feat(profiles): better integration with openSUSE.

See #134
2023-03-27 22:22:36 +01:00 · 2023-03-27 22:22:36 +01:00 · 41766ebd2a
commit 41766ebd2a
parent 4ca3ced1a5
20 changed files with 82 additions and 30 deletions
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -39,6 +39,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,

+  owner /tmp/runtime-cb/xauth_?????? r,
+
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  /var/lib/lightdm/.Xauthority r,
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -89,6 +89,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,

+  owner /tmp/runtime-cb/xauth_?????? r,
+
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -18,11 +18,11 @@ profile pulseaudio @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
+  include <abstractions/freedesktop.org>
  include <abstractions/gstreamer>
  include <abstractions/hosts_access>
  include <abstractions/nameservice-strict>
  include <abstractions/X-strict>
-  include <abstractions/freedesktop.org>

  ptrace (trace) peer=@{profile_name},

@ -140,12 +140,13 @@ profile pulseaudio @{exec_path} {
  owner /var/lib/lightdm/.config/pulse/{,**}  rw,
  owner /var/lib/lightdm/.config/pulse/cookie   k,

+  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
+  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+
  owner @{user_config_dirs}/ w,
  owner @{user_config_dirs}/pulse/{,**} rw,

  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
-       /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
-       /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,

  owner @{run}/user/@{uid}/ rw,
  owner @{run}/user/@{uid}/pulse/{,*} rw,
@ -167,6 +168,9 @@ profile pulseaudio @{exec_path} {
  owner @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pids}/cmdline r,

+  /dev/media[0-9]* r,
+  /dev/video[0-9]* rw,
+
  # file_inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -111,6 +111,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/nautilus    rPx,
  /{usr/,}bin/snap        rPx,

+  /{usr/,}bin/kreadconfig5 rPUx,
  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
  /{usr/,}lib/xdg-desktop-portal-validate-icon             rPUx,
@ -142,5 +143,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/task/@{tid}/status r,
  owner @{PROC}/@{pids}/cgroup r,

+  /dev/tty rw,
+
  include if exists <local/xdg-desktop-portal>
 }
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -9,15 +9,18 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
-  include <abstractions/nameservice-strict>
+  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dconf-write>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download>
  include <abstractions/user-write>
@ -153,10 +156,14 @@ profile xdg-desktop-portal-gtk @{exec_path} {

  / r,

+  owner /var/lib/xkb/server-[0-9]*.xkm rw,
+
  owner @{HOME}/ r,
  owner @{HOME}/.* r,
  owner @{HOME}/@{XDG_DATA_HOME}/ r,

+  owner /tmp/runtime-cb/xauth_?????? r,
+
        @{run}/mount/utab r,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -22,14 +22,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/opencl>
  include <abstractions/vulkan>

+  capability ipc_owner,
  capability setgid,
  capability setuid,
  capability sys_admin,

-  # These can be denied.
-  #deny capability dac_override,
-  #deny capability sys_rawio,
-  # deny capability sys_nice,
+  # These can be denied?
+  #audit capability dac_override,
+  #audit capability sys_rawio,
+  #audit capability sys_nice,
  #capability sys_tty_config,

  signal (send) set=(usr1),
@ -64,6 +65,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/xorg/modules/** mr,

  /var/lib/xkb/server-[0-9]*.xkm rw,
+  /var/lib/xkb/compiled/server-[0-9]*.xkm rw,

  /usr/share/egl/{,**} rw,
  /usr/share/libinput*/ r,
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -12,11 +13,13 @@ profile xprop @{exec_path} {

  @{exec_path} mr,

-  owner @{HOME}/.Xauthority r,
-
-  owner @{HOME}/.icons/default/index.theme r,
  /usr/share/icons/*/cursors/crosshair r,

+  owner @{HOME}/.Xauthority r,
+  owner @{HOME}/.icons/default/index.theme r,
+  
+  owner /tmp/runtime-cb/xauth_?????? r,
+
  # file_inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -17,7 +17,7 @@ profile xrdb @{exec_path} {
  /{usr/,}bin/{,ba,da}sh                  rix,
  /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]*  rix,
  /{usr/,}bin/cpp                         rix,
-  /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
+  /{usr/,}lib{,32,64}/gcc/@{multiarch}/[0-9]*/cc1 rix,
  /{usr/,}lib/llvm-[0-9]*/bin/clang       rix,

  /usr/include/stdc-predef.h r,
@ -30,8 +30,9 @@ profile xrdb @{exec_path} {
  owner @{user_config_dirs}/Xresources/.Xresources r,
  owner @{user_config_dirs}/Xresources/* r,

-  owner /tmp/xauth-[0-9]*-_[0-9] r,
  owner /tmp/kcminit.* r,
+  owner /tmp/runtime-cb/xauth_?????? r,
+  owner /tmp/xauth-[0-9]*-_[0-9] r,

  # file_inherit
  owner /dev/tty[0-9]* rw,