feat(profile): general update (2).

2024-01-28 22:33:45 +00:00 · 2024-01-28 22:33:45 +00:00 · 049e89b379
commit 049e89b379
parent 9b49999414
21 changed files with 69 additions and 26 deletions
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -63,9 +63,10 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  @{sys}/bus/ r,
  @{sys}/bus/media/devices/ r,
  @{sys}/class/ r,
-  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,removable,uevent} r,
+  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r,
+  @{sys}/module/apparmor/parameters/enabled r, # deny ?

  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@ -12,6 +12,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -21,16 +22,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
       member=MakeThreadRealtimeWithPID
       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),

-  dbus send bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=:*, label=at-spi2-registryd),
-
-  dbus send bus=session path=/
-       interface=org.freedesktop.DBus
-       member={AddMatch,GetNameOwner}
-       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
  @{exec_path} mr,

  owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -29,6 +29,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {

  network unix stream,

+  signal (receive) set=term peer=gdm,
+
  dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome,

  dbus send bus=session path=/org/gnome/Shell/Screenshot
@ -64,6 +66,10 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  @{bin}/ r,
  @{bin}/* r,

+  /usr/share/dconf/profile/gdm r,
+
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
+  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/*/{,**} rw,
--- a/apparmor.d/groups/freedesktop/xkbcomp
+++ b/apparmor.d/groups/freedesktop/xkbcomp
@ -34,9 +34,10 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
  owner /tmp/server-@{int}.xkm rwk,

  /dev/dri/card@{int} rw,
+  /dev/fb@{int} rw,
  /dev/tty rw,
  /dev/tty@{int} rw,
-  
+
  deny /dev/input/event@{int} rw,
  deny /var/log/Xorg.@{int}.log w,

--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -23,6 +23,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability dac_read_search,
  capability ipc_owner,
+  capability net_admin,
  capability perfmon,
  capability setgid,
  capability setuid,