Unbreak Debian 11 and partially Ubuntu 22.04 (Wayland+GDM+Gnome) (#81)
* Unbreaking Debian 11 and partially Ubuntu 22.04 * pre-cleanup * pre-cleanup2 * Update im-launch * Update gnome-extension-ding * polishing * not yet * Update ubuntu.flags Allow GDM to boot. `No new privs` fix. * Update debian.flags Allow GDM to boot. `No new privs` fix. * Update CONTRIBUTING.md * fixes * reverting w * move setpriv to main.flags
This commit is contained in:
parent
bdcaa040fe
commit
643a84997e
110 changed files with 3157 additions and 182 deletions
|
|
@ -44,15 +44,22 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/language-tools/language-validate rPx,
|
||||
/{usr/,}bin/cat rix,
|
||||
|
||||
/{usr/,}{s,}bin/adduser rPx,
|
||||
/{usr/,}{s,}bin/usermod rPx,
|
||||
/{usr/,}{s,}bin/userdel rPx,
|
||||
/{usr/,}bin/passwd rPx,
|
||||
/{usr/,}bin/chage rPx,
|
||||
/usr/share/language-tools/language-validate rPx,
|
||||
|
||||
/usr/share/accountsservice/{,**} r,
|
||||
/usr/share/dbus-1/interfaces/*.xml r,
|
||||
|
||||
/etc/default/locale r,
|
||||
/etc/gdm{3,}/ r,
|
||||
/etc/gdm{3,}/custom.conf rw,
|
||||
/etc/gdm{3,}/custom.conf.* rw,
|
||||
/etc/gdm{3,}/daemon.conf{,.??????} rw,
|
||||
/etc/gdm{3,}/custom.conf{,.??????} rw,
|
||||
/etc/machine-id r,
|
||||
/etc/shadow r,
|
||||
/etc/shells r,
|
||||
|
|
@ -62,10 +69,18 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{HOME}/ r,
|
||||
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid rw,
|
||||
@{PROC}/@{pids}/loginuid r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
# wtmp.d ?
|
||||
/var/log/wtmp r,
|
||||
|
||||
owner /tmp/gnome-control-center-user-icon-?????? rw,
|
||||
|
||||
include if exists <local/accounts-daemon>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,6 +20,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term hup kill) peer=gnome-session-binary,
|
||||
signal (send) set=(term hup kill) peer=dbus-daemon,
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
|
|
@ -39,6 +41,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/var/lib/lightdm/.Xauthority r,
|
||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
/var/log/lightdm/seat[0-9]*-greeter.log w,
|
||||
|
||||
|
|
|
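Review bot: The X11 socket rule added in the first hunk pins `label=xorg`, but on the Wayland+GDM setup this commit targets the `@/tmp/.X11-unix/*` abstract socket is presumably held by Xwayland, which the same commit treats as its own label elsewhere (xkbcomp gets `peer=(label=xwayland)`, xdg-desktop-portal-gtk pins `label=gnome-shell` for the same address), so at-spi-bus-launcher may still be denied there; the identical rule added to xhost has the same gap. If the logs show both, `peer=(addr=@/tmp/.X11-unix/*, label="{xorg,xwayland}")` covers them while keeping the peer pinned. The address is also written unquoted here while the gtk portal and xkbcomp rules quote it (`addr="@/tmp/.X11-unix/*"`); the repo should settle on one form.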
|||
|
|
@ -12,9 +12,74 @@ include <tunables/global>
|
|||
profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
signal (receive) set=(term hup kill) peer=dbus-daemon,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=accessibility path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member=RegisterClient
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member={ClientAdded,ClientRemoved,SessionRunning}
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Set
|
||||
peer=(name=:*, label="{gnome-extension-ding,gnome-control-center}"),
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=:*, label="{gnome-extension-ding,gnome-control-center,spice-vdagent}"),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=EventListenerDeregistered
|
||||
peer=(name=org.freedesktop.DBus), # all peer's labels
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=GetRegisteredEvents
|
||||
peer=(name=:*, label=gnome-control-center),
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
||||
peer=(name=:*, label="{gnome-control-center,xdg-desktop-portal-*}"),
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=GetAddress
|
||||
peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=accessibility
|
||||
name=org.a11y.atspi.Registry,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
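Review bot: The `dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell),` block added here is repeated verbatim in dconf-service, pipewire, pipewire-media-session, xdg-desktop-portal and xdg-desktop-portal-gnome in this commit, and with `path={/,/org}` in xdg-document-portal and xdg-permission-store; a shared abstraction (name to be chosen, e.g. `abstractions/dbus-introspect-gnome-shell`) would keep the pinned peer in one place instead of eight. Also `signal (receive) set=(term hup) peer=gdm*,` is printed twice in this hunk; if both copies are on the new side one is redundant, and if one is the old line with a whitespace-only change nothing needs doing.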
|||
|
|
@ -17,20 +17,32 @@ profile colord @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
|
||||
interface=org.freedesktop.{DBus.Properties,ColorManager*},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
|
||||
interface=org.freedesktop.ColorManager*,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member=CheckAuthorization,
|
||||
member=CheckAuthorization
|
||||
peer=(name=:*, label=polkitd),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member=Changed
|
||||
peer=(name=:*, label=polkitd),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label="{gsd-color,polkitd}"),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/ColorManager{,/devices/*}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label="{gsd-color,colord-sane,gnome-control-center}"),
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.ColorManager,
|
||||
|
|
|
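Review bot: The rewritten PolicyKit `GetAll` send now carries `peer=(name=:*, label="{gsd-color,polkitd}")`, but `/org/freedesktop/PolicyKit[0-9]/Authority` is an object only polkitd serves, so the `gsd-color` label looks like a mis-attributed log line rather than a real peer; unless a denial with that label was actually reproduced, `peer=(name=:*, label=polkitd),` is the tighter rule. Separately, the new receive for `org.freedesktop.DBus.Properties` `GetAll` is limited to `path=/org/freedesktop/ColorManager{,/devices/*}`, whereas the old combined rule it replaces matched `{,/**}`; if clients also query other objects under that tree (profiles, for instance) those calls will now be denied, which is worth checking in the logs before merging.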
|||
|
|
@ -12,13 +12,19 @@ profile dconf @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/dconf-write>
|
||||
|
||||
capability sys_nice,
|
||||
capability dac_override,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/dconf/db/** rw,
|
||||
|
||||
/usr/share/gdm/dconf/{,**} r,
|
||||
|
||||
/var/lib/gdm{3,}/ r,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw,
|
||||
|
||||
owner @{user_config_dirs}/dconf/ rw,
|
||||
owner @{user_config_dirs}/dconf/user{,.*} rw,
|
||||
|
||||
include if exists <local/dconf>
|
||||
}
|
||||
}
|
||||
|
|
|
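Review bot: `capability dac_override,` is added to the dconf profile without a comment saying what needs it, and it is by far the broadest grant in this hunk. From the neighbouring additions it is presumably about writing `/var/lib/gdm{3,}/greeter-dconf-defaults` into the gdm-owned directory while running as root, but that should be stated so the next reviewer can judge whether it is still required; e.g. put `# needed to write greeter-dconf-defaults into the gdm-owned /var/lib/gdm{3,}/ (see below)` above the line, or record the exact denial that triggered it.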
|||
|
|
@ -15,6 +15,29 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) set=(term kill hup) peer=dbus-daemon,
|
||||
signal (receive) set=(term hup) peer=gdm*,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/ca/desrt/dconf/Writer/user
|
||||
interface=ca.desrt.dconf.Writer
|
||||
member=Notify
|
||||
peer=(name=org.freedesktop.DBus), # all peer's labels
|
||||
|
||||
dbus receive bus=session path=/ca/desrt/dconf/Writer/user
|
||||
interface=ca.desrt.dconf.Writer
|
||||
member=Change
|
||||
peer=(name=:*, label=gnome-control-center),
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=ca.desrt.dconf,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{user_config_dirs}/dconf/ rw,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/geoclue
|
||||
profile geoclue @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
network netlink raw,
|
||||
|
|
@ -45,9 +47,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.Avahi.Server
|
||||
member=StateChanged,
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={AllForNow,CacheExhausted},
|
||||
member={AllForNow,CacheExhausted}
|
||||
peer=(name=:*, label=avahi-daemon),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
|
|
@ -69,4 +72,4 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/@{pids}/cgroup r,
|
||||
|
||||
include if exists <local/geoclue>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,6 +19,11 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=GetConnectionUnixProcessID
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
|
||||
interface=org.freedesktop.RealtimeKit[0-9]
|
||||
member=MakeThread*
|
||||
|
|
@ -29,6 +34,11 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
|
|||
member=Get
|
||||
peer=(name=org.freedesktop.RealtimeKit[0-9]),
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/pactl rPx,
|
||||
|
|
|
|||
|
|
@ -31,6 +31,11 @@ profile pipewire-media-session @{exec_path} {
|
|||
member=MakeThreadRealtime
|
||||
peer=(name=org.freedesktop.RealtimeKit1),
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/alsa-card-profile/{,**} r,
|
||||
|
|
|
|||
|
|
@ -109,7 +109,7 @@ profile pulseaudio @{exec_path} {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}@{libexec}/pulse/gsettings-helper mrix,
|
||||
@{libexec}/pulse/gsettings-helper mrix,
|
||||
/{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
|
||||
/{usr/,}lib/pulse-*/modules/*.so mr,
|
||||
|
||||
|
|
@ -138,7 +138,9 @@ profile pulseaudio @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/pulse/{,**} rw,
|
||||
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
|
||||
/var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
|
||||
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/ rw,
|
||||
owner @{run}/user/@{uid}/pulse/{,*} rw,
|
||||
|
|
|
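Review bot: The two new `/var/lib/gdm{3,}/.cache/gstreamer-1.0/...` rules in the second hunk are not `owner`-scoped, while the user-cache lines directly above them use `owner` and xwayland's equivalent gdm cache rule in this commit is written `owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,`; xorg's copy of that rule drops `owner` as well. If pulseaudio runs as the gdm user in the greeter session, `owner /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,` and `owner /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,` give the same access with the usual ownership check; if it runs as root there, a comment saying so would explain the difference.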
|||
|
|
@ -16,6 +16,11 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
|
||||
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,UPower*},
|
||||
|
||||
|
|
@ -27,14 +32,10 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.login[0-9].Manager
|
||||
member=Inhibit,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=RequestName
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login[0-9]
|
||||
interface=org.freedesktop.login[0-9].Manager
|
||||
member={SessionNew,SessionRemoved,PrepareForShutdown},
|
||||
member={UserNew,UserRemoved,SessionNew,SessionRemoved,PrepareForShutdown,PrepareForSleep}
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.UPower,
|
||||
|
|
|
|||
|
|
@ -22,6 +22,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName,GetConnectionUnixProcessID}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
|
@ -42,6 +47,59 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label="{gnome-shell,xdg-desktop-portal-*,gnome-keyring-daemon}"),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Background
|
||||
member=GetAppState
|
||||
peer=(name=:*, label=xdg-desktop-portal-*),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Background
|
||||
member=RunningApplicationsChanged
|
||||
peer=(name=:*, label=xdg-desktop-portal-*),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=SettingChanged
|
||||
peer=(name=org.freedesktop.DBus), # all peer's labels
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Settings
|
||||
member=SettingChanged
|
||||
peer=(name=:*, label=xdg-desktop-portal-*),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/documents
|
||||
interface=org.freedesktop.portal.Documents
|
||||
member=GetMountPoint
|
||||
peer=(name=:*, label=xdg-document-portal),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/freedesktop/portal/documents
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,PropertiesChanged}
|
||||
peer=(name=:*, label=xdg-document-portal),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=xdg-permission-store),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||
interface=org.freedesktop.impl.portal.PermissionStore
|
||||
member=Lookup
|
||||
peer=(name=:*, label=xdg-permission-store),
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.portal.Desktop,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
|
@ -74,4 +132,4 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
include if exists <local/xdg-desktop-portal>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,6 +20,11 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
include <abstractions/user-read>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
|
@ -32,6 +37,79 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
interface=org.freedesktop.Accounts.User
|
||||
member=Changed,
|
||||
|
||||
dbus send bus=session path=/org/gnome/Shell/Screenshot
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.gnome.Shell.Introspect
|
||||
member=GetRunningApplications
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.gnome.Shell.Introspect
|
||||
member={RunningApplicationsChanged,WindowsChanged}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Background
|
||||
member=RunningApplicationsChanged
|
||||
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Background
|
||||
member=GetAppState
|
||||
peer=(name=:*, label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Settings
|
||||
member=SettingChanged
|
||||
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
|
||||
interface=org.gnome.Mutter.DisplayConfig
|
||||
member=GetCurrentState
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
|
||||
interface=org.gnome.Mutter.DisplayConfig
|
||||
member=GetCurrentState
|
||||
peer=(name=:*, label=gsd-xsettings),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Mutter/ScreenCast
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Mutter/RemoteDesktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.impl.portal.desktop.gnome,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
|
@ -48,4 +126,4 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
include if exists <local/xdg-desktop-portal-gnome>
|
||||
}
|
||||
}
|
||||
|
|
|
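Review bot: `dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState peer=(name=:*, label=gsd-xsettings),` in the second hunk grants a receive on an object this portal presumably does not serve — the send rules in the same hunk address gnome-shell for that very path — so it looks like a log line attributed to the wrong profile, or a reply. Unless a denial was reproduced with xdg-desktop-portal-gnome as the receiver, dropping the rule keeps the profile from advertising an interface it does not implement.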
|||
|
|
@ -9,8 +9,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
|
||||
profile xdg-desktop-portal-gtk @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
|
|
@ -20,6 +22,13 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
include <abstractions/user-download>
|
||||
include <abstractions/user-write>
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
|
@ -40,6 +49,104 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus send bus=session path=/org/gtk/Settings
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gsd-xsettings),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member=RegisterClient
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager
|
||||
interface=org.gnome.SessionManager
|
||||
member={ClientAdded,ClientRemoved,SessionRunning}
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager{,/Client[0-9]*}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SessionManager/Client[0-9]*
|
||||
interface=org.gnome.SessionManager.ClientPrivate
|
||||
member=EndSessionResponse
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/SessionManager/Client[0-9]*
|
||||
interface=org.gnome.SessionManager.ClientPrivate
|
||||
member={EndSession,QueryEndSession,CancelEndSession,Stop}
|
||||
peer=(name=:*, label=gnome-session-binary),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.gnome.Shell.Introspect
|
||||
member={RunningApplicationsChanged,WindowsChanged}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
|
||||
interface=org.a11y.atspi.DeviceEventController
|
||||
member={GetKeystrokeListeners,GetDeviceEventListeners}
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=GetRegisteredEvents
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
dbus receive bus=accessibility path=/org/a11y/atspi/registry
|
||||
interface=org.a11y.atspi.Registry
|
||||
member=EventListenerDeregistered
|
||||
peer=(name=:*, label=at-spi2-registryd),
|
||||
|
||||
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry), # all peer's labels
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
member=GetAddress
|
||||
peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),
|
||||
|
||||
dbus send bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=ListMountableInfo
|
||||
peer=(name=:*, label=gvfsd),
|
||||
|
||||
dbus send bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gjs-console),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Shell/Introspect
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/gnome/ScreenSaver
|
||||
interface=org.gnome.ScreenSaver
|
||||
member=ActiveChanged
|
||||
peer=(name=:*, label=gjs-console),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.impl.portal.Settings
|
||||
member=SettingChanged
|
||||
peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=xdg-desktop-portal),
|
||||
|
||||
dbus send bus=session path=/org/gtk/Notifications
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.impl.portal.desktop.gtk,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
|
@ -58,4 +165,4 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
include if exists <local/xdg-desktop-portal-gtk>
|
||||
}
|
||||
}
|
||||
|
|
|
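Review bot: The three accessibility sends in the third hunk use `peer=(name=org.a11y.atspi.Registry), # all peer's labels`, but that well-known name is bound by at-spi2-registryd in this same commit (`dbus bind bus=accessibility name=org.a11y.atspi.Registry,`), and the receive rule in the same run already pins `label=at-spi2-registryd`. Writing the sends as `peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),` removes the all-labels exception without losing anything the logs showed.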
|||
|
|
@ -7,14 +7,48 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/xdg-document-portal
|
||||
profile xdg-document-portal @{exec_path} {
|
||||
profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
capability sys_nice,
|
||||
capability sys_resource,
|
||||
# capability sys_admin,
|
||||
|
||||
ptrace (read) peer=xdg-desktop-portal,
|
||||
|
||||
signal (receive) set=(term) peer=gdm,
|
||||
|
||||
unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=xdg-permission-store),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/documents
|
||||
interface=org.freedesktop.portal.Documents
|
||||
member=GetMountPoint
|
||||
peer=(name=:*, label="{snap,xdg-desktop-portal}"),
|
||||
|
||||
dbus receive bus=session path={/,/org}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/portal/documents
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=xdg-desktop-portal),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.portal.Documents,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/flatpak rCx -> flatpak,
|
||||
|
|
@ -33,6 +67,9 @@ profile xdg-document-portal @{exec_path} {
|
|||
|
||||
/dev/fuse rw,
|
||||
|
||||
# file inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
profile flatpak {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
@ -50,6 +87,8 @@ profile xdg-document-portal @{exec_path} {
|
|||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
include if exists <local/xdg-document-portal_flatpak>
|
||||
}
|
||||
|
||||
profile fusermount {
|
||||
|
|
@ -76,8 +115,12 @@ profile xdg-document-portal @{exec_path} {
|
|||
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
|
||||
owner @{run}/user/@{uid}/doc/ rw,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
include if exists <local/xdg-document-portal_fusermount>
|
||||
}
|
||||
|
||||
include if exists <local/xdg-document-portal>
|
||||
}
|
||||
}
|
||||
|
|
|
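Review bot: `signal (receive) set=(term) peer=gdm,` in the first hunk spells the display-manager peer as bare `gdm`, while the sibling profiles in this commit use `peer=gdm*` (at-spi2-registryd, dconf-service, xdg-permission-store) and xorg uses `gdm{,-x-session}`; if the signal comes from a differently named gdm profile the bare name will not match and it will still be denied. Either align on `peer=gdm*` or add a comment on why this one is exact. The commented-out `# capability sys_admin,` in the same hunk also carries no note on what was observed to need it, so a later reader cannot tell whether it is a leftover or a known gap.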
|||
|
|
@ -11,9 +11,39 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
capability sys_nice,
|
||||
|
||||
signal (receive) set=(term hup kill) peer=dbus-daemon,
|
||||
signal (receive) set=(term hup kill) peer=gdm*,
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label="{gnome-shell,xdg-document-portal}"),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||
interface=org.freedesktop.impl.portal.PermissionStore
|
||||
member=Lookup
|
||||
peer=(name=:*, label="{gnome-shell,xdg-desktop-portal}"),
|
||||
|
||||
dbus receive bus=session path={/,/org}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus receive bus=session path=/org/freedesktop/impl/portal/PermissionStore
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=xdg-desktop-portal),
|
||||
|
||||
dbus bind bus=session
|
||||
name=org.freedesktop.impl.portal.PermissionStore,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
|
||||
|
|
@ -21,8 +51,9 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/flatpak/db/ rw,
|
||||
owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
|
||||
owner @{user_share_dirs}/flatpak/db/background rw,
|
||||
owner @{user_share_dirs}/flatpak/db/notifications rw,
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/xdg-permission-store>
|
||||
}
|
||||
}
|
||||
|
|
|
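Review bot: `/dev/tty[0-9]* rw,` in the second hunk is added unscoped, whereas the equivalent rule added to xdg-document-portal in this commit is `owner /dev/tty[0-9]* rw,` under a `# file inherit` comment. Since the tty presumably only reaches the service as an inherited descriptor from the session, `owner /dev/tty[0-9]* rw,` with the same comment documents why the rule exists and keeps the ownership check.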
|||
|
|
@ -11,11 +11,15 @@ profile xhost @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
/tmp/.X11-unix/* rw,
|
||||
|
||||
# file_inherit
|
||||
/dev/tty[0-9]* rw,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
|
|||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
|
||||
unix (send,receive) type=stream addr=none peer=(label=xwayland),
|
||||
unix (send,receive) type=stream addr=@/tmp/.X11-unix/X[0-9]* peer=(label=gsd-xsettings),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -39,12 +39,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
signal (receive) peer=xinit,
|
||||
signal (receive) set=term peer=gdm{,-x-session},
|
||||
|
||||
unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*,
|
||||
unix (send, receive, accept) type=stream addr=@/tmp/.X11-unix/*, # all peers
|
||||
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*}
|
||||
interface=org.freedesktop.{DBus.Properties,login1.Session}
|
||||
dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*}
|
||||
interface=org.freedesktop.{DBus.Properties,login[0-9].Session,login[0-9]*.Manager}
|
||||
member={ReleaseControl,TakeControl,TakeDevice,ReleaseDevice,GetSessionByPID}
|
||||
peer=(name=org.freedesktop.login[0-9]),
|
||||
peer=(name=org.freedesktop.login[0-9], label=systemd-logind),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login[0-9]/session/*
|
||||
interface=org.freedesktop.login1.Session
|
||||
|
|
@ -79,8 +82,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
|
|||
owner /var/log/Xorg.[0-9].log{,.old} rw,
|
||||
owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
|
||||
|
||||
/var/lib/gdm{3,}/.local/share/xorg/ rw,
|
||||
/var/lib/gdm{3,}/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
|
||||
/var/lib/gdm{3,}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
|
||||
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||
|
||||
@{run}/nvidia-xdriver-* rw,
|
||||
@{run}/sddm/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -31,8 +31,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/fonts/X11/{,**} r,
|
||||
/usr/share/X11/xkb/rules/evdev r,
|
||||
|
||||
owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
|
||||
|
||||
owner /tmp/server-[0-9]*.xkm rwk,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
|
||||
owner @{run}/user/@{uid}/xwayland-shared-?????? rw,
|
||||
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
|
|
|
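Review bot: Only `index` is allowed under `/var/lib/gdm{3,}/.cache/mesa_shader_cache/`; Mesa's disk cache presumably also creates a `marker` file and per-hash subdirectories with temporary files, so with this rule alone the greeter's Xwayland will likely keep logging denials for those paths (the cache just stays cold, which is harmless). If those denials show up, `owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/{,**} rw,` covers the whole cache; xorg's unscoped copy of the same rule has the same limitation.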
|||