feat(profile): general update.
This commit is contained in:
parent
e44b0613c7
commit
65d0cfafe4
54 changed files with 169 additions and 107 deletions
|
|
@ -20,7 +20,7 @@ profile deja-dup-monitor @{exec_path} {
|
|||
network netlink raw,
|
||||
|
||||
#aa:dbus own bus=session name=org.gnome.DejaDup.Monitor
|
||||
#aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup interface=org.gtk.Actions
|
||||
#aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
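Review bot: Of the two `#aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup` directives only one carries `interface=org.gtk.Actions`, and the rendered diff does not mark which side is new, so it is not clear whether the commit narrows or widens what deja-dup-monitor may exchange with deja-dup. If the interface qualifier is the one being dropped, the directive presumably expands to every interface the name-derived glob covers instead of the single GAction interface a monitor needs to trigger a backup, which is a wider grant than the monitor's job requires. A one-line comment on the directive, e.g. `# monitor only invokes GActions on deja-dup; keep interface= unless more is needed`, would make the intent reviewable. The `dbus send bus=system path=/org/freedesktop/NetworkManager` rule at the end of the hunk continues outside it, so its member/peer scoping could not be checked here.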
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/authentication>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.Accounts>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability audit_write,
|
||||
|
|
@ -46,16 +45,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={*Session,CreateSessionWithPIDFD}
|
||||
peer=(name=org.freedesktop.login1, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
|
||||
interface=org.freedesktop.Accounts.User
|
||||
member=SetLanguage
|
||||
peer=(name=:*, label=accounts-daemon),
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/gnome-keyring-daemon rPx,
|
||||
|
|
@ -99,6 +95,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/keyring/control rw,
|
||||
|
||||
@{run}/gdm{3,}/custom.conf r,
|
||||
@{run}/gdm{3,}/dbus/dbus-@{rand8} r,
|
||||
owner @{run}/gdm{3,}/dbus/ w,
|
||||
owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
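Review bot: The explicit `dbus send ... path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetLanguage peer=(name=:*, label=accounts-daemon)` rule appears to be replaced by `#aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon`, which drops the member scoping for a process that runs as root during PAM authentication; if accounts-daemon exposes further methods on that interface (password or account changes being the obvious candidates), a compromised session worker gains them. Note also that `org.freedesktop.Accounts.User` is the interface name rather than a bus name accounts-daemon owns, so if the directive derives the peer's well-known name and object path from `name=`, the generated send rule may not match the real `/org/freedesktop/Accounts/User@{uid}` path at all; the old rule matched on `peer=(name=:*, ...)` for exactly that reason. Keeping the member-scoped send, or adding a comment stating which members are needed, would be the least-privilege choice. The `member={*Session,CreateSessionWithPIDFD}` glob on the login1 rule also matches `KillSession`, `TerminateSession` and `LockSession`; if only session creation and release are used, `member={CreateSession,CreateSessionWithPIDFD,ReleaseSession}` is tighter. Which lines are old and which new is inferred from the hunk counts, not from visible markers.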
|
||||
|
||||
|
|
|
|||
|
|
@ -10,7 +10,13 @@ include <tunables/global>
|
|||
profile gnome-clocks @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/common/gnome>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
#aa:dbus own bus=session name=org.gnome.clocks
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -14,12 +14,15 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/thumbnails-cache-write>
|
||||
|
||||
network inet dgram,
|
||||
|
|
@ -33,10 +36,19 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
|
||||
|
||||
dbus bus=accessibility,
|
||||
dbus bus=session,
|
||||
dbus bus=system,
|
||||
|
||||
#aa:dbus own bus=session name=org.gnome.Settings
|
||||
|
||||
#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
|
||||
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
|
||||
#aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
|
||||
#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
|
||||
#aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/@{shells} rUx,
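Review bot: The bare `dbus bus=accessibility,`, `dbus bus=session,` and `dbus bus=system,` rules grant unrestricted send, receive and bind on all three buses, which makes every `#aa:dbus own`/`#aa:dbus talk` directive listed under them (org.gnome.Settings, org.gnome.Mutter, org.freedesktop.hostname1, NetworkManager, UPower, ...) redundant and leaves this profile's D-Bus mediation effectively off. The rendered diff does not show whether those three lines are added by this commit or pre-existing context, but either way the fine-grained directives only take effect once the bare rules are removed. If the blanket rules are a stopgap while the full set of peers is collected, a comment such as `# TODO: drop the bare dbus rules once all peers are enumerated` would record that; `@{bin}/@{shells} rUx` further down also hands an unconfined shell to anything that can drive this process. The enclosing profile continues outside the hunk.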
|
||||
|
|
|
|||
|
|
@ -21,9 +21,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
|||
|
||||
/usr/share/pixmaps/{,**} r,
|
||||
|
||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
include if exists <local/gnome-control-center-print-renderer>
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gnome-disk-image-mounter @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/gnome-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -50,10 +50,15 @@ profile gnome-initial-setup @{exec_path} {
|
|||
/etc/security/pwquality.conf.d/{,**} r,
|
||||
/etc/timezone r,
|
||||
|
||||
/etc/gdm{,3}/custom.conf r,
|
||||
|
||||
/var/log/installer/telemetry r, #aa:only ubuntu
|
||||
|
||||
owner @{GDM_HOME}/greeter-dconf-defaults r,
|
||||
|
||||
owner @{user_cache_dirs}/ubuntu-report/ w,
|
||||
owner @{user_cache_dirs}/ubuntu-report/pending w,
|
||||
#aa:only ubuntu
|
||||
owner @{user_cache_dirs}/ubuntu-report/ rw,
|
||||
owner @{user_cache_dirs}/ubuntu-report/* rw,
|
||||
|
||||
owner @{user_config_dirs}/gnome-initial-setup-done w,
|
||||
owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw,
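Review bot: `owner @{GDM_HOME}/greeter-dconf-defaults r,` pairs the `owner` qualifier with a file under GDM's home; if gnome-initial-setup runs its greeter-side session under a uid different from the one that owns that file, the rule denies the read and the unqualified form `@{GDM_HOME}/greeter-dconf-defaults r,` is needed (the hunk cannot show which uid the binary runs as, so this is a point to verify rather than a confirmed bug). The ubuntu-report rules also appear to move from `pending w` to `@{user_cache_dirs}/ubuntu-report/* rw,` under the `#aa:only ubuntu` marker, which is a harmless widening confined to the user's own cache. Old versus new side is inferred from the hunk counts, not from visible markers.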
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile gnome-remote-desktop-daemon @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
|
|
|
|||
|
|
@ -111,6 +111,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
profile open {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app-launcher-user>
|
||||
|
||||
@{lib}/gio-launch-desktop mr,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
|
||||
|
|
|
|||
|
|
@ -89,6 +89,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
# Talk with gnome-shell
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
|
||||
#aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind
|
||||
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
|
||||
|
||||
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
|
||||
|
|
@ -111,23 +112,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
member={RegisterWithCapabilities,Unregister}
|
||||
peer=(name=:*, label=NetworkManager),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=Can*
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
dbus send bus=system path=/org/freedesktop/login1/user/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
|
||||
|
|
@ -333,16 +317,23 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
@{sys}/class/input/ r,
|
||||
@{sys}/class/net/ r,
|
||||
@{sys}/class/power_supply/ r,
|
||||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
@{sys}/devices/@{pci}/input@{int}/{properties,name} r,
|
||||
@{sys}/devices/@{pci}/net/*/statistics/collisions r,
|
||||
@{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
|
||||
@{sys}/devices/**/power_supply/{,**} r,
|
||||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
@{sys}/devices/@{pci}/input@{int}/{properties,name} r,
|
||||
@{sys}/devices/@{pci}/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||
@{sys}/devices/platform/**/input@{int}/{properties,name} r,
|
||||
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
|
||||
@{sys}/devices/virtual/net/*/statistics/collisions r,
|
||||
@{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
|
||||
@{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
|
||||
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
|
|
@ -360,6 +351,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
|
||||
@{PROC}/vmstat r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
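Review bot: `#aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind` uses the interface name where the sibling directives (`org.freedesktop.ColorManager`, `org.gnome.DisplayManager`) use the bus name; systemd-logind owns `org.freedesktop.login1`, and if the directive derives the object path and the peer's well-known name from `name=` the generated rules would target `/org/freedesktop/login1/Manager` and a name nobody owns. The explicit rules removed in the following hunk covered `/org/freedesktop/login1`, `/org/freedesktop/login1/seat/seat@{int}` and `/org/freedesktop/login1/user/*` with `peer=(name=:*, label=systemd-logind)`, so unless the directive is more lenient than its input suggests, gnome-shell loses the `Can*`, `GetAll` and `PropertiesChanged` traffic with logind that those rules allowed; `#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind` is the form that matches the other entries. This is worth confirming against the directive's expansion before relying on the replacement. The enclosing profile and its later hunks (sysfs and proc reads) continue outside the visible lines.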
|
||||
|
|
|
|||
|
|
@ -93,6 +93,7 @@ profile gnome-software @{exec_path} {
|
|||
owner @{run}/user/@{uid}/.dbus-proxy/ rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/system-bus-proxy-@{rand6} rw,
|
||||
owner @{run}/user/@{uid}/.flatpak-cache rw,
|
||||
owner @{run}/user/@{uid}/.flatpak/{,**} rwl,
|
||||
owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} {
|
|||
ptrace (read) peer=htop,
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
#aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions
|
||||
#aa:dbus own bus=session name=org.gnome.Terminal
|
||||
|
||||
dbus receive bus=session path=/org/gnome/Terminal/SearchProvider
|
||||
interface=org.gnome.Shell.SearchProvider2
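Review bot: One of the two `#aa:dbus own bus=session name=org.gnome.Terminal` directives carries `interface=org.gtk.Actions` and the other does not, and the rendered diff does not mark which one is new. Depending on how the directive expands without `interface=` (to every interface, or to a glob derived from the name such as `org.gnome.Terminal{,.*}`), dropping the qualifier either widens the receive side to all interfaces from any peer or stops covering the `org.gtk.Actions`/`org.gtk.Application` interfaces the gnome-terminal client actually drives; neither outcome is obvious from the line itself. A comment recording which interfaces clients use, or keeping `interface=org.gtk.{Application,Actions}` as the nautilus profile in this same commit does, would make the rule self-explaining. The `ptrace (read) peer=unconfined,` above it is unchanged context but is a wide grant for a terminal server.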
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ profile goa-daemon @{exec_path} {
|
|||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
|||
|
|
@ -28,6 +28,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/ r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
||||
@{sys}/fs/cgroup/user.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
|
||||
|
|
@ -35,6 +37,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
# mqueue r type=posix /,
|
||||
|
||||
#aa:dbus own bus=session name=org.gnome.Nautilus
|
||||
#aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions}
|
||||
#aa:dbus own bus=session name=org.freedesktop.FileManager1
|
||||
|
||||
#aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
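Review bot: This section and the gnome-terminal-server one in the same commit each pair an `#aa:dbus own` directive with and without an `interface=` qualifier (`#aa:dbus own bus=session name=org.gnome.Nautilus` next to `#aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions}`), and without visible +/- markers it cannot be told which way each goes; whichever it is, one profile ends up limiting its owned name to the GApplication/GAction interfaces and the other may not, so the convention should be stated once. A comment such as `# own the name but only the GApplication/GAction interfaces; org.freedesktop.FileManager1 is owned in full below` would keep the next edit aligned with whichever form is intended. The commented-out `# mqueue r type=posix /,` line would also benefit from a note on why it is disabled.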
|
||||
|
|
|
|||
|
|
@ -47,7 +47,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
|
||||
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/ladspa/rdf/{,**} r,
|
||||
/usr/share/osinfo/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
/usr/share/tracker3-miners/{,**} r,
|
||||
/usr/share/tracker3/{,**} r,
|
||||
|
|
|
|||