From 6c46d0a103c0cd9035a208644e4a8aabc1e83ccb Mon Sep 17 00:00:00 2001 From: nobodysu Date: Thu, 6 Oct 2022 01:47:19 +0300 Subject: [PATCH] pre-cleanup --- apparmor.d/groups/apt/apt | 4 ++-- apparmor.d/groups/avahi/avahi-daemon | 2 +- apparmor.d/groups/bus/dbus-daemon | 22 +++++++++---------- apparmor.d/groups/bus/dbus-run-session | 6 ++--- apparmor.d/groups/bus/ibus-extension-gtk3 | 6 +---- apparmor.d/groups/bus/ibus-x11 | 6 +++-- .../groups/freedesktop/pipewire-media-session | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 6 +---- apparmor.d/groups/freedesktop/xorg | 18 +++++++-------- apparmor.d/groups/gnome/gdm | 6 ++--- apparmor.d/groups/gnome/gdm-xsession | 2 +- .../gnome/gnome-control-center-print-renderer | 6 +---- apparmor.d/groups/gnome/gnome-session-binary | 6 +---- apparmor.d/groups/gnome/gnome-session-ctl | 7 +----- apparmor.d/groups/gnome/gnome-shell | 6 +---- apparmor.d/groups/gnome/gsd-color | 6 +---- apparmor.d/groups/gnome/gsd-keyboard | 6 +---- apparmor.d/groups/gnome/gsd-power | 6 +---- apparmor.d/groups/gnome/gsd-wacom | 6 +---- apparmor.d/groups/gnome/tracker-extract | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/gvfs/gvfsd | 2 +- apparmor.d/groups/systemd/systemd-resolved | 2 +- apparmor.d/groups/systemd/systemd-sleep | 8 +------ apparmor.d/groups/ubuntu/release-upgrade-motd | 2 +- apparmor.d/profiles-s-z/setpriv | 16 +------------- apparmor.d/profiles-s-z/spice-vdagent | 6 +---- apparmor.d/profiles-s-z/udisksd | 2 +- 28 files changed, 54 insertions(+), 117 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 15f8a1325..a4b243205 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -155,7 +155,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, - profile editor { + profile editor flags=(complain) { include include 
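Review bot: The `profile editor` child is switched to `flags=(complain)` with no comment saying why, so a later reader cannot tell a deliberate debugging step from a forgotten one; this child is what `apt` hands interactive editors to, and editors commonly offer shell escapes, which in complain mode are only logged rather than blocked. Please put a one-line reason above the flag, e.g. `# complain: collecting denials for the editor child, revert before release`, or state in the commit message that the child is meant to stay permissive. The enclosing `profile apt` block starts and ends outside this hunk.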
@@ -197,7 +197,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { } - profile dpkg-source { + profile dpkg-source flags=(complain) { include include include diff --git a/apparmor.d/groups/avahi/avahi-daemon b/apparmor.d/groups/avahi/avahi-daemon index 89703b5ab..f49e33a20 100644 --- a/apparmor.d/groups/avahi/avahi-daemon +++ b/apparmor.d/groups/avahi/avahi-daemon @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/avahi-daemon -profile avahi-daemon @{exec_path} { +profile avahi-daemon @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 385152a85..f72ff9b37 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/dbus-daemon -profile dbus-daemon @{exec_path} flags=(attach_disconnected complain) { +profile dbus-daemon @{exec_path} flags=(attach_disconnected) { include include include 
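Review bot: `profile dpkg-source` is moved to `flags=(complain)` without a rationale, and this is presumably the child that runs dpkg-source on archives fetched by `apt source`, i.e. attacker-influenced input, so its file rules are now audited instead of enforced. If this is temporary while denials are collected, a comment such as `# complain: pending denial collection for dpkg-source` above the line keeps it from being shipped by accident. The enclosing `profile apt` block starts and ends outside this hunk.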
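Review bot: `avahi-daemon` goes from enforce to `flags=(complain)` with no comment, and since this daemon listens on the network for mDNS, complain mode leaves a network-exposed service effectively unconfined apart from logging. The commit title `pre-cleanup` suggests this is transitional, but that intent should live in the profile itself: `# complain: temporary, re-enable enforce once denials are resolved` or similar. The rest of the profile body is outside this hunk.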
@@ -21,18 +21,18 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected complain) { capability setuid, capability sys_resource, -# signal (receive) set=(term hup kill) peer=at-spi-bus-launcher, -# signal (receive) set=(term hup kill) peer=dbus-run-session, -# signal (receive) set=(term hup kill) peer=gdm*, -# signal (send) set=(term hup kill) peer=at-spi-bus-launcher, -# signal (send) set=(term hup kill) peer=at-spi2-registryd, -# signal (send) set=(term hup kill) peer=dconf-service, -# signal (send) set=(term hup kill) peer=xdg-permission-store, + signal (receive) set=(term hup kill) peer=at-spi-bus-launcher, + signal (receive) set=(term hup kill) peer=dbus-run-session, + signal (receive) set=(term hup kill) peer=gdm*, + signal (send) set=(term hup kill) peer=at-spi-bus-launcher, + signal (send) set=(term hup kill) peer=at-spi2-registryd, + signal (send) set=(term hup kill) peer=dconf-service, + signal (send) set=(term hup kill) peer=xdg-permission-store, -# network netlink raw, + network netlink raw, -# network bluetooth stream, -# network bluetooth seqpacket, + network bluetooth stream, + network bluetooth seqpacket, ptrace (read), diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index 97093592e..c353e9575 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session @@ -12,14 +12,14 @@ profile dbus-run-session @{exec_path} { include signal (receive) set=(term, kill, hup) peer=gdm*, - signal (send) set=term peer=dbus-daemon, + signal (send) set=term peer=dbus-daemon, @{exec_path} mr, - /{usr/,}bin/gnome-session rix, - /{usr/,}bin/gsettings rix, /{usr/,}bin/dbus-daemon rPx, + /{usr/,}bin/gnome-session rix, /{usr/,}bin/gnome-shell rPx, + /{usr/,}bin/gsettings rix, @{libexec}/gnome-session-binary rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index ff67d01a0..3d9f42fca 100644 
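Review bot: The newly enabled `network bluetooth stream,` and `network bluetooth seqpacket,` rules look out of place for `dbus-daemon`, which brokers messages over unix sockets and has no Bluetooth role of its own; if they were copied from audit entries, the denials may belong to a process that inherited this label rather than to the bus itself. Because the same commit puts this profile into enforce mode, I would drop the two bluetooth lines (and `network netlink raw,` unless a denial is reproducible) or add a comment naming the scenario that needs them, e.g. `# bluetooth: seen when <component> runs under this label`. Note also that `peer=gdm*` on the receive rule matches any present or future profile whose name starts with gdm, not only the display manager. The `profile dbus-daemon` block continues past this hunk.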
--- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -11,6 +11,7 @@ include profile ibus-extension-gtk3 @{exec_path} { include include + include include include include @@ -26,11 +27,6 @@ profile ibus-extension-gtk3 @{exec_path} { network inet6 stream, network netlink raw, - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,RequestName,ReleaseName,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 7ea427c4e..5d37385c2 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -48,10 +48,12 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, + /var/lib/gdm{3,}/.config/ibus/bus/ r, + /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index c52bc5f34..8876c138c 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/pipewire-media-session -profile pipewire-media-session @{exec_path} flags=(complain ) { +profile pipewire-media-session @{exec_path} { include include include 
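Review bot: The removed accessibility-bus rule was tightly scoped to `path=/org/freedesktop/DBus`, five named members and `peer=(name=org.freedesktop.DBus, label=dbus-daemon)`, and it is replaced by an `include` whose target is stripped from this rendering, so I cannot confirm the abstraction is equally narrow. If the abstraction grants `dbus send bus=accessibility` without path or member restrictions, this hunk widens what `ibus-extension-gtk3` may do on the a11y bus; a comment beside the include naming its scope, e.g. `# a11y bus bootstrap only (Hello/RequestName/AddMatch)`, would make that reviewable. The `profile ibus-extension-gtk3` block continues past this hunk.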
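Review bot: The two new socket-file rules end in `-[0-9]`, so they match only X/Wayland display numbers 0 through 9; on a host with a tenth display (`:10`) ibus-x11 would be denied its bus file while the directory rule still matches. Splitting the directory and file patterns is an improvement, but the display component should be `-[0-9]*` or the project's integer tunable if one exists, e.g. `/var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix{,-wayland}-[0-9]* r,` and the matching `owner @{user_config_dirs}/ibus/bus/...` line. The `profile ibus-x11` block starts before and ends after this hunk.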
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 690515ae0..70afe9b0e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -12,6 +12,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include + include include include include @@ -28,11 +29,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 55e84ac2d..144dd1088 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -11,7 +11,7 @@ include @{exec_path} += /{usr/,}bin/Xorg @{exec_path} += /{usr/,}lib/Xorg{,.wrap} @{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} -profile xorg @{exec_path} flags=(attach_disconnected complain) { +profile xorg @{exec_path} flags=(attach_disconnected) { include include include 
@@ -32,17 +32,17 @@ profile xorg @{exec_path} flags=(attach_disconnected complain) { # deny capability sys_nice, #capability sys_tty_config, -# signal (send) set=(usr1), + signal (send) set=(usr1), -# signal (receive) peer=lightdm, -# signal (receive) peer=sddm, -# signal (receive) peer=xinit, -# signal (receive) set=term peer=gdm{,-x-session}, + signal (receive) peer=lightdm, + signal (receive) peer=sddm, + signal (receive) peer=xinit, + signal (receive) set=term peer=gdm{,-x-session}, -# unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*, -# unix (send, receive, accept) type=stream addr=@/tmp/.X11-unix/*, # all peers + unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*, + unix (send, receive, accept) type=stream addr=@/tmp/.X11-unix/*, # all peers -# network netlink raw, + network netlink raw, dbus send bus=system path=/org/freedesktop/login[0-9]{,/session/*} interface=org.freedesktop.{DBus.Properties,login[0-9].Session,login[0-9]*.Manager} diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index d642d5802..721afb844 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -65,11 +65,11 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}{s,}prime-switch rPUx, + /{usr/,}{s,}bin/prime-switch rPUx, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/plymouth rPUx, + /{usr/,}bin/plymouth rPx, /etc/gdm{3,}/PrimeOff/Default rix, - @{libexec}/gdm-session-worker rPUx, + @{libexec}/gdm-session-worker rPx, /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index f9a1c94e5..1f7e336eb 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -56,7 +56,7 @@ profile gdm-xsession @{exec_path} { # file_inherit /dev/tty[0-9]* rw, - profile dbus flags=(complain) { + profile dbus { include /{usr/,}bin/dbus-update-activation-environment mr, 
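Review bot: `signal (send) set=(usr1),` is enabled with no `peer=`, so the X server may deliver SIGUSR1 to any process, while the receive rules right below it are pinned to `lightdm`, `sddm`, `xinit` and `gdm{,-x-session}`. Xorg's convention is to send SIGUSR1 to its parent to report readiness, so the send rule can be narrowed to the same display managers, e.g. `signal (send) set=(usr1) peer={lightdm,sddm,xinit,gdm*,gdm-x-session},` (adjust to the profile names used in this tree; the hunk already uses `{,}` alternation in `peer=gdm{,-x-session}`). The unrestricted `unix (send, receive, accept)` rule is expected for an X server and carries its `# all peers` note; `network netlink raw,` deserves a similar one-line reason now that the profile enforces. The `profile xorg` block starts before and ends after this hunk.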
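Review bot: `/{usr/,}bin/plymouth` and `@{libexec}/gdm-session-worker` now transition with `rPx` instead of `rPUx`, which removes the unconfined fallback: if a `plymouth` or `gdm-session-worker` profile is not loaded on the target system, the exec is denied and the display manager fails to start instead of running the child unconfined. That is the right fail-closed choice for `gdm-session-worker` (the PAM helper, as far as I know), but it couples this profile to the presence of those two profiles, so it should be tested on a system with only a subset of this package installed, or the dependency recorded: `# requires the plymouth and gdm-session-worker profiles to be loaded`. The `profile gdm` block starts before and ends after this hunk.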
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 28a2f0321..2221d06f5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -10,6 +10,7 @@ include profile gnome-control-center-print-renderer @{exec_path} { include include + include include include include @@ -20,11 +21,6 @@ profile gnome-control-center-print-renderer @{exec_path} { include include - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index e10208589..0a3310d01 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -11,6 +11,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -35,11 +36,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { member={RequestName,ReleaseName,UpdateActivationEnvironment,GetConnectionUnixUser,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus label=dbus-daemon), - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=Hello - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member={CanPowerOff,GetSession,PowerOff,Inhibit,Reboot} diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index 608c00245..221ca00e0 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl 
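Review bot: The removed accessibility-bus rule for `gnome-session-binary` allowed exactly one member, `Hello`, towards `org.freedesktop.DBus` with `label=dbus-daemon`; it is replaced by an `include` whose target is stripped from this rendering, and any shared a11y-bus abstraction will almost certainly permit more than `Hello` (AddMatch, RequestName, or unrestricted send). A wider grant may be acceptable for the session leader, but the deliberate narrowing the original rule expressed is lost silently; a short comment on the include, e.g. `# a11y bus; wider than the previous Hello-only rule`, would preserve that decision for the next reviewer. The `profile gnome-session-binary` block starts before and ends after this hunk.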
@@ -9,11 +9,7 @@ include @{exec_path} = @{libexec}/gnome-session-ctl profile gnome-session-ctl @{exec_path} { include - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=Hello - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + include dbus send bus=session path=/org/freedesktop/systemd[0-9]* interface=org.freedesktop.systemd[0-9]*.Manager @@ -29,7 +25,6 @@ profile gnome-session-ctl @{exec_path} { @{exec_path} mr, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gnome-session-leader-fifo r, @{run}/user/@{uid}/systemd/notify rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index e875a59e1..ed54a7094 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -14,6 +14,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -48,11 +49,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=xwayland), unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon), - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames peer=(name=org.freedesktop.DBus label=dbus-daemon), diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index eac978521..db2fbd336 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -11,6 +11,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
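Review bot: Dropping `owner @{run}/user/@{uid}/bus rw,` makes `gnome-session-ctl` depend on the `include` added in the first hunk of this file for its session-bus socket, and that include's name is not visible here. If it is a non-strict session-bus abstraction that also grants `dbus (send, receive) bus=session` wholesale, the explicit `dbus send bus=session path=/org/freedesktop/systemd[0-9]*` rules kept in this profile become redundant and the bus is no longer mediated; if it is a strict variant that only opens the socket and `Hello`, the change is equivalent to what was removed. Please confirm which one applies and, if the abstraction name does not already say so, add `# session bus: socket + Hello only` beside the include. The `profile gnome-session-ctl` block continues past this hunk.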
@@ -18,11 +19,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index e9c409367..21dbae623 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -11,6 +11,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -18,11 +19,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index f9a721eaf..f0b796caf 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -12,6 +12,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -21,11 +22,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} 
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index a6d386c91..ee545b608 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -11,6 +11,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -18,11 +19,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 7ab9958ce..308ddf3f4 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/tracker-extract-3 -profile tracker-extract @{exec_path} flags=(complain) { +profile tracker-extract @{exec_path} { include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 3a7273b66..71ceb0723 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3 -profile tracker-miner @{exec_path} flags=(attach_disconnected complain) { +profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 1857d56b1..76bb346f0 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd 
@@ -15,7 +15,7 @@ profile gvfsd @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=RequestName + member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), dbus send bus=session path=/org/gtk/vfs/mounttracker diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 300ba5425..6a56b59ea 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -39,7 +39,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9]* interface=org.freedesktop.login[0-9]*.Manager - member=PrepareForSleep + member={PrepareForSleep,PrepareForShutdown} peer=(name=:*, label=systemd-logind), dbus bind bus=system diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index ce5940d38..f32b0a908 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -10,19 +10,13 @@ include profile systemd-sleep @{exec_path} { include include + include include capability net_admin, capability sys_admin, capability sys_resource, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=Hello - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - @{run}/dbus/system_bus_socket rw, - @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index a17da1532..6a113965a 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd -profile release-upgrade-motd @{exec_path} flags=(complain) { +profile release-upgrade-motd @{exec_path} { include @{exec_path} mr, 
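Review bot: The explicit `dbus send bus=system ... member=Hello` rule and `@{run}/dbus/system_bus_socket rw,` in `systemd-sleep` are replaced by an `include` whose target is not visible in this rendering; this helper runs with `capability sys_admin,` and `capability net_admin,`, so if the abstraction is a non-strict system-bus one that also grants `dbus (send, receive) bus=system`, a root process gains the ability to call any system service over the bus rather than merely connect. Please verify the include is the strict socket-plus-Hello variant, and keep a comment such as `# system bus: connect/Hello only` next to it so the narrowing survives future cleanups. The `profile systemd-sleep` block continues past this hunk.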
diff --git a/apparmor.d/profiles-s-z/setpriv b/apparmor.d/profiles-s-z/setpriv index d6c62f969..9621c284c 100644 --- a/apparmor.d/profiles-s-z/setpriv +++ b/apparmor.d/profiles-s-z/setpriv @@ -7,28 +7,14 @@ abi , include @{exec_path} = /{usr/,}bin/setpriv -profile setpriv @{exec_path} flags=(complain) { +profile setpriv @{exec_path} { include include - capability setuid, - capability setgid, - @{exec_path} mr, /{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}{s,}bin/[a-z0-9]* rPUx, - /etc/gdm{3,}/greeter.dconf-defaults r, - - /usr/share/gdm/dconf/{,**} r, - - /var/lib/gdm{3,}/ r, - /var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw, - - @{PROC}/uptime r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/@{pids}/cmdline r, - include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index d78d57420..0402b79c3 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -11,15 +11,11 @@ profile spice-vdagent @{exec_path} { include include include + include include include include - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 72252d20f..207a6fb21 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -66,7 +66,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9]* interface=org.freedesktop.login[0-9]*.Manager - member=PrepareForSleep + member={PrepareForSleep,PrepareForShutdown} peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
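Review bot: Removing `capability setuid,` and `capability setgid,` while switching `setpriv` to enforce mode will, as far as I can tell, deny the uid/gid changes that are the program's purpose whenever it is started as root with `--reuid`/`--regid`, since a privileged process needs CAP_SETUID/CAP_SETGID for those calls and AppArmor mediates them. The gdm-specific paths removed in the same hunk suggest the `setpriv --reuid gdm ... dconf` use case was moved to another profile, but nothing in this diff shows where, so if that invocation still lands under this profile it now fails closed. Either keep the two capability lines with `# needed for --reuid/--regid when invoked as root` or point in a comment to the profile that covers that call. Note also that `/{usr/,}bin/[a-z0-9]* rPUx,` and `/{usr/,}{s,}bin/[a-z0-9]* rPUx,` remain unrestricted, so after the exec this profile relies entirely on the target's own profile for confinement.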