feat(profile): add all major xfce profiles.

apparmor.d/groups/xfce/startxfce

@@ -14,8 +14,10 @@ profile startxfce @{exec_path} {
 
   @{exec_path} mr,
 
-  @{sh_path}  rix,
+  @{sh_path}    rix,
-  @{bin}/cat  rix,
+  @{bin}/cat    rix,
+  @{bin}/mkdir  rix,
+  @{bin}/id     rix,
 
   @{bin}/xfce4-session                       rPx,
   @{bin}/xrdb                                rPx,

apparmor.d/groups/xfce/thunar

@@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/thunar
+profile thunar @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/deny-sensitive-home>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/nameservice-strict>
+  include <abstractions/trash-strict>
+  include <abstractions/xfce>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  @{bin}/thunar-volman rPx,
+  @{open_path} rPx -> child-open,
+
+  /etc/fstab r,
+  /etc/timezone r,
+
+  # Full access to user's data
+  / r,
+  /*/ r,
+  @{bin}/ r,
+  @{lib}/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/** rw,
+  owner @{HOME}/{,**} rw,
+  owner @{run}/user/@{uid}/{,**} rw,
+  owner /tmp/{,**} rw,
+
+  # Silence non user's data
+  deny /boot/{,**} r,
+  deny /opt/{,**} r,
+  deny /root/{,**} r,
+  deny /tmp/.* rw,
+  deny /tmp/.*/{,**} rw,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
+  include if exists <local/thunar>
+}

apparmor.d/groups/xfce/thunar-volman

@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/thunar-volman
+profile thunar-volman @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/xfce>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/fstab r,
+
+  @{sys}/devices/virtual/input/input@{int}/{,**/}uevent r,
+
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
+  include if exists <local/thunar-volman>
+}

apparmor.d/groups/xfce/tumblerd

@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd
+profile tumblerd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/gstreamer>
+  include <abstractions/nameservice-strict>
+  include <abstractions/thumbnails-cache-write>
+
+  @{exec_path} mr,
+
+  /usr/share/backgrounds/xfce/{,**} r,
+  /usr/share/thumbnailers/{,**} r,
+
+  /etc/fstab r,
+  /etc/xdg/tumbler/* r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
+  /dev/ r,
+
+  include if exists <local/tumblerd>
+}

apparmor.d/groups/xfce/xfce-appfinder

@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-appfinder
+profile xfce-appfinder @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/app-launcher-user>
+  include <abstractions/xfce>
+
+  @{exec_path} mr,
+
+  /usr/share/desktop-directories/{,**} r,
+
+  /etc/xdg/menus/{,**} r,
+
+  owner @{user_cache_dirs}/xfce4/appfinder/{,**} rw,
+
+  include if exists <local/xfce-appfinder>
+}

apparmor.d/groups/xfce/xfce-clipman-settings

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-clipman-settings
+profile xfce-clipman-settings @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/xfce>
+
+  @{exec_path} mr,
+
+  /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r,
+
+  owner @{user_config_dirs}/xfce4/panel/xfce4-clipman-actions.xml rw,
+
+  include if exists <local/xfce-clipman-settings>
+}

apparmor.d/groups/xfce/xfce-mime-helper

@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce-mime-helper
+profile xfce-mime-helper @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/xfce>
+
+  @{exec_path} mr,
+
+  include if exists <local/xfce-mime-helper>
+}

