feat(profile): general update.

2023-11-26 21:24:40 +00:00 · 2023-11-26 21:24:40 +00:00 · 8250e202a0
commit 8250e202a0
parent 4b61abf7ce
37 changed files with 67 additions and 53 deletions
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -15,8 +15,9 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/X-strict>

-  signal (receive) set=(term hup)      peer=gdm*,
+  signal (receive) set=(term hup kill) peer=@{systemd},
  signal (receive) set=(term hup kill) peer=dbus-daemon,
+  signal (receive) set=(term hup kill) peer=gdm*,

  dbus bind bus=accessibility name=org.a11y.atspi.Registry,

--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -50,6 +50,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {

  /usr/share/pipewire/pipewire*.conf r,

+  /etc/gnutls/config r,
  /etc/pipewire/client.conf r,
  /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
  /etc/pipewire/pipewire.conf r,
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -15,6 +15,7 @@ profile pipewire-media-session @{exec_path} {
  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
+  include <abstractions/video>

  network bluetooth raw,
  network bluetooth seqpacket,
@ -62,9 +63,7 @@ profile pipewire-media-session @{exec_path} {

  @{run}/systemd/users/@{uid} r,

-  @{sys}/class/video4linux/ r,
  @{sys}/devices/**/sound/**/uevent r,
-  @{sys}/devices/pci[0-9]*/**/modalias r,
  @{sys}/devices/pci[0-9]*/**/sound/**/pcm_class r,
  @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
  @{sys}/devices/system/node/ r,
@ -72,7 +71,6 @@ profile pipewire-media-session @{exec_path} {

  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

-  /dev/video@{int} rw,
  /dev/snd/ r,

  include if exists <local/pipewire-media-session>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -134,6 +134,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {

  /usr/share/X11/xkb/{,**} r,

+  /etc/gnutls/config r,
+
  /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
  /var/lib/snapd/desktop/icons/{,**} r,

--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -53,7 +53,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/flatpak         rCx -> flatpak,
+  @{bin}/flatpak         rPUx,
  @{bin}/fusermount{,3}  rCx -> fusermount,

  / r,
@ -72,27 +72,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  # file inherit
  owner /dev/tty@{int} rw,

-  profile flatpak {
-    include <abstractions/base>
-
-    @{bin}/flatpak mr,
-
-    / r,
-    /etc/flatpak/remotes.d/{,*} r,
-
-    /var/lib/flatpak/{,**} rw,
-
-    owner @{user_cache_dirs}/flatpak/{,**} r,
-    owner @{user_config_dirs}/user-dirs.dirs r,
-    owner @{user_share_dirs}/flatpak/{,**} r,
-
-    @{PROC}/sys/kernel/random/boot_id r,
-
-    /dev/tty rw,
-
-    include if exists <local/xdg-document-portal_flatpak>
-  }
-
  profile fusermount {
    include <abstractions/base>
    include <abstractions/nameservice-strict>