feat(profile): use the new audio-client abs in profiles.

2024-03-12 15:44:40 +00:00 · 2024-03-12 15:44:40 +00:00 · 81b9de3aff
commit 81b9de3aff
parent e4c0f683d2
11 changed files with 53 additions and 154 deletions
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@ -9,12 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/mozilla/kmozillahelper
 profile firefox-kmozillahelper @{exec_path} {
  include <abstractions/base>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/audio-client>
+  include <abstractions/desktop>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5-settings-write>
-  include <abstractions/qt5>
  include <abstractions/recent-documents-write>
  include <abstractions/thumbnails-cache-read>

@ -29,10 +28,7 @@ profile firefox-kmozillahelper @{exec_path} {
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/knotifications{5,6}/*.notifyrc r,
  /usr/share/kservices{5,6}/{,**} r,
-  /usr/share/sounds/{,**} r,

-  /etc/pulse/client.conf r,
-  /etc/pulse/client.conf.d/{,*} r,
  /etc/xdg/kdeglobals r,
  /etc/xdg/kwinrc r,
  /etc/xdg/menus/ r,
@ -51,10 +47,8 @@ profile firefox-kmozillahelper @{exec_path} {
  owner @{user_config_dirs}/kmozillahelperrc r,
  owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl,
  owner @{user_config_dirs}/kwinrc r,
-  owner @{user_config_dirs}/pulse/cookie rk,

  owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl,
-  owner @{run}/user/@{uid}/pulse/ r,
  owner @{run}/user/@{uid}/xauth_@{rand6} rl,

  @{run}/udev/data/+usb:* r,              # For /dev/bus/usb/**
--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@ -9,9 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/kalendarac
 profile kalendarac @{exec_path} {
  include <abstractions/base>
+  include <abstractions/audio-client>
  include <abstractions/graphics>
-  include <abstractions/nameservice-strict>
  include <abstractions/kde-strict>
+  include <abstractions/nameservice-strict>

  @{exec_path} mr,

@ -20,11 +21,8 @@ profile kalendarac @{exec_path} {
  /usr/share/akonadi/firstrun/{,*} r,
  /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
  /usr/share/knotifications{5,6}/{,**} r,
-  /usr/share/sounds/{,**} r,

  /etc/machine-id r,
-  /etc/pulse/client.conf r,
-  /etc/pulse/client.conf.d/{,**} r,

  owner @{user_cache_dirs}/icon-cache.kcache rw,

@ -37,9 +35,6 @@ profile kalendarac @{exec_path} {
  owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
  owner @{user_config_dirs}/kalendaracrc.lock rwk,
  owner @{user_config_dirs}/kmail2rc r,
-  owner @{user_config_dirs}/pulse/cookie rk,
-
-  owner @{run}/user/@{uid}/pulse/ r,

  @{PROC}/sys/kernel/core_pattern r,

--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/plasma-discover
 profile plasma-discover @{exec_path} {
  include <abstractions/base>
+  include <abstractions/audio-client>
  include <abstractions/dconf-write>
  include <abstractions/graphics>
  include <abstractions/kde-strict>
@ -46,7 +47,6 @@ profile plasma-discover @{exec_path} {
  /usr/share/kservices{5,6}/{,*} r,
  /usr/share/kservicetypes5/{,*} r,
  /usr/share/libdiscover/** r,
-  /usr/share/qt/translations/*.qm r,

  /etc/appstream.conf r,
  /etc/flatpak/remotes.d/{,**} r,
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -10,6 +10,7 @@ include <tunables/global>
 profile apport-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/apt-common>
+  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
@ -54,11 +55,8 @@ profile apport-gtk @{exec_path} {
  @{lib}/@{multiarch}/ld*.so*   rix,
  /usr/share/apport/root_info_wrapper rix,

-  /usr/share/alsa/{,**} r,
  /usr/share/apport/{,**} r,
  /usr/share/apport/general-hooks/*.py r,
-  /usr/share/themes/{,**} r,
-  /usr/share/X11/xkb/{,**} r,

  /etc/apport/{,**} r,
  /etc/bash_completion.d/apport_completion r,
@ -67,8 +65,6 @@ profile apport-gtk @{exec_path} {
  /etc/gtk-3.0/settings.ini r,
  /etc/init.d/apport r,
  /etc/logrotate.d/apport r,
-  /etc/pulse/client.conf r,
-  /etc/pulse/client.conf.d/{,**} r,
  /etc/xdg/autostart/*.desktop r,

  /var/crash/{,*.@{uid}.crash} rw,
@ -78,10 +74,7 @@ profile apport-gtk @{exec_path} {
  /var/lib/dpkg/info/*.md5sums r,
  /var/log/installer/media-info r,

-  owner @{user_config_dirs}/pulse/cookie rk,
-
-        @{run}/snapd.socket rw,
-  owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw,
+   @{run}/snapd.socket rw,

  /tmp/[a-z0-9]* rw,
  /tmp/apport_core_* rw,
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -10,6 +10,7 @@ include <tunables/global>
 profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
+  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
@ -59,8 +60,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  /usr/share/update-manager/{,**} r,

  /etc/gtk-3.0/settings.ini r,
-  /etc/pulse/client.conf r,
-  /etc/pulse/client.conf.d/{,**} r,
  /etc/ubuntu-advantage/uaclient.conf r,
  /etc/update-manager/{,**} r,

@ -74,11 +73,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {

  owner @{user_cache_dirs}/update-manager-core/{,**} rw,

-  owner @{user_config_dirs}/pulse/cookie rk,
-
-  owner @{run}/user/@{uid}/pulse/ r,
-  owner @{run}/user/@{uid}/pulse/native rw,
-
  @{run}/systemd/inhibit/*.ref w,

        @{PROC}/@{pids}/mountinfo r,
@ -86,7 +80,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/mounts r,

  /dev/ptmx rw,
-  /dev/shm/ r,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,