feat(profile): general update.

2024-02-29 21:45:42 +00:00 · 2024-02-29 21:45:42 +00:00 · 06abeac2ee
commit 06abeac2ee
parent cd09dc7688
33 changed files with 154 additions and 47 deletions
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -51,7 +51,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {

  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
-       member=*Session
+       member={*Session,CreateSessionWithPIDFD}
       peer=(name=org.freedesktop.login1, label=systemd-logind),

  dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -45,6 +45,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
       member=GetActive
       peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell),

+  dbus send bus=session path=/org/gnome/Shell
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*, label=gnome-shell),
+  dbus send bus=session path=/org/gnome/Shell
+       interface=org.gnome.Shell.Extensions
+       member=ListExtensions
+       peer=(name=:*, label=gnome-shell),
+
  @{exec_path} mr,

  @{bin}/       r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -11,9 +11,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
-  include <abstractions/dbus-session>
-  include <abstractions/dbus>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
@ -32,6 +32,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),

+  dbus bus=accessibility,
+  dbus bus=session,
+  dbus bus=system,
+
  @{exec_path} mr,

  @{bin}/@{shells}     rUx,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -16,6 +16,7 @@ profile gnome-extension-ding @{exec_path} {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.Notifications>
+  include <abstractions/bus/org.gnome.ArchiveManager1>
  include <abstractions/bus/org.gnome.Nautilus.FileOperations2>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/org.gtk.vfs.Daemon>
@ -29,17 +30,13 @@ profile gnome-extension-ding @{exec_path} {

  unix (send,receive) type=stream addr=none peer=(label=gnome-shell),

-  # dbus: own bus=session name=com.rastersoft.ding
+  # dbus: own bus=session name=com.rastersoft.ding interface={org.freedesktop.DBus.Properties,org.gtk.Actions}
  # dbus: talk bus=session name=com.rastersoft.dingextension label=gnome-shell

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect 
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-  dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=:*, label=nautilus),

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus*
@ -48,6 +45,11 @@ profile gnome-extension-ding @{exec_path} {
       interface=org.freedesktop.DBus*
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),

+  dbus send bus=session path=/org/gtk/vfs/metadata
+       interface=org.gtk.vfs.Metadata
+       member=Set
+       peer=(name=:*, label=gvfsd-metadata),
+
  @{exec_path} mr,

  @{sh_path}                   rix,
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -9,15 +9,20 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-initial-setup
 profile gnome-initial-setup @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
+  include <abstractions/bus/org.a11y>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>

+  network inet stream,
+  network inet6 stream,
  network netlink raw,

-  # dbus: own bus=session name=org.gnome.InitialSetup
+  # dbus: own bus=session name=org.gnome.InitialSetup interface={org.freedesktop.DBus.Properties,org.gtk.Actions}

  @{exec_path} mr,

@ -35,6 +40,9 @@ profile gnome-initial-setup @{exec_path} {

  /var/lib/gdm{,3}/greeter-dconf-defaults r,

+        @{run}/systemd/sessions/@{int} r,
+  owner @{run}/systemd/users/@{uid} r,
+
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,

--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -14,7 +14,6 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
-  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/openssl>

@ -25,13 +24,18 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(term) peer=ssh-agent,

  # dbus: own bus=session name=org.gnome.keyring
-  # dbus: own bus=session name=org.freedesktop.secrets
+  # dbus: own bus=session name=org.freedesktop.{S,s}ecret{,s}

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member=GetSession
+       peer=(name=org.freedesktop.login1, label=systemd-logind),
+
  @{exec_path} mr,

  @{bin}/ssh-add   rix,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -49,7 +49,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {

  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
-       peer=(name=org.freedesktop.systemd1, label=@{systemd}),
+       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -12,6 +12,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>

  capability sys_ptrace,
@ -24,9 +25,14 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {

  signal (send) set=(kill term cont stop),

+  # dbus: own bus=session name=org.gnome.SystemMonitor
+
  @{exec_path} mr,

+  @{bin}/lsblk  rPx,
  @{bin}/pkexec rPx,
+  @{bin}/sed    rix,
+  @{sh_path}    rix,

  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
@ -64,6 +70,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/statm r,
  @{PROC}/@{pids}/wchan r,
+  @{PROC}/diskstats r,
  @{PROC}/vmstat r,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -34,7 +34,7 @@ profile gnome-terminal-server @{exec_path} {
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -13,7 +13,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.ColorManager>
  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -27,6 +26,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {

  # dbus: own bus=session name=org.gnome.SettingsDaemon.Color

+  # dbus: talk bus=system name=org.freedesktop.ColorManager label=colord
+
  @{exec_path} mr,

  /usr/share/dconf/profile/gdm r,
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -39,6 +39,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

+  @{run}/systemd/sessions/@{int} r,
+  @{run}/systemd/users/@{uid} r,
+
+  @{PROC}/@{pid}/cgroup r,
+
  owner /dev/tty@{int} rw,

  include if exists <local/gsd-sharing>
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -26,6 +26,9 @@ profile mutter-x11-frames @{exec_path} {

  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
+  /var/lib/gdm{3,}/greeter-dconf-defaults r,
+
+  @{sys}/devices/@{pci}/boot_vga r,

  owner @{PROC}/@{pid}/cmdline r,