diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete
index 924eceb55..801c37020 100644
--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@@ -5,11 +5,13 @@
 owner @{HOME}/.icons/{,**} r,
- @{system_share_dirs}/*ubuntu/applications/{**,} r,
- @{system_share_dirs}/gnome/applications/{**,} r,
- @{system_share_dirs}/xfce4/applications/{**,} r,
+ @{system_share_dirs}/*ubuntu/applications/{,**} r,
+ @{system_share_dirs}/gnome/applications/{,**} r,
+ @{system_share_dirs}/xfce4/applications/{,**} r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /etc/gnome/defaults.list r,
 /etc/xfce4/defaults.list r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /var/lib/snapd/desktop/icons/{,**} r,
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
new file mode 100644
index 000000000..1b4ea2b04
--- /dev/null
+++ b/apparmor.d/abstractions/gnome-strict
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ include
+ include
+ include
+ include
+ include
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
+ @{lib}/{,/@{multiarch}/}gtk*/** mr,
+
+ /usr/{local/,}share/ r,
+ /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
+ /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r,
+
+ /etc/gnome/* r,
+ /etc/xdg/{,*-}mimeapps.list r,
+
+ /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
+
+ owner @{HOME}/.local/ rw,
+ owner @{user_cache_dirs}/ rw,
+ owner @{user_config_dirs}/ rw,
+ owner @{user_share_dirs}/ rw,
+
+ include if exists
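Review bot: The relocated line `/usr/share/glib-2.0/schemas/gschemas.compiled r,` still hard-codes both the `/usr/share` prefix and the `2.0` version, while the three rules directly above it use `@{system_share_dirs}` and the gnome-strict abstraction added in this same commit spells the same tree as `glib-@{int}.@{int}`; `@{system_share_dirs}/glib-@{int}.@{int}/schemas/gschemas.compiled r,` would keep the file consistent with both. The `{**,}` to `{,**}` rewrite of the three applications rules looks like a purely cosmetic normalisation of the alternation with no change in what is granted, which is worth saying in the commit message so a later reader does not hunt for a semantic difference. Whether the final `/var/lib/snapd/desktop/icons/{,**} r,` is itself an added rule or a new blank line followed by unchanged context is not recoverable from this rendering; confirm against the actual patch, since an added snapd icon rule would deserve a mention of its own.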
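Review bot: `@{lib}/{,/@{multiarch}/}gtk*/** mr,` yields a doubled slash (`@{lib}//@{multiarch}/gtk*`) whenever the second alternative is taken; as far as I recall apparmor_parser collapses repeated slashes in file rules, but `@{lib}/{,@{multiarch}/}gtk*/** mr,` states the intent without relying on that normalisation. The `abi` line and all six `include` lines show no `<…>` operand in this rendering, presumably stripped by the HTML extraction; confirm the committed file carries them, because a bare `include` does not parse. A one-line header comment under the license block describing what this abstraction narrows compared with the broader desktop abstractions the repo ships, e.g. `# Minimal GTK/GNOME access: schemas, mimeapps, gvfs monitors and the user XDG directory entries only`, would help profile authors choose between them, since the file otherwise gives no indication of when "strict" is the right pick.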