From f4a66a3b8ef6a6f346fcd359e22c07e99769bd4d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 5 Apr 2024 23:32:00 +0100
Subject: [PATCH] feat(profile): add all major xfce profiles.
---
apparmor.d/groups/xfce/startxfce | 6 +-
apparmor.d/groups/xfce/thunar | 50 +++++++++++++++++
apparmor.d/groups/xfce/thunar-volman | 29 ++++++++++
apparmor.d/groups/xfce/tumblerd | 29 ++++++++++
apparmor.d/groups/xfce/xfce-appfinder | 24 ++++++++
apparmor.d/groups/xfce/xfce-clipman-settings | 21 +++++++
apparmor.d/groups/xfce/xfce-mime-helper | 17 ++++++
apparmor.d/groups/xfce/xfce-panel | 55 +++++++++++++++++++
apparmor.d/groups/xfce/xfce-power-manager | 27 +++++++++
apparmor.d/groups/xfce/xfce-screensaver | 31 +++++++++++
apparmor.d/groups/xfce/xfdesktop | 34 ++++++++++++
.../groups/xfce/xfpm-power-backlight-helper | 30 ++++++++++
apparmor.d/groups/xfce/xfsettingsd | 22 ++++++++
apparmor.d/groups/xfce/xfwm | 25 +++++++++
14 files changed, 398 insertions(+), 2 deletions(-)
create mode 100644 apparmor.d/groups/xfce/thunar
create mode 100644 apparmor.d/groups/xfce/thunar-volman
create mode 100644 apparmor.d/groups/xfce/tumblerd
create mode 100644 apparmor.d/groups/xfce/xfce-appfinder
create mode 100644 apparmor.d/groups/xfce/xfce-clipman-settings
create mode 100644 apparmor.d/groups/xfce/xfce-mime-helper
create mode 100644 apparmor.d/groups/xfce/xfce-panel
create mode 100644 apparmor.d/groups/xfce/xfce-power-manager
create mode 100644 apparmor.d/groups/xfce/xfce-screensaver
create mode 100644 apparmor.d/groups/xfce/xfdesktop
create mode 100644 apparmor.d/groups/xfce/xfpm-power-backlight-helper
create mode 100644 apparmor.d/groups/xfce/xfsettingsd
create mode 100644 apparmor.d/groups/xfce/xfwm
diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce
index 8fd6a254..19bc3559 100644
--- a/apparmor.d/groups/xfce/startxfce
+++ b/apparmor.d/groups/xfce/startxfce
@@ -14,8 +14,10 @@ profile startxfce @{exec_path} {
 @{exec_path} mr,
- @{sh_path} rix,
- @{bin}/cat rix,
+ @{sh_path} rix,
+ @{bin}/cat rix,
+ @{bin}/mkdir rix,
+ @{bin}/id rix,
 @{bin}/xfce4-session rPx,
 @{bin}/xrdb rPx,
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
new file mode 100644
index 00000000..d8c4920f
--- /dev/null
+++ b/apparmor.d/groups/xfce/thunar
@@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/thunar
+profile thunar @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/thunar-volman rPx,
+ @{open_path} rPx -> child-open,
+
+ /etc/fstab r,
+ /etc/timezone r,
+
+ # Full access to user's data
+ / r,
+ /*/ r,
+ @{bin}/ r,
+ @{lib}/ r,
+ @{MOUNTDIRS}/ r,
+ @{MOUNTS}/ r,
+ @{MOUNTS}/** rw,
+ owner @{HOME}/{,**} rw,
+ owner @{run}/user/@{uid}/{,**} rw,
+ owner /tmp/{,**} rw,
+
+ # Silence non user's data
+ deny /boot/{,**} r,
+ deny /opt/{,**} r,
+ deny /root/{,**} r,
+ deny /tmp/.* rw,
+ deny /tmp/.*/{,**} rw,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman
new file mode 100644
index 00000000..e86c238d
--- /dev/null
+++ b/apparmor.d/groups/xfce/thunar-volman
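Review bot: thunar's only exec rules are `@{bin}/thunar-volman rPx` and `@{open_path} rPx -> child-open`, so anything Thunar spawns on its own — custom actions from uca.xml, which run user-configured shell commands, and "Open Terminal Here" through exo-open — will be denied unless one of the included abstractions (their names are stripped in this rendering) grants it. Refusing to exec uca.xml commands is a defensible hardening choice for a process that already holds `owner @{HOME}/{,**} rw`, but it has to be written down or the first denial report will get it widened; put `# Custom actions (uca.xml) and terminal launch are deliberately not allowed to exec` above the exec rules. If it is not the intent, `@{bin}/exo-open rPx,` in the same mode the panel profile uses is the minimum addition. Note also that `@{MOUNTS}/** rw` has no `owner` qualifier, unlike the home and /tmp rules, so that asymmetry deserves a one-line reason as well.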
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/thunar-volman
+profile thunar-volman @{exec_path} {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/fstab r,
+
+ @{sys}/devices/virtual/input/input@{int}/{,**/}uevent r,
+
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd
new file mode 100644
index 00000000..0276fdbe
--- /dev/null
+++ b/apparmor.d/groups/xfce/tumblerd
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd
+profile tumblerd @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/backgrounds/xfce/{,**} r,
+ /usr/share/thumbnailers/{,**} r,
+
+ /etc/fstab r,
+ /etc/xdg/tumbler/* r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /dev/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfce-appfinder b/apparmor.d/groups/xfce/xfce-appfinder
new file mode 100644
index 00000000..ab40b518
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-appfinder
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfce4-appfinder
+profile xfce-appfinder @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/desktop-directories/{,**} r,
+
+ /etc/xdg/menus/{,**} r,
+
+ owner @{user_cache_dirs}/xfce4/appfinder/{,**} rw,
+
+ include if exists
+}
\ No newline at end of file
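Review bot: thunar-volman exists to react to hotplugged devices by launching things (the file manager, media players and, when the user has enabled it, autorun programs found on the inserted medium), yet the profile carries no exec rule at all, so every launch is denied unless an include not shown here supplies one. Denying on-media autorun is exactly the behaviour a confinement profile should enforce, but it should be an explicit decision rather than a side effect: add `# No exec rule on purpose: autorun/autoopen payloads from removable media must not run` next to `@{exec_path} mr,`, and give the legitimate launch a confined target such as `@{bin}/thunar rPx,`. `network netlink raw,` is presumably for the libudev device monitor; a trailing `# udev monitor` would keep the next reader from widening it.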
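Review bot: tumblerd is the component in this patch that parses untrusted input (every image, document or video that lands in a folder gets decoded), and the tumblerd hunk lists what it may read under /usr/share and /etc but says nothing about the user files it decodes or where the thumbnails are written; unless an included abstraction (names stripped in this rendering) supplies `owner @{user_cache_dirs}/thumbnails/{,**} rw,`, the daemon either fails or is inheriting broader rights than it needs. `/usr/share/thumbnailers/{,**} r` also suggests the desktop-file thumbnailer plugin is active, which runs the `Exec=` helper named in each entry; with no exec rule those helpers are denied, which is acceptable, but if they are allowed later they should transition with `rPx` to their own profiles rather than `ix`, so a crash in a ffmpeg- or ghostscript-style helper does not inherit tumblerd's read access. Record the choice with `# Thumbnailer helpers (Exec= from /usr/share/thumbnailers) are not allowed to run`.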
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings
new file mode 100644
index 00000000..4f1a2485
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-clipman-settings
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfce4-clipman-settings
+profile xfce-clipman-settings @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r,
+
+ owner @{user_config_dirs}/xfce4/panel/xfce4-clipman-actions.xml rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfce-mime-helper b/apparmor.d/groups/xfce/xfce-mime-helper
new file mode 100644
index 00000000..e151ddd7
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-mime-helper
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfce-mime-helper
+profile xfce-mime-helper @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel
new file mode 100644
index 00000000..368257d8
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-panel
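Review bot: the attachment path `@{exec_path} = @{bin}/xfce-mime-helper` in the xfce-mime-helper hunk does not match the binary the other profiles in this patch call — xfce-panel and xfdesktop both exec `@{bin}/xfce4-mime-helper rix` — so as written this profile attaches to nothing and the helper simply inherits whichever caller ran it. Pick one name (the callers' `@{bin}/xfce4-mime-helper` is the one that has to be right for the `rix` rules to fire at all) and switch those callers to `rPx`, since this helper exists to launch the user's preferred browser, mailer or terminal and that launch should not happen inside the panel's or the desktop's profile. Once it attaches, the profile will also need a confined launch rule (or a documented `rPUx`) for the applications it dispatches to, because it currently has no exec rule of its own.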
@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0
+profile xfce-panel @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/exo-open rix,
+ @{bin}/xfce4-mime-helper rix,
+ @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
+ @{lib}/gio-launch-desktop rix,
+
+ @{bin}/sudo rCx -> root,
+
+ /usr/share/desktop-directories/{,**} r,
+ /usr/share/livecheck/** r,
+ /usr/share/xfce4/{,**} r,
+
+ /etc/fstab r,
+ /etc/machine-id r,
+ /etc/timezone r,
+ /etc/xdg/menus/{,**} r,
+ /etc/xdg/xfce4/{,**} r,
+
+ owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw,
+ owner @{user_config_dirs}/xfce4/panel/{,**} rw,
+
+ @{PROC}/cmdline r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ profile root {
+ include
+ include
+
+ @{bin}/lsblk rPx,
+
+ include if exists
+ }
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager
new file mode 100644
index 00000000..0dce5ee1
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-power-manager
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfce4-power-manager
+profile xfce-power-manager @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/xfpm-power-backlight-helper rPx,
+
+ /etc/xdg/autostart/xfce4-power-manager.desktop r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/stat r,
+
+ @{run}/systemd/inhibit/*.ref rw,
+
+ include if exists
+}
\ No newline at end of file
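Review bot: `@{bin}/sudo rCx -> root` in the xfce-panel hunk is the one privilege boundary in this patch and it comes with no explanation of which panel plugin needs to run `lsblk` as root; it needs a comment above it such as `# <plugin name>: runs 'sudo lsblk' to enumerate block devices`, because the next person to see a denial under `root` will be tempted to widen that child profile. The child is tight — only `@{bin}/lsblk rPx` beyond two includes whose targets are not visible here — so keep it that way, and make sure those includes actually give sudo what it needs (sudoers, PAM, `capability setuid,setgid,audit_write`) or it will fail in a way that looks like a plugin bug. Separately, `gio-launch-desktop rix` with no generic launch rule means programs started from panel launchers run under this profile and are denied unless an include grants them; if launchers are expected to work that should be an explicit, commented `rPUx` rule rather than something discovered from audit logs.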
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver
new file mode 100644
index 00000000..3f6724d0
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-screensaver
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfce4-screensaver
+profile xfce-screensaver @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/pidof rix,
+ @{bin}/wc rix,
+
+ @{lib}/xfce4-screensaver-dialog rix,
+ @{lib}/xfce4-screensaver-gl-helper rix,
+
+ /etc/xdg/menus/xfce4-screensavers.menu r,
+
+ @{run}/systemd/inhibit/*.ref rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop
new file mode 100644
index 00000000..85c963ea
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfdesktop
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfdesktop
+profile xfdesktop @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/xfce4-mime-helper rix,
+
+ /usr/share/backgrounds/xfce/{,**} r,
+
+ /etc/fstab r,
+
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+
+ owner @{user_config_dirs}/Thunar/{,**} rw,
+ owner @{user_config_dirs}/xfce4/desktop/{,**} rw,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ deny @{user_share_dirs}/gvfs-metadata/{,*} r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfpm-power-backlight-helper b/apparmor.d/groups/xfce/xfpm-power-backlight-helper
new file mode 100644
index 00000000..4ee8ce1e
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfpm-power-backlight-helper
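Review bot: `@{lib}/xfce4-screensaver-dialog rix` in the xfce-screensaver hunk runs the unlock dialog — the code that takes the user's password and talks to PAM — inside the screensaver's own profile, so the lock screen now depends on this profile carrying the authentication abstractions and an exec rule for PAM's `unix_chkpwd` helper, neither of which is visible here because the include targets are stripped in this rendering. If they are missing the unlock fails and the user is locked out; if they are present, the screensaver daemon itself has been given password-handling rights it does not need. Split it: `@{lib}/xfce4-screensaver-dialog rPx,` into a dedicated profile that holds the PAM/authentication rules and `/{usr/,}sbin/unix_chkpwd rPx,`, leaving this profile with the lock, inhibit and `@{sh_path}`/`pidof`/`wc` rights only. The `@{sh_path} rix` line also deserves a comment saying which script the daemon runs, since an unconstrained shell inherit in a lock-screen profile is the kind of rule that should be justified in place.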
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfpm-power-backlight-helper
+profile xfpm-power-backlight-helper @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.xsession-errors w,
+
+ @{sys}/class/backlight/ r,
+ @{sys}/class/leds/ r,
+ @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r,
+ @{sys}/devices/@{pci}/backlight/**/{uevent,type} r,
+ @{sys}/devices/@{pci}/backlight/**/brightness rw,
+ @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r,
+ @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r,
+ @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw,
+ @{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw,
+ @{sys}/devices/@{pci}/intel_backlight/type r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd
new file mode 100644
index 00000000..f2e61e20
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfsettingsd
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfsettingsd
+profile xfsettingsd @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/xdg/autostart/xfsettingsd.desktop r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm
new file mode 100644
index 00000000..ffe99304
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfwm
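Review bot: `@{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw` in the xfpm-power-backlight-helper hunk grants write on `max_brightness`, which the helper has no reason to set and which the two other backlight blocks in the same hunk correctly keep at `r`; split it into `@{sys}/devices/@{pci}/intel_backlight/max_brightness r,` and `@{sys}/devices/@{pci}/intel_backlight/brightness rw,` so the only writable sysfs node in the profile is `brightness`. This helper is the one piece of the patch that writes to sysfs, and if, as its name suggests, it runs with elevated rights, every `w` should be pinned to exactly the attribute it changes. `owner @{HOME}/.xsession-errors w` only matches while the helper runs as the session user; whether that is the case is not determinable from the hunk, so a comment stating which uid the helper is expected to run under would make the rule reviewable.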
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfwm4
+profile xfwm @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/xfwm4/{,**} r,
+
+ /etc/machine-id r,
+
+ include if exists
+}
\ No newline at end of file
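Review bot: every profile added by this patch, xfwm included, is committed without a trailing newline (`\ No newline at end of file` closes each hunk), which makes every future edit to the last line show up as a two-line diff; end each file with a newline after the closing `}`. Beyond that, xfwm's policy is almost entirely in its six `include` lines, whose targets are not visible in this rendering, so I cannot tell whether `/etc/machine-id r` is already granted by one of them; if it is, drop the duplicate, otherwise keep it with a short reason comment so the rule is not mistaken for an accident.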