apparmor.d/groups/xfce/xfce-panel

@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0
+profile xfce-panel @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/app-launcher-user>
+  include <abstractions/audio-client>
+  include <abstractions/dconf-write>
+  include <abstractions/nameservice-strict>
+  include <abstractions/xfce>
+
+  @{exec_path} mr,
+
+  @{bin}/exo-open                                     rix,
+  @{bin}/xfce4-mime-helper                            rix,
+  @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0      rix,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rix,
+  @{lib}/gio-launch-desktop                           rix,
+
+  @{bin}/sudo                                         rCx -> root,
+
+  /usr/share/desktop-directories/{,**} r,
+  /usr/share/livecheck/** r,
+  /usr/share/xfce4/{,**} r,
+
+  /etc/fstab r,
+  /etc/machine-id r,
+  /etc/timezone r,
+  /etc/xdg/menus/{,**} r,
+  /etc/xdg/xfce4/{,**} r,
+
+  owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw,
+  owner @{user_config_dirs}/xfce4/panel/{,**} rw,
+
+        @{PROC}/cmdline r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/mountinfo r,
+
+  profile root {
+    include <abstractions/base>
+    include <abstractions/app/sudo>
+
+    @{bin}/lsblk rPx,
+
+    include if exists <local/xfce-panel-wrapper_root>
+  }
+
+  include if exists <local/xfce-panel>
+}

apparmor.d/groups/xfce/xfce-power-manager

@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-power-manager
+profile xfce-power-manager @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/xfce>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  @{bin}/xfpm-power-backlight-helper rPx,
+
+  /etc/xdg/autostart/xfce4-power-manager.desktop r,
+
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/stat r,
+
+  @{run}/systemd/inhibit/*.ref rw,
+
+  include if exists <local/xfce-power-manager>
+}

apparmor.d/groups/xfce/xfce-screensaver

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfce4-screensaver
+profile xfce-screensaver @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/authentication>
+  include <abstractions/graphics>
+  include <abstractions/xfce>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  @{sh_path}    rix,
+  @{bin}/pidof  rix,
+  @{bin}/wc     rix,
+
+  @{lib}/xfce4-screensaver-dialog rix,
+  @{lib}/xfce4-screensaver-gl-helper rix,
+
+  /etc/xdg/menus/xfce4-screensavers.menu r,
+
+  @{run}/systemd/inhibit/*.ref rw,
+
+  include if exists <local/xfce-screensaver>
+}

apparmor.d/groups/xfce/xfdesktop

@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfdesktop
+profile xfdesktop @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/app-launcher-user>
+  include <abstractions/nameservice-strict>
+  include <abstractions/xfce>
+
+  @{exec_path} mr,
+
+  @{bin}/xfce4-mime-helper rix,
+
+  /usr/share/backgrounds/xfce/{,**} r,
+
+  /etc/fstab r,
+
+  owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+
+  owner @{user_config_dirs}/Thunar/{,**} rw,
+  owner @{user_config_dirs}/xfce4/desktop/{,**} rw,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
+  deny @{user_share_dirs}/gvfs-metadata/{,*} r,
+
+  include if exists <local/xfdesktop>
+}

apparmor.d/groups/xfce/xfpm-power-backlight-helper

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfpm-power-backlight-helper
+profile xfpm-power-backlight-helper @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/xfce>
+
+  @{exec_path} mr,
+
+  owner @{HOME}/.xsession-errors w,
+
+  @{sys}/class/backlight/ r,
+  @{sys}/class/leds/ r,
+  @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r,
+  @{sys}/devices/@{pci}/backlight/**/{uevent,type} r,
+  @{sys}/devices/@{pci}/backlight/**/brightness rw,
+  @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r,
+  @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r,
+  @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw,
+  @{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw,
+  @{sys}/devices/@{pci}/intel_backlight/type r,
+
+  include if exists <local/xfpm-power-backlight-helper>
+}

apparmor.d/groups/xfce/xfsettingsd

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfsettingsd
+profile xfsettingsd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/xfce>
+
+  @{exec_path} mr,
+
+  /etc/xdg/autostart/xfsettingsd.desktop r,
+
+  owner @{PROC}/@{pid}/cgroup r,
+
+  include if exists <local/xfsettingsd>
+}

apparmor.d/groups/xfce/xfwm

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xfwm4
+profile xfwm @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/audio-client>
+  include <abstractions/fontconfig-cache-write>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
+  include <abstractions/xfce>
+
+  @{exec_path} mr,
+
+  /usr/share/xfwm4/{,**} r,
+
+  /etc/machine-id r,
+
+  include if exists <local/xfwm>
+}