feat(profiles) add initial support for ubuntu 22.04

2022-05-21 16:49:45 +01:00 · 2022-05-21 16:49:45 +01:00 · 0dbe0d2790
commit 0dbe0d2790
parent 3ac7d41bf5
33 changed files with 253 additions and 121 deletions
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@ -30,6 +30,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
  /usr/share/pipewire/client.conf r,
  /usr/share/pipewire/pipewire-pulse.conf r,

+  /var/lib/gdm/.config/pulse/cookie rwk,
+
  owner @{run}/user/@{uid}/pulse/pid w,

  @{sys}/devices/virtual/dmi/id/product_name r,
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -35,6 +35,7 @@ profile polkit-agent-helper @{exec_path} {
  owner @{HOME}/.xsession-errors w,

  @{run}/faillock/[a-zA-z0-9]* rwk,
+  @{run}/systemd/userdb/io.systemd.DynamicUser w,

  include if exists <local/polkit-agent-helper>
 }
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -35,6 +35,8 @@ profile polkitd @{exec_path} {
  # System rules
  /etc/polkit-1/rules.d/ r,
  /etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
+  /etc/polkit-1/localauthority/{,**} r,
+  /etc/polkit-1/localauthority.conf.d/{,**} r,

  # Vendor rules
  /usr/share/polkit-1/rules.d/ r,
@ -46,9 +48,11 @@ profile polkitd @{exec_path} {
  /usr/share/polkit-1/actions/*.policy.choice r,

  owner /var/lib/polkit-1/.cache/ rw,
+        /var/lib/polkit-1/localauthority/{,**} r,

  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
+  @{run}/systemd/userdb/io.systemd.DynamicUser w,

  # Silencer
  deny /.cache/ rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -45,6 +45,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/dconf/user rw,

  owner @{PROC}/@{pids}/cgroup r,
+        @{PROC}/ r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -14,12 +14,20 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/user-download>
+  include <abstractions/user-read>

  @{exec_path} mr,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/ubuntu/applications/ r,
  /usr/share/X11/xkb/{,**} r,

+  /etc/gnome/defaults.list r,
+
+  /var/lib/snapd/desktop/icons/{,**} r,
+
+  owner @{user_share_dirs}/ r,
+
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,

--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -20,6 +20,8 @@ profile xdg-document-portal @{exec_path} {
  / r,

  owner @{user_share_dirs}/flatpak/db/documents r,
+
+  owner @{run}/user/@{uid}/bus rw,
  owner @{run}/user/@{uid}/doc/ rw,

  owner @{PROC}/@{pid}/fd/ r,