Profile update.

2022-03-27 14:25:29 +01:00 · 2022-03-27 14:25:29 +01:00 · a59387ac9e
commit a59387ac9e
parent 20c3b0575c
13 changed files with 49 additions and 42 deletions
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -28,10 +28,12 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=term peer=gdm,
  signal (send) set=hup peer=at-spi*,
  signal (send) set=hup peer=dbus-daemon,
+  signal (send) set=hup peer=dbus-run-session,
  signal (send) set=hup peer=gjs-console,
  signal (send) set=hup peer=gnome-*,
  signal (send) set=hup peer=gsd-*,
  signal (send) set=hup peer=ibus-*,
+  signal (send) set=hup peer=xorg,
  signal (send) set=hup peer=xwayland,
  signal (send) set=term peer=gdm-*-session,

--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gtk>
@ -49,43 +50,43 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
  /{usr/,}lib/gsd-*                                        rPx,

-  /usr/share/applications/org.gnome.Shell.desktop r,
+  /usr/share/applications//{,**} r,
  /usr/share/gdm/greeter-dconf-defaults r,
+  /usr/share/gdm/greeter/applications/{,**} r,
+  /usr/share/gdm/greeter/autostart/{,*.desktop} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/glvnd/egl_vendor.d/ r,
  /usr/share/gnome-session/hardware-compatibility r,
  /usr/share/gnome-session/sessions/*.session r,
  /usr/share/icons/{,**} r,
+  /usr/share/dconf/profile/gdm r,
+  /usr/share/mime/mime.cache r,
  /usr/share/X11/xkb/{,**} r,

+  /etc/xdg/autostart/{,*.desktop} r,
+
+  /var/lib/gdm/.config/dconf/user r,
  /var/lib/gdm/.cache/mesa_shader_cache/index rw,
  /var/lib/gdm/.config/gnome-session/ rw,
  /var/lib/gdm/.config/gnome-session/saved-session/ rw,
+  /var/lib/gdm/.local/share/applications/{,**} r,

+  /var/lib/flatpak/exports/share/applications/{,**} r,
+
+  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
+  owner @{user_config_dirs}/autostart/{,*.desktop} r,
  owner @{user_config_dirs}/gnome-session/ rw,
  owner @{user_config_dirs}/gnome-session/saved-session/ rw,
  owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
  owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,
-
-  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
-
-  # Users xdg
+  owner @{user_config_dirs}/mimeapps.list r,
  owner @{user_config_dirs}/user-dirs.dirs r,
  owner @{user_config_dirs}/user-dirs.locale r,
+  owner @{user_share_dirs}/applications/ r,

-  # Autostart
-  /etc/xdg/autostart/{,*.desktop} r,
-  /usr/share/gdm/greeter/autostart/{,*.desktop} r,
-  owner @{user_config_dirs}/autostart/{,*.desktop} r,
-
-  # Dconf
-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
-  /usr/share/dconf/profile/gdm r,
-  /var/lib/gdm/.config/dconf/user r,

-  # Temp files
  /tmp/.ICE-unix/[0-9]* rw,

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/tracker-extract-3
 profile tracker-extract @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
+  include <abstractions/disks-read>
  include <abstractions/fonts>
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
@ -31,18 +33,15 @@ profile tracker-extract @{exec_path} {

  /etc/libva.conf r,

-  owner /tmp/tracker-extract-3-files.*/{,*} rw,
-  owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
-  owner @{user_share_dirs}/gvfs-metadata/** r,
-
  # Allow to search user files
  owner @{HOME}/{,**} r,
  owner @{MOUNTS}/*/{,**} r,
  owner /tmp/*/{,**} r,

-  owner @{PROC}/@{pid}/fd/ r,
-
-  include <abstractions/dconf>
+  owner /tmp/tracker-extract-3-files.*/{,*} rw,
+  owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
+  owner @{user_share_dirs}/gvfs-metadata/** r,
+  
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

@ -50,6 +49,10 @@ profile tracker-extract @{exec_path} {
  @{run}/udev/data/c236:* r,
  @{run}/udev/data/c50[0-9]:[0-9]* r,
  @{run}/udev/data/c51[0-9]:[0-9]* r,
+  @{run}/mount/utab r,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,

  /dev/dri/renderD128 rw,
  /dev/media[0-9]* r,
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
  include <abstractions/base>
-  include <abstractions/private-files>
+  include <abstractions/disks-read>
  include <abstractions/private-files-strict>
+  include <abstractions/private-files>

  @{exec_path} mr,