feat: support for gnome 42.
This commit is contained in:
parent
57df9ee898
commit
ef9c451559
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}lib/evolution-data-server/evolution-alarm-notify
|
||||
profile evolution-alarm-notify @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/nameservice-strict>
|
||||
@ -17,9 +18,9 @@ profile evolution-alarm-notify @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/evolution-data-server/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
@ -18,6 +18,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
||||
capability net_admin,
|
||||
capability sys_nice,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
signal (send) set=(term),
|
||||
@ -45,7 +47,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
||||
@{run}/systemd/sessions/[0-9]*.ref r,
|
||||
@{run}/systemd/userdb/ r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@{run}/udev/tags/master-of-seat/ r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/boot_vga r,
|
||||
@{sys}/devices/virtual/tty/tty[0-9]*/active r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
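Review bot: `ptrace (read) peer=unconfined,` in the first hunk of the gdm profile grants read-class ptrace access to every unconfined process on the system, and nothing in the hunk says which peer gdm actually needs to inspect. The rendered page has lost the +/- markers, but the hunk header's +2 suggests the lines around `network netlink raw,` are the additions, so this rule is presumably new. A comment next to it such as `# ptrace read on unconfined peers: needed for <which process?>` (placeholder to be filled in) would make the grant reviewable, and if the inspected process is confined by a profile in this tree, `peer=` should name that profile rather than `unconfined`. The profile body continues outside both hunks.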
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}bin/gjs-console
|
||||
profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
@ -43,22 +44,21 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
@{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
|
||||
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
|
||||
@{sys}/devices/pci[0-9]*/**/revision r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/tty rw,
|
||||
|
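Review bot: `@{run}/user/@{uid}/wayland-cursor-shared-* rw,` in the second hunk of the gjs-console profile is the only `@{run}/user/@{uid}/` rule in the hunk without the `owner` qualifier; the neighbouring dconf, `gdm/Xauthority` and `@{PROC}/@{pid}` rules all carry it. Unless another user's cursor buffer genuinely has to be writable, make it `owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,` so the rule matches its siblings. Whether this line is new or context is not recoverable from the rendered page, and the profile's closing brace is outside the hunk.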
@ -9,7 +9,9 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}lib/gnome-calculator-search-provider
|
||||
profile gnome-calculator-search-provider @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
|
||||
signal (send) set=kill peer=unconfined,
|
||||
|
||||
@ -20,13 +22,12 @@ profile gnome-calculator-search-provider @{exec_path} {
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
/usr/share/icons/{,**} r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{PROC}/@{pids}/cmdline r,
|
||||
|
||||
include if exists <local/gnome-calculator-search-provider>
|
||||
}
|
||||
|
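Review bot: `signal (send) set=kill peer=unconfined,` in the first hunk of gnome-calculator-search-provider lets the search provider SIGKILL any unconfined process running as the same user, and the hunk gives no reason for it. If the target is a specific helper confined by a profile in this tree, narrowing `peer=` to that profile is the least-privilege form; otherwise the rule should carry a comment stating which process it terminates and why. In the second hunk, `owner @{PROC}/@{pids}/cmdline r,` uses `@{pids}` while every other profile on this page uses `@{pid}`; if `@{pids}` is not a variable defined in this tree's tunables the parser will reject the profile, so confirm it resolves or change it to `owner @{PROC}/@{pid}/cmdline r,`.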
@ -9,12 +9,14 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}bin/gnome-calendar
|
||||
profile gnome-calendar @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@ -23,10 +25,8 @@ profile gnome-calendar @{exec_path} {
|
||||
/usr/share/libgweather/Locations.xml r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
include if exists <local/gnome-calendar>
|
||||
|
@ -14,6 +14,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
@ -61,7 +62,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{HOME}/.cat_installer/ca.pem r,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
owner @{user_cache_dirs}/thumbnails/{,**} rw,
|
||||
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
|
||||
@ -82,6 +82,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
@{run}/systemd/sessions/ r,
|
||||
@{run}/systemd/sessions/[0-9]* r,
|
||||
|
||||
@{run}/udev/data/+dmi:* r,
|
||||
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
|
||||
@{run}/udev/data/+pci* r,
|
||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||
@ -115,7 +116,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{PROC}/@{pid}/statm r,
|
||||
owner @{PROC}/@{pid}/task/*/comm rw,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||
@{PROC}/zoneinfo r,
|
||||
|
||||
/dev/ r,
|
||||
|
@ -13,6 +13,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/opencl-nvidia>
|
||||
|
||||
@{exec_path} mr,
|
||||
@ -28,7 +29,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
owner @{user_share_dirs}/icons/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
@ -44,7 +44,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||
|
||||
include if exists <local/gnome-control-center-print-renderer>
|
||||
}
|
||||
|
@ -9,18 +9,18 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}lib/gnome-control-center-search-provider
|
||||
profile gnome-control-center-search-provider @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
include if exists <local/gnome-control-center-search-provider>
|
||||
|
@ -11,6 +11,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
@ -43,8 +44,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
@{libexec}/* rPUx,
|
||||
|
||||
/usr/share/backgrounds/{,**} r,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/desktop-directories/{,*.directory} r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/evolution-data-server/icons/{,**} r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/gdm/greeter/applications/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
@ -64,6 +67,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
/var/lib/gdm/.config/ibus/ rw,
|
||||
/var/lib/gdm/.config/ibus/bus/ rw,
|
||||
/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
|
||||
@ -73,6 +77,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
/var/lib/gdm/.local/share/applications/{,**} r,
|
||||
/var/lib/gdm/.local/share/gnome-shell/ rw,
|
||||
|
||||
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
|
||||
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
|
||||
|
||||
owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
|
||||
owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
@ -96,23 +103,21 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_cache_dirs}/media-art/{,**} r,
|
||||
owner @{user_cache_dirs}/vlc/**/*.jpg r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
|
||||
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
|
||||
owner /dev/shm/.org.chromium.Chromium.* rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||
|
||||
/var/lib/flatpak/app/**/gnome-shell/{,**} r,
|
||||
/var/lib/flatpak/exports/share/gnome-shell/{,**} r,
|
||||
owner /tmp/.X[0-9]-lock rw,
|
||||
owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
|
||||
owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
|
||||
/tmp/.X11-unix/X[0-9] rw,
|
||||
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@{run}/systemd/seats/seat[0-9]* r,
|
||||
@ -172,13 +177,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
/dev/input/event[0-9]* rw,
|
||||
|
||||
owner /tmp/.X[0-9]-lock rw,
|
||||
owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
|
||||
owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
|
||||
/tmp/.X11-unix/X[0-9] rw,
|
||||
|
||||
# file_inherit
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/gnome-shell>
|
||||
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||
profile gnome-tweaks @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/python>
|
||||
|
||||
@ -19,17 +20,21 @@ profile gnome-tweaks @{exec_path} {
|
||||
/{usr/,}bin/ps rPx,
|
||||
/{usr/,}bin/python3.[0-9]* rix,
|
||||
|
||||
/{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{*/,**/}__pycache__/*pyc* w,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/gnome-tweaks/{,**} r,
|
||||
|
||||
/etc/xdg/autostart/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/thumbnails/{,**} r,
|
||||
owner @{user_config_dirs}/autostart/{,*.desktop} r,
|
||||
owner @{user_share_dirs}/backgrounds/{,**} r,
|
||||
owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
|
||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
owner @{user_share_dirs}/recently-used.xbel* rw,
|
||||
owner @{user_share_dirs}/sounds/ r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
|
||||
|
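Review bot: `/{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{*/,**/}__pycache__/*pyc* w,` in the second hunk of gnome-tweaks grants write access under the system site-packages tree, i.e. to the bytecode python3 loads when gnome-tweaks itself runs. Whether this line is new or context cannot be recovered from the rendered page. On a normal install that directory is root-owned and the write fails on DAC regardless, so the rule only takes effect when the path is user-writable, which is precisely the case where a profile should not be allowing writes to loadable code; drop the `w` rule (CPython simply skips writing the cache when it cannot) or document the deployment that needs it with a comment on the line. The profile's closing brace is outside the hunk.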
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}lib/gsd-keyboard
|
||||
profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/gtk>
|
||||
@ -17,20 +18,21 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
/var/lib/gdm/.config/.gsd-keyboard.settings-ported* rw,
|
||||
|
||||
owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
|
||||
owner @{user_share_dirs}/gnome-settings-daemon/ rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
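Review bot: `/var/lib/gdm/.config/.gsd-keyboard.settings-ported* rw,` in the second hunk of gsd-keyboard is unqualified, while its user-session counterpart two lines below is `owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,`. The greeter instance presumably runs as the gdm user, so `owner /var/lib/gdm/.config/.gsd-keyboard.settings-ported* rw,` should still match there and keeps a user-session instance from writing into the greeter's config directory; confirm against the greeter's uid before changing it. The same pattern appears in the gsd-sound section below, where `/var/lib/gdm/.local/share/sounds/ rw,` is unqualified but its twin `owner @{user_share_dirs}/sounds/ rw,` is not.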
@ -9,23 +9,26 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}lib/gsd-sound
|
||||
profile gsd-sound @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
/var/lib/gdm/.local/share/sounds/ rw,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner @{user_share_dirs}/sounds/ rw,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||
@{exec_path} = /{usr/,}lib/gsd-xsettings
|
||||
profile gsd-xsettings @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
@ -28,23 +29,23 @@ profile gsd-xsettings @{exec_path} {
|
||||
/{usr/,}bin/busctl rPx,
|
||||
/{usr/,}bin/pactl rPx,
|
||||
/{usr/,}bin/xrdb rPx,
|
||||
/{usr/,}lib/ibus/ibus-x11 rPx,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
|
||||
/etc/xdg/Xwayland-session.d/ r,
|
||||
/etc/xdg/Xwayland-session.d/* rix,
|
||||
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
|
||||
include <abstractions/dconf>
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/var/lib/gdm/.config/dconf/user r,
|
||||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
||||
|
||||
owner @{run}/user/@{uid}/dconf/ rw,
|
||||
owner @{run}/user/@{uid}/dconf/user rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
|
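Review bot: the character class in `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,` (second hunk of gsd-xsettings, printed twice because the rule is moved) has a lowercase `z` in `A-z`, so the range also covers `[`, `\`, `]`, `^`, `_` and backtick rather than only upper-case letters; it should read `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-Z0-9]* r,`. The gnome-shell section above spells the same file as `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,`, so the two profiles disagree on which characters the suffix may contain; pick the class that matches how mutter generates the name and use it in both. The profile's remaining rules and closing brace are outside the hunk.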