From 619aa709f1040e96a6212df5fc66b2b44428e1f8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 18 Sep 2024 17:06:04 +0100
Subject: [PATCH] feat(abs): add iceauth to X-strict.
---
 apparmor.d/abstractions/X-strict | 1 +
 apparmor.d/abstractions/app/firefox | 1 -
 apparmor.d/groups/akonadi/akonadi_control | 2 --
 apparmor.d/groups/freedesktop/polkit-kde-authentication-agent | 2 --
 apparmor.d/groups/freedesktop/pulseaudio | 1 -
 apparmor.d/groups/kde/DiscoverNotifier | 2 --
 apparmor.d/groups/kde/gmenudbusmenuproxy | 2 --
 apparmor.d/groups/kde/kalendarac | 2 --
 apparmor.d/groups/kde/konsole | 2 --
 apparmor.d/groups/kde/kwalletd | 2 --
 apparmor.d/groups/kde/okular | 1 -
 apparmor.d/groups/kde/plasmashell | 1 -
 apparmor.d/groups/kde/xembedsniproxy | 2 --
 apparmor.d/groups/kde/xwaylandvideobridge | 2 --
 14 files changed, 1 insertion(+), 22 deletions(-)
diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict
index 0998bbb44..6a29d1764 100644
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@@ -24,6 +24,7 @@
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland
  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
+ owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/ICEauthority r,
  owner @{run}/user/@{uid}/X11/Xauthority r,
  owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 7eb223b09..55ff461aa 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -105,7 +105,6 @@
  owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
  @{run}/mount/utab r,
diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control
index f21b968d2..f3b9a0811 100644
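Review bot: Each profile trimmed in the deletion hunks below (firefox through xwaylandvideobridge) keeps read access to `@{run}/user/@{uid}/iceauth_@{rand6}` only if it includes abstractions/X-strict, directly or through an abstraction that does; none of those hunks show the include lines, so this is worth confirming per profile, otherwise the move becomes a regression that only surfaces as a DENIED entry in the log. In the other direction, every consumer of X-strict now inherits this rule, which fits the adjacent ICEauthority line but slightly widens profiles that never needed it; a one-line note on that trade-off in the commit message would help later readers. The rest of the X-strict rule list is outside this hunk.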
--- a/apparmor.d/groups/akonadi/akonadi_control
+++ b/apparmor.d/groups/akonadi/akonadi_control
@@ -30,8 +30,6 @@ profile akonadi_control @{exec_path} {
  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,
  owner @{user_share_dirs}/akonadi/{,**} rwl,
-
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  /dev/tty r,
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 3a04356f5..821468193 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -47,8 +47,6 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
  owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
  # owner /tmp/xauth_@{rand6} r,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  /dev/shm/#@{int} rw,
  @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 029d7d4ad..e4a563755 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -93,7 +93,6 @@ profile pulseaudio @{exec_path} {
  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
  owner @{run}/user/@{uid}/ rw,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/pulse/ rw,
  owner @{run}/user/@{uid}/pulse/** rwk,
  owner @{run}/user/@{uid}/systemd/notify rw,
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index 227f4e062..8c0fc8d20 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -59,8 +59,6 @@ profile DiscoverNotifier @{exec_path} {
  owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw,
  owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  /dev/tty r,
  profile gpg {
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy
index d1e48f849..c1a63931e 100644
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@@ -25,8 +25,6 @@ profile gmenudbusmenuproxy @{exec_path} {
  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  include if exists
 }
diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac
index 471812c7c..e6a57f985 100644
--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@@ -36,8 +36,6 @@ profile kalendarac @{exec_path} {
  owner @{user_config_dirs}/kalendaracrc.lock rwk,
  owner @{user_config_dirs}/kmail2rc r,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  /dev/tty r,
  include if exists
diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole
index c6cfa9587..28b5d2650 100644
--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@@ -80,8 +80,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/konsole.@{rand6} rw,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd
index 2b2545b33..5005dde31 100644
--- a/apparmor.d/groups/kde/kwalletd
+++ b/apparmor.d/groups/kde/kwalletd
@@ -43,8 +43,6 @@ profile kwalletd @{exec_path} {
  owner @{tmp}/kwalletd5.* rw,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
index 775491bdd..40f9de33e 100644
--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@@ -89,7 +89,6 @@ profile okular @{exec_path} {
  owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
  owner @{run}/user/@{uid}/#@{int} rw,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
  owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index f3f37b6fd..e583c26bc 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -189,7 +189,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  @{run}/user/@{uid}/gvfs/ r,
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/kdesud_:@{int} w,
  owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy
index 57e32b960..a4474a64a 100644
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@@ -20,8 +20,6 @@ profile xembedsniproxy @{exec_path} {
  owner @{tmp}/xauth_@{rand6} r,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  @{run}/user/@{uid}/xauth_@{rand6} rl,
  include if exists
diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge
index f5139eb13..0f6aeb48a 100644
--- a/apparmor.d/groups/kde/xwaylandvideobridge
+++ b/apparmor.d/groups/kde/xwaylandvideobridge
@@ -20,8 +20,6 @@ profile xwaylandvideobridge @{exec_path} {
  owner @{user_cache_dirs}/xwaylandvideobridge/ rw,
  owner @{user_cache_dirs}/xwaylandvideobridge/** rwk,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
-
  include if exists
 }