felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): add some missing dbus, MOUNTS and dconf rules.

Browse source
This commit is contained in:
Alexandre Pujol 2022-06-13 21:38:14 +01:00
parent 50a18aac08
commit 6898bac12f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
14 changed files with 20 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/gnome/gdm-x-session
View file

@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{libexec}/gdm-x-session
profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
signal (receive) set=term peer=gdm{,-session-worker},
# signal (send) set=term peer=unconfined,

2
apparmor.d/groups/gnome/gnome-control-center-print-renderer
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-control-center-print-renderer
profile gnome-control-center-print-renderer @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
@ -34,6 +35,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
owner @{user_share_dirs}/icons/{,**} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,

2
apparmor.d/groups/gnome/gnome-disk-image-mounter
View file

@ -21,7 +21,7 @@ profile gnome-disk-image-mounter @{exec_path} {
# Allow to mount user files
owner @{HOME}/{,**} r,
owner @{MOUNTS}/*/{,**} r,
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/groups/gnome/gnome-music
View file

@ -39,7 +39,7 @@ profile gnome-music @{exec_path} {
/etc/machine-id r,
owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r,
owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r,
owner @{user_cache_dirs}/gnome-music/{,**} rwk,
owner @{user_cache_dirs}/media-art/album-*.jpeg rw,

2
apparmor.d/groups/gnome/gnome-photos-thumbnailer
View file

@ -16,7 +16,7 @@ profile gnome-photos-thumbnailer @{exec_path} {
/usr/share/mime/mime.cache r,
owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r,
owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r,
owner @{user_cache_dirs}/babl/{,**} r,
owner @{user_cache_dirs}/gegl-*/{,**} r,

1
apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
View file

@ -14,7 +14,6 @@ profile gnome-shell-hotplug-sniffer @{exec_path} {
/usr/share/mime/mime.cache r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/**/ r,
owner @{MOUNTS}/** r,

5
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -9,7 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-system-monitor
profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/gnome>
include <abstractions/nameservice-strict>
@ -35,8 +36,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/doc/ rw,
@{run}/systemd/sessions/* r,

2
apparmor.d/groups/gnome/tracker-extract
View file

@ -40,7 +40,7 @@ profile tracker-extract @{exec_path} {
# Allow to search user files
owner @{HOME}/{,**} r,
owner @{MOUNTS}/*/{,**} r,
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner /tmp/tracker-extract-3-files.*/{,*} rw,

2
apparmor.d/groups/gnome/tracker-miner
View file

@ -44,7 +44,7 @@ profile tracker-miner @{exec_path} {
# Allow to search user files
owner @{HOME}/{,**} r,
owner @{MOUNTS}/*/{,**} r,
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner @{user_config_dirs}/tracker3/{,**} rwk,