apparmor.d/profiles/sddm
2021-04-01 16:17:47 +01:00


# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Pin this policy to the AppArmor 3.0 feature ABI.
abi <abi/3.0>,
# Global tunables. The profile below relies on @{HOME}, @{PROC}, @{run}, @{multiarch} and
# @{pid}, none of which are defined in this file.
include <tunables/global>
# Attachment path for the profile; the alternation matches both /usr/bin/sddm and /bin/sddm.
@{exec_path} = /{usr/,}bin/sddm
# Profile for the SDDM display manager binary (@{exec_path}).
#
# Layout: the main rule set, followed by two child profiles (sddm-scripts and xauth) and an
# optional site-local override at the end.
#
# Exec transition modes used below:
#   ix  - the target runs under this same profile and keeps every rule and capability here.
#   Px  - switch to the target's own profile with a scrubbed environment; the exec is refused
#         when no such profile is loaded.
#   PUx - as Px, but the target runs unconfined when no profile is loaded for it.
#   Cx  - switch to a child profile declared inside this profile.
#
# NOTE(review): only xauth is entered by an active rule (rCx -> xauth). The rCx rules that
# would enter sddm-scripts are commented out, so within this file sddm-scripts is never used.
profile sddm @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/authentication>
include <abstractions/wutmp>
include <abstractions/dri-common>
include <abstractions/nameservice-strict>
# To remove the following errors:
# chown("/tmp/sddm-:0-YPUOCV", 123, 132) = -1 EPERM (Operation not permitted)
capability chown,
# To remove the following errors:
# sddm-helper[]: pam_keyinit(sddm-greeter:session): Unable to change GID to 132 temporarily
# sddm-helper[]: setgid( 132 ) failed for user: "sddm"
capability setgid,
# To remove the following errors:
# sddm-helper[]: pam_keyinit(sddm-greeter:session): Unable to change UID to 123 temporarily
# sddm-helper[]: pam_unix(sddm-greeter:session): session opened for user sddm by (uid=0)
capability setuid,
# To remove the following errors:
# sddm-helper[]: pam_limits(sddm-greeter:session): Could not set limit for 'nofile' to soft=1024,
# hard=1048576: Operation not permitted; uid=0,euid=0
# sddm-helper[*]: pam_limits(sddm-greeter:session): Could not set limit for 'memlock' to
# soft=1017930240, hard=1017930240: Operation not permitted; uid=0,euid=0
capability sys_resource,
# To be able to display messages
# sddm-greeter[98834]: Connected to the daemon.
# sddm[98806]: Message received from greeter: Connect
# ...
# sddm-greeter[98834]: Message received from daemon: Capabilities
# sddm-greeter[98834]: Message received from daemon: HostName
# ...
# sddm[98806]: Message received from greeter: Login
# ...
# sddm-greeter[98834]: Message received from daemon: LoginSucceeded
capability audit_write,
# To read the /var/lib/sddm/state.conf file
# NOTE(review): dac_read_search bypasses read and directory-search permission checks for every
# path the file rules below allow, not only state.conf. Confirm that fixing the ownership or
# mode of state.conf is not enough before keeping it.
capability dac_read_search,
# Needed?
#capability sys_tty_config,
# Explicit deny: net_admin is refused and, as with any deny rule, not logged by default.
deny capability net_admin,
# Tracing is limited to processes confined by this same profile.
ptrace (trace) peer=@{profile_name},
# Only SIGKILL and SIGTERM may be sent, and only to processes running under the xorg profile.
signal (send) set=(kill, term) peer=xorg,
@{exec_path} mr,
# ix: the helper and the shells stay in this profile, so they keep the capabilities granted
# above (chown, setuid, setgid, sys_resource, audit_write, dac_read_search).
/{usr/,}lib/@{multiarch}/sddm/sddm-helper rix,
/{usr/,}bin/{,ba,da}sh mrix,
# Px: these targets need their own profile loaded, otherwise the exec is refused.
/{usr/,}bin/sddm-greeter rPx,
/etc/sddm/Xsession rPx,
/{usr/,}bin/Xorg rPx,
# Cx: xauth runs in the xauth child profile declared near the end of this profile.
/{usr/,}bin/xauth rCx -> xauth,
/{usr/,}bin/xsetroot rPx,
# PUx: sway runs unconfined when no sway profile is loaded.
/{usr/,}bin/sway rPUx,
# System keyrings
/{usr/,}bin/gnome-keyring-daemon rPx,
/{usr/,}bin/kwalletd5 rPx,
# SDDM scripts
# What to do with it? (#FIXME#)
# NOTE(review): with PUx these four scripts run unconfined unless a profile attaches to their
# path. The commented-out rCx rules below would confine them to the sddm-scripts child profile
# instead; sddm-scripts stays unused while they are commented out.
/usr/share/sddm/scripts/Xsetup rPUx,
