @{PROC}/sys/dev/i915/perf_stream_paranoid r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 938813ff..ca0d2141 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -9,18 +9,18 @@ include @{exec_path} = /{usr/,}lib/gnome-control-center-search-provider profile gnome-control-center-search-provider @{exec_path} { include + include include include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, include if exists 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0b27b6f7..db59b51a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,6 +11,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -43,8 +44,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{libexec}/* rPUx, /usr/share/backgrounds/{,**} r, + /usr/share/dconf/profile/gdm r, /usr/share/desktop-directories/{,*.directory} r, /usr/share/egl/{,**} r, + /usr/share/evolution-data-server/icons/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -64,6 +67,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/ibus/ rw, /var/lib/gdm/.config/ibus/bus/ rw, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, @@ -73,6 +77,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.local/share/applications/{,**} r, /var/lib/gdm/.local/share/gnome-shell/ rw, + /var/lib/flatpak/app/**/gnome-shell/{,**} r, + /var/lib/flatpak/exports/share/gnome-shell/{,**} r, + owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, 
@@ -96,23 +103,21 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, - /var/lib/gdm/.config/dconf/user r, - - owner @{run}/user/@{uid}/gnome-shell/{,**} rw, - owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, - owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, + owner @{run}/user/@{uid}/gnome-shell/{,**} rw, + owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, - /var/lib/flatpak/app/**/gnome-shell/{,**} r, - /var/lib/flatpak/exports/share/gnome-shell/{,**} r, + owner /tmp/.X[0-9]-lock rw, + owner /tmp/[0-9A-Z]*.shell-extension.zip rw, + owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, + /tmp/.X11-unix/X[0-9] rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat[0-9]* r, @@ -172,13 +177,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, /dev/input/event[0-9]* rw, - - owner /tmp/.X[0-9]-lock rw, - owner /tmp/[0-9A-Z]*.shell-extension.zip rw, - owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, - /tmp/.X11-unix/X[0-9] rw, - - # file_inherit /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index e24e8324..09c811c2 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -10,6 +10,7 @@ include profile gnome-tweaks @{exec_path} { include include + include include include 
@@ -19,17 +20,21 @@ profile gnome-tweaks @{exec_path} { /{usr/,}bin/ps rPx, /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{*/,**/}__pycache__/*pyc* w, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-tweaks/{,**} r, /etc/xdg/autostart/{,**} r, + owner @{user_cache_dirs}/thumbnails/{,**} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, + owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/recently-used.xbel* rw, owner @{user_share_dirs}/sounds/ r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 682d6e13..c6c371c8 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -17,20 +18,21 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, + /var/lib/gdm/.config/dconf/user r, + /var/lib/gdm/.config/.gsd-keyboard.settings-ported* rw, + + owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/ rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, - - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, - /var/lib/gdm/.config/dconf/user r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index b02881df..2ab11410 100644 
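Review bot: `/{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{*/,**/}__pycache__/*pyc* w,` grants gnome-tweaks write access to compiled bytecode under the system site-packages, which is a code-integrity concern: whenever the process runs with enough privilege for the write to succeed, it can replace bytecode that every later import of gtweak executes. For an unprivileged user the write fails on file permissions anyway, so the rule mostly buys silence in the audit log; if that is the goal, a `deny` rule on the same path keeps the log quiet without granting the write, and if the write is genuinely wanted it should be narrowed to `*.pyc` (the `*pyc*` glob also matches unrelated names) and given a comment explaining the case that needs it. The rest of the hunk (thumbnails, backgrounds and gvfs-metadata reads) raises nothing.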
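Review bot: The new pair `/var/lib/gdm/.config/.gsd-keyboard.settings-ported* rw,` and `owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,` in gsd-keyboard differ only in the `owner` qualifier, and the same asymmetry appears in gsd-sound with `/var/lib/gdm/.local/share/sounds/ rw,` beside `owner @{user_share_dirs}/sounds/ rw,`. If the greeter instance of these daemons runs as the gdm user, which the `/var/lib/gdm/.config/dconf/user` reads make plausible but do not prove, `owner` would hold there as well and the two rules could be symmetric, closing the gap where any uid confined by this profile could write the gdm-owned file. If the gdm-side write really must work without `owner`, a short trailing comment saying why would keep the difference from being "fixed" later.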
--- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -9,23 +9,26 @@ include @{exec_path} = /{usr/,}lib/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include + include + include signal (receive) set=(term, hup) peer=gdm*, @{exec_path} mr, + /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/machine-id r, + /var/lib/gdm/.local/share/sounds/ rw, + /var/lib/gdm/.config/dconf/user r, owner @{user_share_dirs}/sounds/ rw, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, - /var/lib/gdm/.config/dconf/user r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index d21fea03..accbc496 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include include 
@@ -25,26 +26,26 @@ profile gsd-xsettings @{exec_path} { @{exec_path} mr, - /{usr/,}bin/busctl rPx, - /{usr/,}bin/pactl rPx, - /{usr/,}bin/xrdb rPx, + /{usr/,}bin/busctl rPx, + /{usr/,}bin/pactl rPx, + /{usr/,}bin/xrdb rPx, + /{usr/,}lib/ibus/ibus-x11 rPx, + /usr/share/dconf/profile/gdm r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gdm/greeter-dconf-defaults r, /etc/xdg/Xwayland-session.d/ r, /etc/xdg/Xwayland-session.d/* rix, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, - - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, /var/lib/gdm/.config/dconf/user r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, + owner @{user_cache_dirs}/mesa_shader_cache/index rw, + + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{PROC}/@{pid}/fd/ r,