apparmor/profiles/apparmor.d/Xorg

# vim:syntax=apparmor
# Author: Daniel Richard G. <skunk@iSKUNK.ORG>

# Related:
#   https://bugs.launchpad.net/bugs/1292324
#   https://github.com/canonical/lightdm/issues/18

abi <abi/4.0>,

include <tunables/global>

# Note: attach_disconnected appears necessary in rootless mode
profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/fonts>
  include <abstractions/mesa>
  include <abstractions/nameservice>
  include <abstractions/vulkan>
  include <abstractions/X>

  capability dac_override,
  capability ipc_owner,
  capability perfmon,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_nice,
  capability sys_rawio,

  network netlink raw,

  signal (receive) set=(hup, term),
  signal (send) set=(usr1),

  unix (accept, bind, listen, receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*",

  dbus (send)
    bus=system
    path=/org/freedesktop/login1
    interface=org.freedesktop.login1.Manager
    member=GetSessionByPID
    peer=(name=org.freedesktop.login1),

  dbus (send)
    bus=system
    path=/org/freedesktop/login1/session/*
    interface=org.freedesktop.login1.Session
    member={PauseDeviceComplete,ReleaseControl,ReleaseDevice,TakeControl,TakeDevice}
    peer=(name=org.freedesktop.login1),

  dbus (receive)
    bus=system
    path=/org/freedesktop/login1/session/*
    interface=org.freedesktop.login1.Session
    member=PauseDevice,

  /{,usr/}bin/{bash,dash,sh} ix,
  /usr/bin/xkbcomp           ix,

  @{PROC}/cmdline         r,
  @{PROC}/@{pid}/cmdline  r,
  @{PROC}/ioports         r,
  @{PROC}/mtrr            rw,

  @{sys}/**/              r,
  @{sys}/devices/**       r,
  @{sys}/module/**        r,

  @{sys}/devices/pci*/**/backlight/*/brightness rw,

  # Display managers
  @{run}/user/@{uid}/gdm/* r,
  @{run}/lightdm/**        r,
  @{run}/lxdm/*            r,
  @{run}/sddm/*            r,
  @{run}/slim.auth         r,
  /var/lib/wdm/**          r,
  /var/lib/xdm/**          r,

  @{run}/nvidia-xdriver-*  rw,	# TODO: double-check
  @{run}/udev/data/**      r,

  /dev/dri/card[0-9]*      r,
  /dev/fb0                 rw,
  /dev/input/event*        rw,
  /dev/tty[0-9]*           rw,
  /dev/vga_arbiter         rw,

  /etc/X11/** r,

  owner /tmp/.tX[0-9]*-lock    rw,
  owner /tmp/.X[0-9]*-lock     wl,
  owner /tmp/serverauth.*      r,    # startx(1)
  owner /tmp/server-[0-9]*.xkm rw,

  /usr/lib/xorg/modules/   r,
  /usr/lib/xorg/modules/** mr,
  /usr/share/**            r,

  owner /var/lib/xkb/**                 rw,
  owner /var/log/Xorg.pid-[1-9]*.log    rw,
  owner /var/log/Xorg.[0-9]*.log{,.old} rw,

  # Rootless mode (gdm3, startx)
  owner @{HOME}/.local/                                        w,
  owner @{HOME}/.local/share/                                  w,
  owner @{HOME}/.local/share/xorg/                             w,
  owner @{HOME}/.local/share/xorg/Xorg.pid-[1-9]*.log          rw,
  owner @{HOME}/.local/share/xorg/Xorg.[0-9]*.log{,.old}       rw,
  owner /var/lib/gdm*/.cache/mesa_shader_cache/                rw,
  owner /var/lib/gdm*/.cache/mesa_shader_cache/**              rwk,
  owner /var/lib/gdm*/.local/share/xorg/Xorg.pid-[1-9]*.log    rw,
  owner /var/lib/gdm*/.local/share/xorg/Xorg.[0-9]*.log{,.old} rw,

  # When running without a kernel mode-setting (KMS) driver, Xorg may need
  # these additional permissions. DO NOT enable these unless necessary!
  #nokms#/dev/mem rw,
  #nokms#@{sys}/devices/pci[0-9]*/*/*/resource[0-9] w,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/Xorg>
}
Add profile for Xorg (X server) 2023-07-25 16:37:30 -04:00			`# vim:syntax=apparmor`
			`# Author: Daniel Richard G. <skunk@iSKUNK.ORG>`

			`# Related:`
			`# https://bugs.launchpad.net/bugs/1292324`
			`# https://github.com/canonical/lightdm/issues/18`

Xorg: Bump ABI to 4.0, and document access needed on non-KMS systems 2024-05-07 00:53:16 -04:00			`abi <abi/4.0>,`
Add profile for Xorg (X server) 2023-07-25 16:37:30 -04:00
			`include <tunables/global>`

