diff --git a/apparmor.d/profiles-m-r/pulseaudio b/apparmor.d/profiles-m-r/pulseaudio
index b86869c2..7f28d354 100644
--- a/apparmor.d/profiles-m-r/pulseaudio
+++ b/apparmor.d/profiles-m-r/pulseaudio
@@ -12,6 +12,8 @@ profile pulseaudio @{exec_path} {
   include
   include
   include
+  include
+  include
   include
   include
   include
@@ -29,7 +31,7 @@ profile pulseaudio @{exec_path} {
   @{exec_path} mrix,
   /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
-  /{usr/,}lib/pulse/gsettings-helper mrix,
+  /{usr/,}lib{exec,}/pulse/gsettings-helper mrix,
   # PulseAudio files
   /usr/share/pulseaudio/{,**} r,
@@ -43,7 +45,7 @@ profile pulseaudio @{exec_path} {
   owner @{HOME}/.Xauthority r,
   # Needed when PulseAudio is started via gdm
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
   owner @{HOME}/.ICEauthority r,
@@ -51,7 +53,8 @@ profile pulseaudio @{exec_path} {
   /etc/hosts.{allow,deny} r,
   owner @{run}/user/@{uid}/ rw,
-  owner @{run}/user/@{uid}/pulse/{,*} rw,
+  owner @{run}/user/@{uid}/pulse/{,*} rw,
+  owner @{run}/user/@{uid}/pulse/*.lock k,
   /usr/share/applications/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
@@ -67,17 +70,72 @@ profile pulseaudio @{exec_path} {
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node[0-9]/meminfo r,
-  owner @{run}/user/@{uid}/dconf/ w,
-  owner @{run}/user/@{uid}/dconf/user rw,
+  deny @{sys}/module/apparmor/parameters/enabled r,
   @{run}/systemd/users/@{uid} r,
-  @{run}/user/@{uid}/ICEauthority r,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/stat r,
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/ICEauthority r,
+  owner @{run}/user/@{uid}/systemd/notify rw,
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
+  owner @{PROC}/@{pids}/fd/ r,
+  owner @{PROC}/@{pids}/stat r,
+
+  # DBus
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus (receive)
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={Hello,RequestName,ReleaseName}
+       peer=(name=:*),
+
+  dbus (receive)
+       bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
+
+  dbus (bind)
+       bus=session
+       name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
+
+  dbus (bind)
+       bus=session
+       name=org.PulseAudio[0-9],
+
+  dbus (bind)
+       bus=session
+       name=org.pulseaudio*,
+
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={Hello,AddMatch,RemoveMatch}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/RealtimeKit[0-9]
+       member={Get,MakeThreadHighPriority,MakeThreadRealtime}
+       peer=(name=org.freedesktop.RealtimeKit[0-9]),
+
+  dbus (send)
+       bus=system
+       path=/
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=org.bluez),
+
+  unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
+  unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
   # The orcexec.* file is JIT compiled code for various GStreamer elements.
   # If one is blocked the next is used instead.
@@ -86,7 +144,9 @@ profile pulseaudio @{exec_path} {
   #owner /tmp/orcexec.* mrw,
   # For GDM
-  /var/lib/gdm/.config/pulse/ rw,
+  owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
+  owner /var/lib/gdm{[1-9],}/.config/pulse/cookie k,
+  owner /var/lib/gdm{[1-9],}/.config/dconf/user r,
   # For SDDM
   owner /var/lib/sddm/.config/pulse/ rw,
@@ -95,9 +155,17 @@ profile pulseaudio @{exec_path} {
   owner /var/lib/sddm/.config/pulse/*-card-database.tdb rw,
   owner /var/lib/sddm/.config/pulse/cookie rwk,
+  # For lightdm
+  owner /var/lib/lightdm/.config/pulse/{,**} rw,
+  owner /var/lib/lightdm/.config/pulse/cookie k,
+
   # file_inherit
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,
+  # Snap
+  /var/lib/snapd/desktop/applications/ r,
+  /usr/{local/,}share/ubuntu/applications/{,*} r,
+
   include if exists
 }
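Review bot: The RealtimeKit rule added in the `@@ -67,17 +70,72 @@` hunk (`path=/org/freedesktop/RealtimeKit[0-9] member={Get,MakeThreadHighPriority,MakeThreadRealtime}`) has no `interface=`, so each member name is permitted on any interface at that path; `Get` belongs to org.freedesktop.DBus.Properties and the two MakeThread* calls to org.freedesktop.RealtimeKit1, and splitting it into two rules with explicit interfaces keeps the grant to exactly what the daemon calls. The session-bus bind `name=org.pulseaudio*` is also wider than a well-known name; if the daemon only binds org.pulseaudio.Server, naming it is tighter, though the trailing glob may be intentional. The `/etc/machine-id` and `/var/lib/dbus/machine-id` reads are dropped in the same hunk, presumably because one of the includes added in the first hunk covers them, but the include names are not visible in this rendering so that should be confirmed. The profile body continues on both sides of the hunk.
```apparmor
  # … unchanged: session-bus dbus rules and the system-bus org.freedesktop.DBus rule …
  dbus (send)
       bus=system
       path=/org/freedesktop/RealtimeKit[0-9]
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(name=org.freedesktop.RealtimeKit[0-9]),

  dbus (send)
       bus=system
       path=/org/freedesktop/RealtimeKit[0-9]
       interface=org.freedesktop.RealtimeKit[0-9]
       member={MakeThreadHighPriority,MakeThreadRealtime}
       peer=(name=org.freedesktop.RealtimeKit[0-9]),
  # … unchanged: org.bluez rule and unix socket rules …
```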