Update profile from #25 (2).

2022-02-09 19:35:18 +00:00 · 2022-02-09 19:35:18 +00:00 · 810985a0cd
commit 810985a0cd
parent 2f77653cba
38 changed files with 103 additions and 37 deletions
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -24,7 +24,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /{usr/,}lib/gdm-session-worker rPx,
+  /{usr/,}bin/plymouth            rPUx,
+  /{usr/,}lib/gdm-session-worker  rPx,

  /usr/share/gdm/gdm.schemas r,
  /usr/share/wayland-sessions/*.desktop r,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -22,6 +22,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  capability setgid,
  capability setuid,
  capability sys_nice,
+  capability sys_resource,
  capability sys_tty_config,

  signal (receive) set=term peer=gdm,
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@ -33,8 +33,9 @@ profile gdm-wayland-session @{exec_path} {
  /{usr/,}bin/flatpak             rPUx,
  /{usr/,}lib/gnome-session-binary rPx,

-  /etc/shells r,
  /etc/gdm/custom.conf r,
+  /etc/machine-id r,
+  /etc/shells r,

  /usr/share/gdm/gdm.schemas r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -25,6 +25,9 @@ profile gnome-control-center-print-renderer @{exec_path} {
  /usr/share/pixmaps/{,**} r,
  /usr/share/X11/xkb/** r,

+  /var/lib/flatpak/exports/share/icons/{,**} r,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
+
  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
  owner @{user_share_dirs}/icons/{,**} r,

--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -34,15 +34,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {

  /{usr/,}bin/aa-notify                                    rPx,
  /{usr/,}bin/blueman-applet                               rPx,
+  /{usr/,}bin/firewall-applet                             rPUx,
  /{usr/,}bin/gnome-keyring-daemon                         rPx,
  /{usr/,}bin/gnome-shell                                  rPx,
+  /{usr/,}bin/pkcs11-register                              rPx,
+  /{usr/,}bin/start-pulseaudio-x11                         rPx,
  /{usr/,}bin/xbrlapi                                      rPx,
  /{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
  /{usr/,}lib/gsd-*                                        rPx,

-  /{usr/,}bin/pkcs11-register                              rPx,
-  /{usr/,}bin/start-pulseaudio-x11                         rPx,
-
  /usr/share/applications/org.gnome.Shell.desktop r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -68,7 +68,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
  /var/lib/gdm/.config/pulse/ r,
  /var/lib/gdm/.config/pulse/client.conf r,
-  /var/lib/gdm/.config/pulse/cookie rw,
+  /var/lib/gdm/.config/pulse/cookie rwk,
  /var/lib/gdm/.local/share/applications/{,**} r,
  /var/lib/gdm/.local/share/gnome-shell/ rw,

@ -106,6 +106,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,

+  /var/lib/flatpak/app/**/gnome-shell/{,**} r,
+  /var/lib/flatpak/exports/share/gnome-shell/{,**} r,
+
  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat[0-9]* r,
  @{run}/systemd/sessions/ r,
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -30,6 +30,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/pixmaps/{,**} r,

+  /etc/machine-id r,
+
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include <abstractions/dconf>
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -25,6 +25,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {

  /var/lib/gdm/.local/share/icc/ rw,
  /var/lib/gdm/.local/share/icc/edid-*.icc rw,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,

  owner @{run}/user/@{uid}/gdm/Xauthority r,

--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -20,6 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /{usr/,}lib/gsd-printer rPx,

+  /etc/machine-id r,
+
  owner @{PROC}/@{pid}/fd/ r,

  owner /dev/tty[0-9]* rw,