/usr/share/sddm/scripts/Xstop rPUx,
/usr/share/sddm/scripts/wayland-session rPUx,
/usr/share/sddm/scripts/Xsession rPUx,
#/usr/share/sddm/scripts/Xsetup rCx -> sddm-scripts,
#/usr/share/sddm/scripts/Xstop rCx -> sddm-scripts,
#/usr/share/sddm/scripts/wayland-session rCx -> sddm-scripts,
#/usr/share/sddm/scripts/Xsession rCx -> sddm-scripts,
# Create kwallet dirs and files
owner @{HOME}/.local/share/kwalletd/ rw,
owner @{HOME}/.local/share/kwalletd/kdewallet.salt rw,
# No owner qualifier: the salt can be read whichever user owns the file.
@{HOME}/.local/share/kwalletd/kdewallet.salt r,
owner @{run}/user/[0-9]*/kwallet5.socket rw,
# Themes
/usr/share/sddm/themes/** r,
/usr/share/plasma/desktoptheme/** r,
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
# List of graphical sessions
/usr/share/xsessions/{,*.desktop} r,
/usr/share/wayland-sessions/{,*.desktop} r,
owner /var/lib/sddm/** rw,
# NOTE(review): these cache files are writable and may also be mapped executable (m), so a
# process in this profile can write a file and then map it as code. Confirm the m permission is
# required for the QML cache.
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
# No owner qualifier, unlike the /var/lib/sddm/** rule above.
/var/lib/sddm/state.conf rw,
/etc/sddm.conf.d/{,*} r,
/etc/sddm.conf r,
# User avatars
/usr/share/sddm/faces/.*.icon r,
/var/lib/AccountsService/icons/*.icon r,
# QT
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/*.so mr,
/{usr/,}lib/@{multiarch}/qt5/plugins/plasma/dataengine/*.so mr,
/{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/**.qmlc mr,
/{usr/,}lib/@{multiarch}/qt5/qml/QtQuick/Controls/Private/*.jsc mr,
# TMP files
owner /tmp/sddm-auth* rw,
# NOTE(review): not owner-restricted; this matches any /tmp/sddm-* path whoever created it,
# and it also covers everything the owner rule above matches.
/tmp/sddm-* rw,
# Matches /tmp/<name>/ and /tmp/<name>/s; the purpose is not stated here - TODO confirm.
owner /tmp/*/{,s} rw,
owner @{run}/sddm/ rw,
# Write-only and not owner-restricted.
@{run}/sddm/* w,
# Session error logs
# Creating the dir structure is needed when a new user is logging in for the very first time
# using SDDM.
owner @{HOME}/.local/ w,
owner @{HOME}/.local/share/ w,
owner @{HOME}/.local/share/sddm/ w,
/{usr/,}lib/@{multiarch}/ld-*.so mr,
/etc/security/limits.d/ r,
owner @{HOME}/.Xauthority rw,
/etc/default/locale r,
/etc/environment r,
# presumably used by the PAM session modules named in the capability comments above - TODO confirm
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/1/limits r,
@{PROC}/sys/kernel/core_pattern r,
# Read access to the root directory itself only; the rule does not recurse.
/ r,
# Run SDDM on a specific TTY
/dev/tty[0-9]* rw,
@{run}/systemd/sessions/[0-9]*.ref rw,
# Child profile intended for the SDDM session scripts.
# NOTE(review): no active rule in this file transitions into it (see the commented-out rCx
# rules above), and it still starts flatpak, sway and dbus-daemon with the PUx fallback.
profile sddm-scripts {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bash>
/usr/share/sddm/scripts/Xsetup r,
/usr/share/sddm/scripts/Xstop r,
/usr/share/sddm/scripts/wayland-session r,
/usr/share/sddm/scripts/Xsession r,
/{usr/,}bin/{,ba,da}sh rix,
# Duplicate of the rule directly above; it grants nothing further.
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/zsh rix,
/{usr/,}bin/id rix,
/{usr/,}bin/flatpak rPUx,
/{usr/,}bin/sway rPUx,
/{usr/,}bin/dbus-run-session rix,
/{usr/,}bin/dbus-daemon rPUx,
}
# Child profile for xauth, entered through the rCx -> xauth rule above.
# File access is limited to the Xauthority file and its -c, -l and -n companions, in @{HOME}
# and under @{run}/sddm/. Every rule is owner-restricted, and each link (l) rule names the one
# path the link may point to.
profile xauth {
include <abstractions/base>
/{usr/,}bin/xauth mr,
owner @{HOME}/.Xauthority-c w,
owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c,
owner @{HOME}/.Xauthority-n rw,
owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
# The escaped braces match literal { and } in the file name, i.e. names of the form
# {hex-hex-hex-hex-hex} under @{run}/sddm/.
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
}
# Optional site-local additions; skipped when local/sddm does not exist. Rules placed there
# widen this profile, so review that file together with this one.
include if exists <local/sddm>
}