feat(profile): revisit electron based profiles.

- cleanup and enforce signal - fix discord fix #773 #777
2025-08-14 15:40:52 +02:00 · 2025-08-14 15:40:52 +02:00 · 38ac0f580d
commit 38ac0f580d
parent d8875ab826
13 changed files with 22 additions and 40 deletions
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@ -16,6 +16,7 @@
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} {
  @{exec_path} r,
-  @{sh_path}       rix,
+  @{sh_path}       r,
  @{bin}/{,e}grep  rix,
  @{bin}/basename  rix,
  @{bin}/cat        ix,
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -28,7 +28,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,
  @{sh_path} rix,
-  @{bin}/gsettings     rix,
+  @{bin}/gsettings     rPx,
  @{open_path}         rPx -> child-open-browsers,
  owner @{user_cache_dirs}/dconf/user rw,
--- a/apparmor.d/profiles-a-f/discord
+++ b/apparmor.d/profiles-a-f/discord
@ -13,7 +13,7 @@ include <tunables/global>
@{cache_dirs} = @{user_cache_dirs}/@{name}
@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB}
-profile discord @{exec_path} {
+profile discord @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
@ -31,13 +31,15 @@ profile discord @{exec_path} {
  @{exec_path} mrix,
  @{sh_path}    rix,
  @{bin}/lsb_release rPx,
  @{lib_dirs}/chrome-sandbox rix,
  @{lib_dirs}/chrome_crashpad_handler rix,
  @{bin}/lsb_release   rPx,
  @{bin}/xdg-mime      rPx,
  @{open_path}         rPx -> child-open-strict,
  /etc/ r,
  /etc/lsb-release r,
  owner @{user_videos_dirs}/{,**} rwl,
@ -52,6 +54,7 @@ profile discord @{exec_path} {
  owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/task/@{tid}/comm r,
  include if exists <local/discord>
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@ -30,11 +30,9 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{sh_path} r,
  @{open_path}         rPx -> child-open-strict,
  #aa:stack X xdg-settings
  @{bin}/xdg-settings  rPx -> element-desktop//&xdg-settings,
  @{open_path}          Px -> child-open-strict,
  /usr/share/webapps/element/{,**} r,
--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@ -34,10 +34,9 @@ profile freetube @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,
  @{open_path}         rPx -> child-open-strict,
  #aa:stack X xdg-settings
  @{bin}/xdg-settings  rPx -> freetube//&xdg-settings,
  @{open_path}         rPx -> child-open-strict,
  deny @{sys}/devices/@{pci}/usb@{int}/** r,
  deny /dev/ r,
--- a/apparmor.d/profiles-g-l/linuxqq
+++ b/apparmor.d/profiles-g-l/linuxqq
@ -17,7 +17,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/audio-client>
  include <abstractions/common/electron>
  include <abstractions/fontconfig-cache-read>
  network netlink raw,
  network netlink dgram,
--- a/apparmor.d/profiles-m-r/protonmail
+++ b/apparmor.d/profiles-m-r/protonmail
@ -13,7 +13,7 @@ include <tunables/global>
@{cache_dirs} = @{user_cache_dirs}/@{name}
@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton*
-profile protonmail @{exec_path} flags=(complain) {
+profile protonmail @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus/org.freedesktop.secrets>
@ -24,11 +24,12 @@ profile protonmail @{exec_path} flags=(complain) {
  network inet6 dgram,
  network netlink raw,
-  ptrace read peer=xdg-settings,
+  ptrace read peer=protonmail//&xdg-settings,
  @{exec_path} mrix,
-  @{bin}/xdg-settings Px,
+  #aa:stack X xdg-settings
  @{bin}/xdg-settings  rPx -> protonmail//&xdg-settings,
  @{open_path}          Px -> child-open,
  owner @{user_config_dirs}/ibus/bus/ r,
@ -38,7 +39,6 @@ profile protonmail @{exec_path} flags=(complain) {
  owner @{tmp}/gtkprint_ppd_@{rand6} rw,
  include if exists <local/protonmail>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@ -21,7 +21,6 @@ profile signal-desktop @{exec_path} {
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/common/electron>
  include <abstractions/devices-usb-read>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/user-download-strict>
  include <abstractions/video>
@ -31,31 +30,19 @@ profile signal-desktop @{exec_path} {
  network inet6 stream,
  network netlink raw,
  ptrace read peer=signal-desktop//&xdg-settings,
  @{exec_path} mrix,
-  @{bin}/getconf       rix,
+  @{lib_dirs}/chrome_crashpad_handler rix,
-  @{open_path}         rPx -> child-open-strict,
+  @{lib_dirs}/chrome-sandbox rPx,
  #aa:stack X xdg-settings
  @{bin}/xdg-settings  rPx -> signal-desktop//&xdg-settings,
-
+  @{open_path}         rPx -> child-open-strict,
  audit @{lib_dirs}/chrome-sandbox rPx,
  @{lib_dirs}/chrome_crashpad_handler rix,
  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/vmstat r,
  /dev/tty rw,
  include if exists <local/signal-desktop>
 }
--- a/apparmor.d/profiles-s-z/wechat
+++ b/apparmor.d/profiles-s-z/wechat
@ -17,7 +17,6 @@ profile wechat @{exec_path} flags=(attach_disconnected) {
  include <abstractions/audio-client>
  include <abstractions/common/electron>
  include <abstractions/consoles>
  include <abstractions/fontconfig-cache-read>
  network netlink raw,
  network netlink dgram,
--- a/apparmor.d/profiles-s-z/wechat-appimage
+++ b/apparmor.d/profiles-s-z/wechat-appimage
@ -17,7 +17,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
  include <abstractions/audio-client>
  include <abstractions/common/electron>
  include <abstractions/consoles>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/path>
  network netlink raw,
--- a/apparmor.d/profiles-s-z/wechat-universal
+++ b/apparmor.d/profiles-s-z/wechat-universal
@ -18,7 +18,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/common/bwrap>
  include <abstractions/common/electron>
  include <abstractions/consoles>
  include <abstractions/fontconfig-cache-read>
  network netlink raw,
  network netlink dgram,
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -75,7 +75,7 @@ deb-systemd-invoke complain
 debconf-escape complain
 decibels complain
 dino attach_disconnected,complain
-discord complain
+discord attach_disconnected,complain
 discord-chrome-sandbox complain
 DiscoverNotifier complain
 dkms attach_disconnected,complain
@ -281,8 +281,6 @@ sddm attach_disconnected,mediate_deleted,complain
 sddm-greeter complain
 secure-time-sync attach_disconnected,complain
 sftp-server complain
 signal-desktop attach_disconnected,complain
 signal-desktop-chrome-sandbox complain
 sing-box complain
 slirp4netns attach_disconnected,complain
 snap complain