feat(profile): improve gnome programs.

2025-07-06 21:58:20 +02:00 · 2025-07-06 21:58:20 +02:00 · 4f2abda92f
commit 4f2abda92f
parent f56163afb1
5 changed files with 15 additions and 3 deletions
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@ -29,6 +29,7 @@ profile epiphany-search-provider @{exec_path} {
  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,

  owner @{user_cache_dirs}/epiphany/{,**} rwk,
+  owner @{user_config_dirs}/epiphany/{,**} rw,
  owner @{user_share_dirs}/epiphany/{,**} rwk,

  owner @{tmp}/ContentRuleList-@{rand6} rw,
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@ -16,6 +16,7 @@ profile gnome-extension-gsconnect @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
@ -29,6 +30,8 @@ profile gnome-extension-gsconnect @{exec_path} {
  network inet6 stream,
  network netlink raw,

+  #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect
+
  @{exec_path} mr,

  @{sh_path}          rix,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -173,6 +173,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{bin}/sensors                rPx,
  @{bin}/tecla                  rPx,
  @{bin}/Xwayland               rPx,
+  @{bin}/nvidia-smi             rPx, # FIXME; for extension only
+  @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx,
  @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
  @{lib}/mutter-x11-frames      rPx,
  #aa:exec polkit-agent-helper
@ -227,6 +229,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
  owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{gdm_cache_dirs}/libgweather/ r,
+  owner @{gdm_cache_dirs}/nvidia/GLCache/ rw,
+  owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_config_dirs}/ibus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/ rw,
@ -234,11 +238,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{gdm_config_dirs}/pulse/ rw,
  owner @{gdm_config_dirs}/pulse/client.conf r,
  owner @{gdm_config_dirs}/pulse/cookie rwk,
+  owner @{gdm_local_dirs}/ w,
+  owner @{gdm_share_dirs}/ w,
  owner @{gdm_share_dirs}/applications/{,**} r,
  owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
  owner @{gdm_share_dirs}/icc/ rw,
-  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
  owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,
+  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,

  owner @{HOME}/.face r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
@ -263,7 +269,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/dbus-1/services/ r,
-  owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw,
+  owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw,
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
@ -271,7 +277,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
-  owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w,
+  owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w,

  owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@ -15,6 +15,7 @@ profile gnome-text-editor @{exec_path} {
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>

+  #aa:dbus own bus=session name=org.gnome.TextEditor
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -70,6 +70,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/media@{int} r,