felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: better wayland client integration.

Browse source
This commit is contained in:
Alexandre Pujol 2023-05-27 23:54:53 +01:00
parent 55da5276dd
commit 3c41453591
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
29 changed files with 36 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/gnome/gjs-console
View file

@ -21,6 +21,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
include <abstractions/opencl-nvidia>
include <abstractions/openssl>
include <abstractions/vulkan>
include <abstractions/wayland>
network netlink raw,
@ -99,9 +100,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/gstreamer-1.0/ rw,
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,

2
apparmor.d/groups/gnome/gnome-calculator-search-provider
View file

@ -17,6 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} {
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/vulkan>
include <abstractions/wayland>
signal (send) set=kill peer=unconfined,
@ -28,7 +29,6 @@ profile gnome-calculator-search-provider @{exec_path} {
/usr/share/icons/{,**} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pids}/cmdline r,

5
apparmor.d/groups/gnome/gnome-characters-backgroudservice
View file

@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService
profile gnome-characters-backgroudservice @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/wayland>
@{exec_path} mr,
@ -24,8 +25,6 @@ profile gnome-characters-backgroudservice @{exec_path} {
/etc/gtk-3.0/settings.ini r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,

4
apparmor.d/groups/gnome/gnome-control-center-print-renderer
View file

@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-control-center-print-renderer
profile gnome-control-center-print-renderer @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
@ -20,6 +20,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
include <abstractions/vulkan>
include <abstractions/wayland>
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
@ -44,7 +45,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
owner @{user_share_dirs}/icons/{,**} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,

2
apparmor.d/groups/gnome/gnome-control-center-search-provider
View file

@ -18,6 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} {
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/vulkan>
include <abstractions/wayland>
@{exec_path} mr,
@ -26,7 +27,6 @@ profile gnome-control-center-search-provider @{exec_path} {
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
include if exists <local/gnome-control-center-search-provider>
}

6
apparmor.d/groups/gnome/gnome-session-binary
View file

@ -9,17 +9,18 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-session-binary
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/vulkan>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X-strict>
network inet stream,
@ -230,7 +231,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
owner @{run}/user/@{uid}/systemd/notify w,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@{sys}/devices/**/{vendor,device} r,

2
apparmor.d/groups/gnome/gnome-shell
View file

@ -32,6 +32,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
include <abstractions/thumbnails-cache-read>
include <abstractions/video>
include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X-strict>
capability sys_nice,
@ -589,7 +590,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,

3
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -15,6 +15,7 @@ profile gnome-terminal-server @{exec_path} {
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/wayland>
signal (send) set=(term hup kill) peer=unconfined,
ptrace (read) peer=unconfined,
@ -47,8 +48,6 @@ profile gnome-terminal-server @{exec_path} {
owner @{user_config_dirs}/*xdg-terminals.list* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /tmp/#[0-9]* rw,

3
apparmor.d/groups/gnome/gsd-color
View file

@ -17,6 +17,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=(term, hup) peer=gdm*,
@ -134,8 +135,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/icc/edid-*.icc rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /dev/tty[0-9]* rw,

3
apparmor.d/groups/gnome/gsd-keyboard
View file

@ -17,6 +17,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=(term, hup) peer=gdm*,
@ -108,8 +109,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /dev/tty[0-9]* rw,

3
apparmor.d/groups/gnome/gsd-media-keys
View file

@ -19,6 +19,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=(term, hup) peer=gdm*,
@ -183,8 +184,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
owner /dev/tty[0-9]* rw,

3
apparmor.d/groups/gnome/gsd-power
View file

@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
network netlink raw,
@ -183,8 +184,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:*backlight* r,

7
apparmor.d/groups/gnome/gsd-wacom
View file

@ -9,13 +9,14 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-wacom
profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
signal (receive) set=(term, hup) peer=gdm*,
@ -107,8 +108,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
/usr/share/mime/mime.cache r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9] rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,

3
apparmor.d/groups/gnome/gsd-xsettings
View file

@ -20,6 +20,7 @@ profile gsd-xsettings @{exec_path} {
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/wayland>
network inet stream,
network inet6 stream,
@ -143,8 +144,6 @@ profile gsd-xsettings @{exec_path} {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,