feat(profile): general update.
This commit is contained in:
parent
43ab1d064d
commit
197c1bd78a
43 changed files with 148 additions and 236 deletions
|
|
@ -11,13 +11,11 @@ profile epiphany-search-provider @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/enchant>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
capability kill,
|
||||
capability net_admin,
|
||||
capability sys_nice,
|
||||
capability sys_tty_config,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -32,6 +33,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
signal (send) set=(term) peer=gdm-session-worker,
|
||||
signal (send) set=(term) peer=gdm-session,
|
||||
signal (send) set=(term) peer=gnome-session-binary,
|
||||
signal (send) set=(term) peer=jackdbus,
|
||||
signal (send) set=(term) peer=tracker-miner,
|
||||
signal (send) set=(term) peer=xdg-*,
|
||||
signal (send) set=(term) peer=xorg,
|
||||
|
|
@ -52,10 +54,12 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/chvt rix,
|
||||
@{bin}/pidof rPx,
|
||||
@{bin}/plymouth rPx,
|
||||
@{bin}/prime-switch rPUx,
|
||||
@{bin}/sleep rix,
|
||||
@{bin}/systemd-cat rPx,
|
||||
@{lib}/{,gdm/}gdm-session-worker rPx,
|
||||
/etc/gdm{3,}/PrimeOff/Default rix,
|
||||
|
||||
|
|
@ -70,7 +74,10 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/sysconfig/displaymanager r,
|
||||
/etc/sysconfig/windowmanager r,
|
||||
|
||||
/var/{lib,log}/gdm{3,}/ rw,
|
||||
/var/lib/gdm{3,}/ rw,
|
||||
/var/lib/gdm{3,}/block-initial-setup rw,
|
||||
|
||||
/var/log/gdm{3,}/ rw,
|
||||
|
||||
owner @{GDM_HOME}/block-initial-setup rw,
|
||||
|
||||
|
|
@ -81,6 +88,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/gdm{3,}.pid rw,
|
||||
owner @{run}/gdm{3,}/ rw,
|
||||
owner @{run}/gdm{3,}/custom.conf r,
|
||||
owner @{run}/gdm{3,}/dbus/ w,
|
||||
owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
|
||||
owner @{run}/gdm{3,}/gdm.pid rw,
|
||||
|
||||
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
||||
|
|
@ -92,6 +101,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/1/environ r,
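Review bot: The new side of the `/var` hunk carries three overlapping rules: `/var/{lib,log}/gdm{3,}/ rw,` already grants exactly what `/var/lib/gdm{3,}/ rw,` and `/var/log/gdm{3,}/ rw,` grant, so two of the three are dead weight and make later audits harder. Keep one form, preferably the two explicit lines so the next reader does not have to expand the brace alternation to see that the log directory is writable. Elsewhere in the same section, `/etc/gdm{3,}/PrimeOff/Default rix,` runs a script from /etc inside gdm's own profile, which inherits `capability net_admin`, `kill` and `sys_tty_config`; if that rule is part of this commit a one-line comment such as `# Prime/Optimus switch hook, runs confined as gdm` would record why `ix` rather than a child profile was chosen. The gdm profile starts and ends outside the hunks shown.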
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ profile gdm-session @{exec_path} {
|
|||
|
||||
owner @{gdm_cache_dirs}/gdm/ rw,
|
||||
owner @{gdm_cache_dirs}/gdm/Xauthority rw,
|
||||
owner @{gdm_config_dirs}/.config/dconf/user r,
|
||||
owner @{gdm_config_dirs}/dconf/user r,
|
||||
owner @{GDM_HOME}/greeter-dconf-defaults r,
|
||||
|
||||
owner @{run}/gdm{3,}/custom.conf r,
|
||||
|
|
|
|||
|
|
@ -69,6 +69,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/wayland-sessions/*.desktop r,
|
||||
/usr/share/xsessions/gnome-xorg.desktop r,
|
||||
|
||||
# Add user; set password on first login
|
||||
/etc/.pwd.lock wk,
|
||||
/etc/nshadow rw,
|
||||
/etc/shadow w,
|
||||
|
||||
@{etc_ro}/environment r,
|
||||
@{etc_ro}/security/limits.d/{,*.conf} r,
|
||||
/etc/default/locale r,
|
||||
|
|
@ -93,30 +98,28 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/systemd/seats/seat@{int} r,
|
||||
owner @{run}/user/@{uid}/keyring/control rw,
|
||||
|
||||
@{run}/gdm{3,}/custom.conf r,
|
||||
owner @{run}/gdm{3,}/dbus/ w,
|
||||
owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
|
||||
|
||||
@{run}/cockpit/active.motd r,
|
||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||
@{run}/gdm{3,}/custom.conf r,
|
||||
@{run}/motd.d/{,*} r,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
@{run}/utmp rwk,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/1/limits r,
|
||||
@{PROC}/keys r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid rw,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
|
||||
owner @{PROC}/@{pid}/uid_map r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/1/limits r,
|
||||
@{PROC}/keys r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/tty@{int} rw,
|
||||
|
||||
# Add user; set password on first login
|
||||
/etc/.pwd.lock wk,
|
||||
/etc/nshadow rw,
|
||||
/etc/shadow w,
|
||||
|
||||
include if exists <local/gdm-session-worker>
|
||||
}
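Review bot: The faillock rule on the new side, `@{run}/faillock/[a-zA-z0-9]* rwk,`, has a mis-cased range: `A-z` spans the ASCII characters between `Z` and `a` as well (`[`, `\`, `]`, `^`, `_`, `` ` ``), so the intended `A-Z` reads `@{run}/faillock/[a-zA-Z0-9]* rwk,`. The over-match is small, but it is the kind of glob typo that hides a real filename restriction, and faillock records are written with `k` (lock) and `w`. This line appears to be context rather than part of the reorder, so the commit does not address it. The gdm-session-worker profile closes at the end of this hunk but opens outside it.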
|
||||
|
|
|
|||
|
|
@ -9,12 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/gkbd-keyboard-display
|
||||
profile gkbd-keyboard-display @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/dconf-write>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/X11/{,**} r,
|
||||
|
||||
include if exists <local/gkbd-keyboard-display>
|
||||
}
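Review bot: The include list now reads base, fonts, gnome-strict, dconf-write, which breaks the alphabetical ordering every other profile in this commit keeps (compare the epiphany-search-provider and loupe sections above). Moving `include <abstractions/dconf-write>` up to sit between `<abstractions/base>` and `<abstractions/fonts>` keeps the profile consistent and makes a later diff of the include set easy to read. This is style only; the permissions granted are unchanged.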
|
||||
|
|
@ -60,6 +60,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/language-tools/language2locale rix,
|
||||
/usr/share/language-tools/language-options rPUx,
|
||||
|
||||
@{open_path} rPx -> child-open-browsers,
|
||||
|
||||
/opt/**/share/icons/{,**} r,
|
||||
/snap/*/@{int}/**.png r,
|
||||
/usr/share/backgrounds/{,**} r,
|
||||
|
|
@ -99,6 +101,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_cache_dirs}/thumbnails/{,**} rw,
|
||||
|
||||
owner @{user_config_dirs}/background rw,
|
||||
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
|
||||
owner @{user_config_dirs}/ibus/bus/ r,
|
||||
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
|
|||
@{bin}/bwrap mr,
|
||||
@{bin}/*-thumbnailer rix,
|
||||
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -76,7 +76,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
@{etc_ro}/xdg/autostart/{,*.desktop} r,
|
||||
|
||||
owner @{gdm_cache_dirs}/gdm/Xauthority r,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/index rw,
|
||||
owner @{gdm_config_dirs}/dconf/user rw,
|
||||
owner @{gdm_config_dirs}/gnome-session/ rw,
|
||||
owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
|
||||
|
|
@ -140,7 +139,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
|
||||
@{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx,
|
||||
@{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
|
||||
@{lib}/baloo_file rPx,
|
||||
@{lib}/caribou/caribou rPUx,
|
||||
@{lib}/deja-dup/deja-dup-monitor rPx,
|
||||
@{lib}/gsd-disk-utility-notify rPx,
|
||||
|
|
@ -149,6 +147,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
@{thunderbird_path} rPx,
|
||||
/usr/share/libpam-kwallet-common/pam_kwallet_init rPUx,
|
||||
|
||||
#aa:exec baloo
|
||||
#aa:exec evolution-alarm-notify
|
||||
@{lib}/kdeconnectd rPUx,
|
||||
@{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx,
|
||||
|
|
|
|||
|
|
@ -87,6 +87,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
# Talk with gnome-shell
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
|
||||
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
|
||||
|
||||
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
|
||||
|
|
@ -109,15 +110,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
member={RegisterWithCapabilities,Unregister}
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
member=DeleteDevice
|
||||
peer=(name=:*, label=colord),
|
||||
dbus receive bus=system path=/org/freedesktop/ColorManager
|
||||
interface=org.freedesktop.ColorManager
|
||||
member=ProfileAdded
|
||||
peer=(name=:*, label=colord),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
|
|
@ -252,11 +244,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
|
||||
owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
|
||||
owner @{gdm_cache_dirs}/libgweather/ r,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/ rw,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/ rw,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex} rw,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
|
||||
owner @{gdm_cache_dirs}/mesa_shader_cache/index rw,
|
||||
owner @{gdm_config_dirs}/dconf/user r,
|
||||
owner @{gdm_config_dirs}/ibus/ rw,
|
||||
owner @{gdm_config_dirs}/ibus/bus/ rw,
|
||||
|
|
@ -314,7 +301,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
/tmp/.X@{int}-lock rw,
|
||||
/tmp/dbus-@{rand8} rw,
|
||||
owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
|
||||
owner /tmp/@{rand6}.shell-extension.zip rw,
|
||||
owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
|
||||
|
||||
@{run}/systemd/users/@{uid} r,
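Review bot: Replacing the two explicit colord rules (send `DeleteDevice`, receive `ProfileAdded` on `/org/freedesktop/ColorManager`) with `#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord` widens gnome-shell's reach on the system bus: if the directive expands the way the neighbouring `talk` lines do, it yields send and receive for every member of that name, not just the two members previously allowed. That may well be the intent (a single directive is easier to maintain), but the commit message says nothing about it and the widening is on a system-bus service. If the narrower grant was sufficient, keep the explicit rules; otherwise a short comment such as `# Full ColorManager access: gnome-shell manages device profiles` next to the directive would record the decision. The gnome-shell profile extends beyond the hunks shown.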
|
||||
|
|
|
|||
|
|
@ -11,13 +11,9 @@ profile kgx @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/nvidia>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/user-read>
|
||||
include <abstractions/trash-strict>
|
||||
|
||||
signal (send) set=(kill) peer=loupe//bwrap,
|
||||
|
||||
|
|
@ -23,6 +23,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/usr/share/glycin-loaders/{,**} r,
|
||||
|
||||
/ r,
|
||||
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
||||
|
|
|
|||
|
|
@ -27,9 +27,9 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
|
|||
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
/usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r,
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
|
|
|
|||
|
|
@ -31,11 +31,23 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
|||
#aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files
|
||||
#aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.RSS
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=:*, label=nautilus),
|
||||
dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
|
||||
interface=org.freedesktop.Tracker3.Endpoint
|
||||
member=Query
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/tracker-extract-3 rix,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
|
||||
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
/usr/share/tracker3-miners/{,**} r,
|
||||
/usr/share/tracker3/{,**} r,
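Review bot: The new read rules for `/usr/share/dconf/profile/gdm` and `/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list}` have no comment saying why a file indexer touches GDM greeter data; presumably tracker-miner is also started inside the greeter session as the gdm user, but that is not visible from the hunk. A one-line comment above them, `# Also started in the GDM greeter session (runs as the gdm user)`, would stop a later reader from treating them as over-broad. The new `dbus receive` rules are correctly narrowed to `label=nautilus`, so other Tracker3 clients will be denied the `Query` endpoint unless further rules exist outside this hunk. The tracker-miner profile continues beyond the lines shown.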
|
||||
|
||||
|
|
|
|||