			`# Note: attach_disconnected appears necessary in rootless mode`
			`profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {`
			`include <abstractions/base>`
			`include <abstractions/dbus-strict>`
			`include <abstractions/fonts>`
			`include <abstractions/mesa>`
			`include <abstractions/nameservice>`
			`include <abstractions/vulkan>`
			`include <abstractions/X>`

			`capability dac_override,`
			`capability ipc_owner,`
			`capability perfmon,`
			`capability setgid,`
			`capability setuid,`
			`capability sys_admin,`
			`capability sys_nice,`
			`capability sys_rawio,`

			`network netlink raw,`

			`signal (receive) set=(hup, term),`
			`signal (send) set=(usr1),`

			`unix (accept, bind, listen, receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*",`

			`dbus (send)`
			`bus=system`
			`path=/org/freedesktop/login1`
			`interface=org.freedesktop.login1.Manager`
			`member=GetSessionByPID`
			`peer=(name=org.freedesktop.login1),`

			`dbus (send)`
			`bus=system`
			`path=/org/freedesktop/login1/session/*`
			`interface=org.freedesktop.login1.Session`
			`member={PauseDeviceComplete,ReleaseControl,ReleaseDevice,TakeControl,TakeDevice}`
			`peer=(name=org.freedesktop.login1),`

			`dbus (receive)`
			`bus=system`
			`path=/org/freedesktop/login1/session/*`
			`interface=org.freedesktop.login1.Session`
			`member=PauseDevice,`

			`/{,usr/}bin/{bash,dash,sh} ix,`
			`/usr/bin/xkbcomp ix,`

			`@{PROC}/cmdline r,`
			`@{PROC}/@{pid}/cmdline r,`
			`@{PROC}/ioports r,`
			`@{PROC}/mtrr rw,`

			`@{sys}/**/ r,`
			`@{sys}/devices/** r,`
			`@{sys}/module/** r,`

			`@{sys}/devices/pci//backlight//brightness rw,`

			`# Display managers`
			`@{run}/user/@{uid}/gdm/* r,`
			`@{run}/lightdm/** r,`
			`@{run}/lxdm/* r,`
			`@{run}/sddm/* r,`
			`@{run}/slim.auth r,`
			`/var/lib/wdm/** r,`
			`/var/lib/xdm/** r,`

			`@{run}/nvidia-xdriver-* rw, # TODO: double-check`
			`@{run}/udev/data/** r,`

			`/dev/dri/card[0-9]* r,`
			`/dev/fb0 rw,`
			`/dev/input/event* rw,`
			`/dev/tty[0-9]* rw,`
			`/dev/vga_arbiter rw,`

			`/etc/X11/** r,`

profiles: updates from testing on Ubuntu 24.04/noble 2024-05-07 00:46:11 -04:00			`owner /tmp/.tX[0-9]*-lock rw,`
Add profile for Xorg (X server) 2023-07-25 16:37:30 -04:00			`owner /tmp/.X[0-9]*-lock wl,`
			`owner /tmp/serverauth.* r, # startx(1)`
			`owner /tmp/server-[0-9]*.xkm rw,`

			`/usr/lib/xorg/modules/ r,`
			`/usr/lib/xorg/modules/** mr,`
			`/usr/share/** r,`

			`owner /var/lib/xkb/** rw,`
			`owner /var/log/Xorg.pid-[1-9]*.log rw,`
			`owner /var/log/Xorg.[0-9]*.log{,.old} rw,`

			`# Rootless mode (gdm3, startx)`
			`owner @{HOME}/.local/ w,`
			`owner @{HOME}/.local/share/ w,`
			`owner @{HOME}/.local/share/xorg/ w,`
			`owner @{HOME}/.local/share/xorg/Xorg.pid-[1-9]*.log rw,`
			`owner @{HOME}/.local/share/xorg/Xorg.[0-9]*.log{,.old} rw,`
			`owner /var/lib/gdm*/.cache/mesa_shader_cache/ rw,`
			`owner /var/lib/gdm/.cache/mesa_shader_cache/* rwk,`
			`owner /var/lib/gdm/.local/share/xorg/Xorg.pid-[1-9].log rw,`
			`owner /var/lib/gdm/.local/share/xorg/Xorg.[0-9].log{,.old} rw,`

Xorg: Bump ABI to 4.0, and document access needed on non-KMS systems 2024-05-07 00:53:16 -04:00			`# When running without a kernel mode-setting (KMS) driver, Xorg may need`
			`# these additional permissions. DO NOT enable these unless necessary!`
			`#nokms#/dev/mem rw,`
			`#nokms#@{sys}/devices/pci[0-9]//*/resource[0-9] w,`

Add profile for Xorg (X server) 2023-07-25 16:37:30 -04:00			`# Site-specific additions and overrides. See local/README for details.`
			`include if exists <local/Xorg>`
			`}`