# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

# AppArmor confinement policy for the PulseAudio daemon, attached to the
# binary named by @{exec_path} below.
#
# NOTE(review): in this copy the angle-bracketed argument of the abi line and
# of every inclusion directive is missing (one tunables-level directive, five
# inside the profile, and the trailing "if exists" one). Restore them from the
# upstream profile before loading; the policy should not be expected to
# compile as shown, and the effective permissions cannot be judged without
# knowing which abstractions are pulled in.

abi ,

include

@{exec_path} = /{usr/,}bin/pulseaudio
profile pulseaudio @{exec_path} {
  # NOTE(review): targets of the next five directives are missing (see the
  # note at the top); whatever they name grants permissions on top of the
  # rules listed here.
  include
  include
  include
  include
  include

  # Tracing is limited to peers confined by this same profile.
  ptrace (trace) peer=@{profile_name},

  # Signals are accepted only from peers running under the pacmd profile.
  signal (receive) peer=pacmd,

  # Socket rules are expressed by address family and type only; nothing here
  # restricts remote addresses or ports, so that has to be enforced elsewhere
  # (PulseAudio configuration, firewall).
  network inet stream,
  network inet6 stream,
  network netlink raw,
  network bluetooth stream,
  network bluetooth seqpacket,

  # ix = inherit: re-executing the daemon keeps it under this profile.
  @{exec_path} mrix,

  # ix = inherit: the helper runs with this profile's permissions rather than
  # a narrower profile of its own.
  /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,

  # PulseAudio files
  /usr/share/pulseaudio/** r,
  # Loadable modules are read and mapped executable (m); no rule visible in
  # this file grants write access to the module directories.
  /{usr/,}lib/pulse-*/modules/*.so mr,

  # PulseAudio home config files
  # "owner" limits the rule to files owned by the user the daemon runs as.
  owner @{HOME}/.config/pulse/{,**} rw,

  # Needed when PulseAudio is started via the start-pulseaudio-x11 script
  # The X authority file holds the X11 session credential; access is kept
  # read-only and owner-restricted.
  owner @{HOME}/.Xauthority r,

  # TCP wrap
  /etc/hosts.{allow,deny} r,

  # Per-user runtime directory and the pulse/ directory inside it.
  # The glob [0-9]* is one digit followed by any characters up to the next "/".
  owner @{run}/user/[0-9]*/ rw,
  owner @{run}/user/[0-9]*/pulse/{,*} rw,

  /usr/share/applications/{,**} r,

  # Read-only sysfs and udev lookups used for sound device discovery.
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/sound/ r,
  @{sys}/devices/**/sound/**/{uevent,pcm_class} r,

  @{run}/udev/data/+sound* r,
  @{run}/udev/data/c116:[0-9]* r,        # For ALSA

  @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
  @{sys}/devices/system/node/ r,
  # NOTE(review): node[0-9] matches a single digit (node0..node9) only; hosts
  # with more NUMA nodes would log denials for the rest. Confirm whether that
  # is intended.
  @{sys}/devices/system/node/node[0-9]/meminfo r,

  @{run}/systemd/users/[0-9]* r,

  # The daemon may inspect only its own /proc entries (owner + @{pid}).
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/stat r,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  # The orcexec.* file is JIT compiled code for various GStreamer elements.
  # If one is blocked the next is used instead.
  # NOTE(review): "mrw" lets the same file be written and mapped executable,
  # i.e. a deliberate W^X exception. It is confined here to the owner's
  # runtime directory; the broader @{HOME} and /tmp locations below are left
  # disabled and should stay that way unless the JIT cannot work otherwise.
  owner @{run}/user/[0-9]*/orcexec.* mrw,
  #owner @{HOME}/orcexec.* mrw,
  #owner /tmp/orcexec.* mrw,

  # For SDDM
  # State files of the PulseAudio instance running in the SDDM greeter's
  # home directory; the patterns enumerate specific file names instead of
  # granting the whole directory tree.
  owner /var/lib/sddm/.config/pulse/ rw,
  owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw,
  owner /var/lib/sddm/.config/pulse/*-default-{sink,source} rw,
  owner /var/lib/sddm/.config/pulse/*-card-database.tdb rw,
  # k = file locking on the cookie file.
  owner /var/lib/sddm/.config/pulse/cookie rwk,

  # file_inherit
  # Descriptors handed down by the parent process (terminal, session log);
  # .xsession-errors is write-only.
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,

  # NOTE(review): target missing in this copy; presumably the site-local
  # override file for this profile - confirm against upstream.
  include if exists
}