freedesktop

2023-02-25 18:44:21 +00:00 · 2023-02-25 18:44:21 +00:00 · 8c0e0a9de1
commit 8c0e0a9de1
parent 491d2176a8
90 changed files with 48 additions and 137 deletions
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -20,9 +20,11 @@ profile evolution-alarm-notify @{exec_path} {
  @{exec_path} mr,

  /usr/share/evolution-data-server/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/ubuntu/applications/ r,
  /usr/share/{,zoneinfo-}icu/{,**} r,

+  # freedesktop.org-strict
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/*ubuntu/applications/ r,
+
  include if exists <local/evolution-alarm-notify>
 }
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -23,7 +23,6 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/gio-launch-desktop rix,

  # System files
-  /etc/gnome/defaults.list r,
  /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,

  # User files
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -82,7 +82,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /usr/share/dconf/profile/gdm r,
  /usr/share/egl/{,**} r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/icu/{,**} r,
  /usr/share/X11/xkb/** r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -87,13 +87,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /usr/share/language-tools/language2locale           rix,

  /snap/*/[0-9]*/**.png r,
-  /usr/share/*ubuntu/applications/{,*} r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/cups/data/testprint r,
  /usr/share/desktop-base/**.{xml,png,svg} r,
  /usr/share/egl/{,**} r,
  /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-background-properties/{,**} r,
  /usr/share/gnome-bluetooth{-*,}/{,**} r,
  /usr/share/gnome-color-manager/{,**} r,
@ -108,6 +106,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
  /usr/share/zoneinfo/{,**} r,

+  # freedesktop.org-strict
+  /usr/share/*ubuntu/applications/{,**} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
  /etc/cups/client.conf r,
  /etc/machine-info r,
  /etc/pipewire/client.conf.d/ r,
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@ -21,16 +21,12 @@ profile gnome-control-center-search-provider @{exec_path} {

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/ubuntu/applications/{,**} r,
  /usr/share/X11/xkb/{,**} r,

-  /etc/gnome/defaults.list r,
-
  /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,

  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

  include if exists <local/gnome-control-center-search-provider>
-}
+}
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@ -16,7 +16,6 @@ profile gnome-disk-image-mounter @{exec_path} {

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/{,**} r,

  # Allow to mount user files
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -148,14 +148,10 @@ profile gnome-extension-ding @{exec_path} {
  /{usr/,}bin/gnome-control-center  rPx,
  /{usr/,}bin/nautilus              rPx,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
  /usr/share/thumbnailers/{,*.thumbnailer} r,
-  /usr/share/ubuntu/applications/{,**} r,
  /usr/share/X11/{,**} r,

-  /etc/gnome/defaults.list r,
-
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@ -35,7 +35,6 @@ profile gnome-extension-manager @{exec_path} {
  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/org.gnome.Shell.Extensions r,
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@ -25,7 +25,6 @@ profile gnome-extensions-app @{exec_path} {
  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/gjs-console rix,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/org.gnome.Extensions* r,
  /usr/share/icu/{,**} r,
  /usr/share/terminfo/x/xterm-256color r,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -15,6 +15,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
+  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/vulkan>
@ -183,20 +184,14 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  @{libexec}/gsd-disk-utility-notify                       rPx,
  @{libexec}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,

-  /usr/share/applications/{,**} r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/gdm/greeter/autostart/{,*.desktop} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/glvnd/egl_vendor.d/ r,
  /usr/share/gnome-session/hardware-compatibility r,
  /usr/share/gnome-session/sessions/*.session r,
  /usr/share/gnome/autostart/{,*.desktop} r,
-  /usr/share/icons/{,**} r,
-  /usr/share/mime/mime.cache r,
-  /usr/share/*ubuntu/applications/{,*.desktop} r,
-  /usr/share/*ubuntu/applications/mimeinfo.cache r,
  /usr/share/X11/xkb/{,**} r,
  /usr/share/session-migration/scripts/{,*} r,

@ -223,15 +218,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/gnome-session/saved-session/ rw,
  owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
  owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,
-  owner @{user_config_dirs}/mimeapps.list r,
-  owner @{user_config_dirs}/user-dirs.dirs r,
  owner @{user_config_dirs}/user-dirs.locale r,
-  owner @{user_share_dirs}/applications/ r,
-  owner @{user_share_dirs}/applications/defaults.list r,
-  owner @{user_share_dirs}/applications/mimeapps.list r,
-  owner @{user_share_dirs}/applications/mimeinfo.cache r,
  owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
-  owner @{user_share_dirs}/mime/mime.cache r,
  owner @{user_share_dirs}/session_migration-ubuntu r,

        @{run}/systemd/inhibit/[0-9]*.ref rw,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -487,7 +487,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /opt/*/**/*.png r,
  /snap/*/@{uid}/**.png r,
  /usr/share/{,zoneinfo-}icu/{,**} r,
-  /usr/share/*ubuntu/applications/{,*.desktop} r,
  /usr/share/app-info/icons/{,**} r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/dconf/profile/gdm r,
@ -499,7 +498,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/libdrm/*.ids r,
  /usr/share/libgweather/Locations.xml r,
@ -513,6 +511,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
  /usr/share/gnome-packagekit/icons/hicolor/{,**} r,

+  # freedesktop.org-strict
+  /usr/share/*ubuntu/applications/{,**} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
  /.flatpak-info r,
  /etc/fstab r,
  /etc/udev/hwdb.bin r,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -44,7 +44,6 @@ profile gnome-software @{exec_path} {

  /usr/share/app-info/{,**} r,
  /usr/share/appdata/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/metainfo/{,**} r,
  /usr/share/swcatalog/xml/{,**} r,
  /usr/share/X11/xkb/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -28,10 +28,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {

  /{usr/,}bin/pkexec rPx,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-system-monitor/{,**} r,
+
+  # freedesktop.org-strict
  /usr/share/pixmaps/{,**} r,
-  /usr/share/ubuntu/applications/{,**} r,
+  /usr/share/*ubuntu/applications/{,**} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /etc/machine-id r,

--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -36,7 +36,6 @@ profile gnome-terminal-server @{exec_path} {
  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
  /{usr/,}lib/gio-launch-desktop                          rPx -> child-open,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/icu/{,**} r,
  /usr/share/X11/xkb/{,**} r,

--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -162,7 +162,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/icons/{,**} r,
  /usr/share/mime/mime.cache r,
  /usr/share/sounds/freedesktop/stereo/*.oga r,
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@ -96,14 +96,16 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
  /usr/share/libwacom/{,*} r,
-  /usr/share/mime/mime.cache r,
  /usr/share/X11/xkb/** r,

  /etc/machine-id r,

+  # freedesktop.org-strict
+  /usr/share/icons/{,**} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/mime/mime.cache r,
+
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,
  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -42,8 +42,9 @@ profile seahorse @{exec_path} {
  /{usr/,}bin/gpg{,2}  rUx,
  /{usr/,}bin/gpgsm    rPx,

+  # freedesktop.org-strict
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/ubuntu/applications/ r,
+  /usr/share/*ubuntu/applications/ r,

  /etc/pki/trust/blocklist/ r,
  /etc/gcrypt/hwf.deny r,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -67,7 +67,6 @@ profile tracker-extract @{exec_path} {
  @{exec_path} mr,

  /usr/share/dconf/profile/gdm r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/hwdata/*.ids r,
  /usr/share/ladspa/rdf/{,**} r,
  /usr/share/mime/mime.cache r,
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -80,7 +80,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
  /usr/share/tracker3-miners/{,**} r,
  /usr/share/tracker3/{,**} r,