felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): enable desktop user variable everywhere.

Browse source 
Also restrict access to these files.
This commit is contained in:
Alexandre Pujol 2024-03-19 11:26:57 +00:00
parent a370281e9b
commit 3787eb1745
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
26 changed files with 80 additions and 119 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/freedesktop/dconf
View file

@ -21,8 +21,8 @@ profile dconf @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/dconf/{,**} r,
/var/lib/gdm{3,}/ r,
/var/lib/gdm{3,}/greeter-dconf-defaults{,.@{rand6}} rw,
owner @{GDM_HOME}/ r,
owner @{GDM_HOME}/greeter-dconf-defaults{,.@{rand6}} rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,

6
apparmor.d/groups/freedesktop/dconf-service
View file

@ -25,9 +25,9 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/var/lib/gdm{3,}/.config/dconf/ rw,
/var/lib/gdm{3,}/.config/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/user.* rw,
owner @{desktop_config_dirs}/dconf/ rw,
owner @{desktop_config_dirs}/dconf/user rw,
owner @{desktop_config_dirs}/dconf/user.* rw,
owner @{user_config_dirs}/dconf/ rw,
owner @{user_config_dirs}/dconf/user{,.*} rw,

2
apparmor.d/groups/freedesktop/pipewire
View file

@ -44,8 +44,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
/etc/pipewire/{,**} r,
/var/lib/gdm{3,}/.config/pulse/cookie rk,
/ r,
/.flatpak-info r,

2
apparmor.d/groups/freedesktop/pipewire-media-session
View file

@ -43,7 +43,7 @@ profile pipewire-media-session @{exec_path} {
/etc/pipewire/*.conf r,
/etc/pipewire/media-session.d/*.conf r,
/var/lib/gdm{3,}/.local/state/pipewire/media-session.d/* rw,
owner @{desktop_local_dirs}/state/pipewire/media-session.d/* rw,
owner @{user_state_dirs}/ rw,
owner @{user_state_dirs}/pipewire/{,**} rw,

2
apparmor.d/groups/freedesktop/pipewire-pulse
View file

@ -31,8 +31,6 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
/ r,
/.flatpak-info r,
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
owner @{run}/user/@{uid}/pulse/pid w,
owner /tmp/librnnoise-@{int}.so rm,

24
apparmor.d/groups/freedesktop/pulseaudio
View file

@ -91,25 +91,11 @@ profile pulseaudio @{exec_path} {
/var/lib/snapd/desktop/applications/ r,
# For GDM
owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
owner /var/lib/gdm{[1-9],}/.config/pulse/cookie k,
owner /var/lib/gdm{[1-9],}/.config/dconf/user r,
# For SDDM
owner /var/lib/sddm/.config/pulse/ rw,
owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw,
owner /var/lib/sddm/.config/pulse/*-default-{sink,source} rw,
owner /var/lib/sddm/.config/pulse/*-card-database.tdb rw,
owner /var/lib/sddm/.config/pulse/cookie rwk,
# For lightdm
owner /var/lib/lightdm/.config/ w,
owner /var/lib/lightdm/.config/pulse/{,**} rw,
owner /var/lib/lightdm/.config/pulse/cookie k,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
owner @{desktop_config_dirs}/dconf/user r,
owner @{desktop_config_dirs}/pulse/{,**} rw,
owner @{desktop_config_dirs}/pulse/cookie k,
owner @{user_config_dirs}/ w,
owner @{user_config_dirs}/pulse/{,**} rw,

5
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -66,9 +66,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
/usr/share/dconf/profile/gdm r,
/usr/share/thumbnailers/{,**} r,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/snapd/desktop/icons/{,**} r,
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
owner @{HOME}/*/{,**} rw,

7
apparmor.d/groups/freedesktop/xorg
View file

@ -74,10 +74,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
owner /var/log/Xorg.@{int}.log{,.old} rw,
owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
/var/lib/gdm{3,}/.local/share/xorg/ rw,
/var/lib/gdm{3,}/.local/share/xorg/Xorg.@{int}.log{,.old} rw,
/var/lib/gdm{3,}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner @{desktop_share_dirs}/xorg/ rw,
owner @{desktop_share_dirs}/xorg/Xorg.@{int}.log{,.old} rw,
owner @{desktop_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw,
@{run}/nvidia-xdriver-* rw,
@{run}/sddm/{,**} rw,

2
apparmor.d/groups/freedesktop/xwayland
View file

@ -28,8 +28,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
/usr/share/fonts/{,**} r,
/usr/share/ghostscript/fonts/{,**} r,
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner /tmp/server-@{int}.xkm rwk,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
owner @{run}/user/@{uid}/server-@{int}.xkm rw,