diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-session
similarity index 83%
rename from apparmor.d/groups/gnome/gdm-wayland-session
rename to apparmor.d/groups/gnome/gdm-session
index 50efa58d..42133675 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-session
@@ -6,10 +6,11 @@ abi ,
include
-@{exec_path} = @{lib}/{,gdm/}gdm-wayland-session
-profile gdm-wayland-session @{exec_path} {
+@{exec_path} = @{lib}/{,gdm/}gdm-{x,wayland}-session
+profile gdm-session @{exec_path} {
include
include
+ include
include
include
include
@@ -26,6 +27,7 @@ profile gdm-wayland-session @{exec_path} {
signal (send) set=(term) peer=dbus-daemon,
signal (send) set=(term) peer=dbus-run-session,
signal (send) set=(term) peer=gnome-session-binary,
+ signal (send) set=term peer=xorg,
dbus receive bus=session interface=org.freedesktop.DBus.Introspectable
@@ -65,6 +67,11 @@ profile gdm-wayland-session @{exec_path} {
@{lib}/gnome-session-binary rPx,
@{lib}/xdg-permission-store rPx,
+ # only: xorg
+ @{bin}/Xorg rPx,
+ /etc/gdm{3,}/Prime/Default rix,
+ /etc/gdm{3,}/Xsession rPx,
+ /usr/share/dbus-1/{,**} r,
/usr/share/dconf/profile/gdm r,
/usr/share/defaults/at-spi2/accessibility.conf r,
@@ -75,6 +82,7 @@ profile gdm-wayland-session @{exec_path} {
/usr/share/libdebuginfod-common/debuginfod.sh r,
@{etc_ro}/profile.d/{,*} r,
+ /etc/dbus-1/{,**} r,
/etc/debuginfod/{,*} r,
/etc/default/im-config r,
/etc/gdm{3,}/custom.conf r,
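Review bot: The new header `profile gdm-session @{exec_path} {` carries no flags, while the deleted gdm-x-session profile (removed further down in this diff) was declared with `flags=(attach_disconnected)`, so the X11 launcher loses that flag by being folded into the Wayland profile. If gdm-x-session actually needed it (gdm-session-worker in this same diff still sets it), expect disconnected-path denials the first time the X path is exercised; if it never needed it, the tighter header is the better outcome and deserves a one-line comment saying so. Whichever is true, it should be a deliberate decision rather than a side effect of the rename — `profile gdm-session @{exec_path} flags=(attach_disconnected) {` restores the previous x-session behaviour if required. The abstraction names on the include lines are not visible in this rendering, so the added include cannot be reviewed here, and the profile body continues beyond this hunk.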
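Review bot: The added `signal (send) set=term peer=xorg,` uses the bare `set=term` form while the three neighbouring rules write `set=(term)`; `signal (send) set=(term) peer=xorg,` keeps the signal block uniform. The peer label has to match the name of the profile Xorg lands in via the `@{bin}/Xorg rPx,` rule added later in this file — presumably `xorg`, since the removed gdm-x-session profile used the same peer, but that profile is not in this diff so it is worth confirming. The profile body continues beyond this hunk.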
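Review bot: With a single profile now attached to both `gdm-{x,wayland}-session`, the X11-only rules added here — `@{bin}/Xorg rPx,`, `/etc/gdm{3,}/Xsession rPx,` and `/etc/gdm{3,}/Prime/Default rix,` — are also granted to the Wayland launcher, which previously could neither exec Xorg nor run that script; the `# only: xorg` comment records intent, but AppArmor does not enforce it. The `rix` on Prime/Default additionally means that script runs with the merged profile's full rule set rather than a narrower one. If that widening is accepted as the price of the merge, say so where the reader will look for it, e.g. `# only: xorg (not enforced: the merged profile also applies to gdm-wayland-session)`; if it is not acceptable, the x-only rules need their own profile. The profile body continues beyond this hunk.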
@@ -89,20 +97,24 @@ profile gdm-wayland-session @{exec_path} {
/etc/sysconfig/proxy r,
/etc/sysconfig/windowmanager r,
+ /var/lib/gdm{3,}/.cache/gdm/ rw,
+ /var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
/var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{HOME}/.alias r,
owner @{HOME}/.i18n r,
- @{run}/gdm{3,}/custom.conf r,
+ @{run}/gdm{3,}/custom.conf r,
+ @{run}/systemd/userdb/ r,
@{run}/systemd/users/@{uid} r,
- @{run}/user/@{uid}/at-spi/ w,
- @{run}/user/@{uid}/at-spi/bus w,
owner @{run}/user/@{uid}/dbus-1/ rw,
owner @{run}/user/@{uid}/dbus-1/services/ rw,
+ owner @{run}/user/@{uid}/gdm/ w,
+ owner @{run}/user/@{uid}/gdm/Xauthority rw, # only: xorg
- owner /tmp/dbus-@{rand10} w,
+ @{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pids}/oom_score_adj rw,
@@ -113,5 +125,5 @@ profile gdm-wayland-session @{exec_path} {
/dev/tty@{int} rw,
- include if exists
+ include if exists
}
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index dd15a5b1..10fe1519 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -33,7 +33,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
signal (receive) set=term peer=gdm,
signal (receive) set=hup peer=@{systemd},
- signal (send) set=(hup term) peer=gdm-{x,wayland}-session,
+ signal (send) set=(hup term) peer=gdm-session,
signal (send) set=hup peer=at-spi*,
signal (send) set=hup peer=dbus-daemon,
signal (send) set=hup peer=dbus-run-session,
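Review bot: The greeter-side Xauthority rules brought over from gdm-x-session, `/var/lib/gdm{3,}/.cache/gdm/ rw,` and `/var/lib/gdm{3,}/.cache/gdm/Xauthority rw,`, carry no `owner` qualifier, unlike the parallel `owner @{run}/user/@{uid}/gdm/Xauthority rw,` added in the same hunk, so the launcher may write the X auth cookie file even when another user owns it. If the greeter launcher always runs as the gdm user that owns /var/lib/gdm — likely, but not something this hunk shows — `owner /var/lib/gdm{3,}/.cache/gdm/ rw,` and `owner /var/lib/gdm{3,}/.cache/gdm/Xauthority rw,` are the tighter form and keep the two Xauthority rules consistent. The profile body continues beyond this hunk.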
@@ -64,8 +64,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
@{bin}/gnome-keyring-daemon rPx,
@{bin}/unix_chkpwd rPx,
@{etc_ro}/X11/xdm/Xstartup rPUx,
- @{lib}/{,gdm/}gdm-wayland-session rPx,
- @{lib}/{,gdm/}gdm-x-session rPx,
+ @{lib}/{,gdm/}gdm-{x,wayland}-session rPx -> gdm-session,
/etc/gdm{3,}/{Pre,Post}Session/Default rix,
/etc/gdm{3,}/PostLogin/Default rix,
/etc/gdm{3,}/PrimeOff/Default rix,
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
deleted file mode 100644
index 3d4a2583..00000000
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ /dev/null
@@ -1,64 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{lib}/{,gdm/}gdm-x-session
-profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
- include
- include
- include
- include
- include
-
- signal (receive) set=(hup term) peer=gdm-session-worker,
- signal (receive) set=(term) peer=gdm,
- signal (send) set=term peer=dbus-run-session,
- signal (send) set=term peer=gnome-session-binary,
- signal (send) set=term peer=xorg,
-
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=UpdateActivationEnvironment
- peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
- @{exec_path} mr,
-
- @{bin}/{true,false} rix,
- @{bin}/dbus-daemon rix,
- @{bin}/dbus-run-session rix,
- @{bin}/gjs-console rPx,
- @{bin}/gnome-session rix,
- @{bin}/gsettings rPx,
- @{bin}/Xorg rPx,
- @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix,
- @{lib}/at-spi2-registryd rix,
- @{lib}/dconf-service rPx,
- @{lib}/gnome-session-binary rPx,
- @{lib}/xdg-permission-store rPx,
-
- /etc/gdm{3,}/Prime/Default rix,
- /etc/gdm{3,}/Xsession rPx,
-
- /usr/share/gdm/gdm.schemas r,
-
- /etc/gdm{3,}/custom.conf r,
- /etc/gdm{3,}/daemon.conf r,
- /etc/sysconfig/displaymanager r,
-
- /var/lib/gdm{3,}/.cache/gdm/ rw,
- /var/lib/gdm{3,}/.cache/gdm/Xauthority rw,
-
- @{run}/gdm{3,}/custom.conf r,
- owner @{run}/user/@{uid}/gdm/ w,
- owner @{run}/user/@{uid}/gdm/Xauthority rw,
-
- owner @{PROC}/@{pid}/fd/ r,
-
- /dev/tty@{int} rw,
-
- include if exists
-}