diff --git a/apparmor.d/profiles-m-r/pulseaudio b/apparmor.d/profiles-m-r/pulseaudio
index b86869c20..fa5e9ea50 100644
--- a/apparmor.d/profiles-m-r/pulseaudio
+++ b/apparmor.d/profiles-m-r/pulseaudio
@@ -13,6 +13,8 @@ profile pulseaudio @{exec_path} {
 include
 include
 include
+# include
+# include
 include
 ptrace (trace) peer=@{profile_name},
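Review bot: The two `# include` lines added near the top of the profile are commented out with no reason given, so a reader cannot tell whether they are pending, rejected, or simply forgotten. If they are meant to stay out, drop them; if they are pending, record what blocks them, e.g. `# TODO: enable once <blocking reason> is resolved`. The include targets are not legible in the hunk as shown, so this is a point about the form of the lines only.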
@@ -62,23 +64,64 @@ profile pulseaudio @{exec_path} {
 @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
 @{run}/udev/data/+sound* r,
 @{run}/udev/data/c116:[0-9]* r, # For ALSA
-
+ @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]/meminfo r,
- owner @{run}/user/@{uid}/dconf/ w,
- owner @{run}/user/@{uid}/dconf/user rw,
- @{run}/systemd/users/@{uid} r,
- @{run}/user/@{uid}/ICEauthority r,
+
+ owner @{run}/user/@{uid}/dconf/ w,
+ owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/ICEauthority r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/stat r,
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
+ # DBus
+ owner @{run}/user/@{uid}/systemd/notify rw,
+ # include?
+ @{run}/dbus/system_bus_socket rw,
+ owner @{run}/user/@{uid}/bus rw,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,RequestName,AddMatch,RemoveMatch,GetNameOwner,ReleaseName}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (receive)
+ bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect,
+
+ dbus (bind)
+ bus=session
+ name=org.PulseAudio1,
+
+ dbus (bind)
+ bus=session
+ name=org.freedesktop.ReserveDevice1.Audio0,
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/RealtimeKit1
+ member={Get,MakeThreadHighPriority,MakeThreadRealtime},
+
+ unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/[0-9]*),
+ unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/[0-9]*),
+
 # The orcexec.* file is JIT compiled code for various GStreamer elements.
 # If one is blocked the next is used instead.
 owner @{run}/user/@{uid}/orcexec.* mrw,
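Review bot: The RealtimeKit rule (`dbus (send) bus=system path=/org/freedesktop/RealtimeKit1 member={Get,MakeThreadHighPriority,MakeThreadRealtime},`) carries no `interface=` and no `peer=` constraint, unlike every other send rule in this hunk, so it allows those method names towards any system-bus peer exposing that object path; add `peer=(name=org.freedesktop.RealtimeKit1),` and, since `Get` belongs to `org.freedesktop.DBus.Properties` while the two `MakeThread*` members belong to `org.freedesktop.RealtimeKit1`, consider splitting it into two rules each with its own `interface=`. The `# include?` comment above `@{run}/dbus/system_bus_socket rw,` and `owner @{run}/user/@{uid}/bus rw,` reads as an unresolved question left in the profile; those two socket rules are what `abstractions/dbus-strict` and `abstractions/dbus-session-strict` provide, so either switch to the includes or replace the comment with a sentence on why they are spelled out here. The `dbus (bind)` on `name=org.freedesktop.ReserveDevice1.Audio0` covers only the first sound card; if hosts with several cards are expected, a glob such as `name=org.freedesktop.ReserveDevice1.Audio[0-9]*` is presumably needed.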
@@ -99,5 +142,9 @@ profile pulseaudio @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
+ # Ubuntu
+ /var/lib/snapd/desktop/applications/ r,
+ /usr/{,local/}share/ubuntu/applications/{,*} r,
+ include if exists
 }
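Review bot: The `# Ubuntu` header above the two new desktop-application reads names the distribution but not what in pulseaudio needs them, so a later reviewer cannot tell whether they are still required or could be narrowed; expand it to something like `# Ubuntu: desktop-entry lookups, see <log line or issue that motivated this rule>`. The rules themselves are read-only on the directory and its direct children, which is suitably narrow.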