feat(profiles): general update.

2022-11-03 21:40:01 +00:00 · 2022-11-03 21:40:01 +00:00 · a90cdbe879
commit a90cdbe879
parent fabddee9d6
23 changed files with 97 additions and 35 deletions
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -82,6 +82,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {

  @{run}/faillock/[a-zA-z0-9]* rwk,
  @{run}/gdm{3,}/custom.conf r,
+  @{run}/motd.d/{,*} r,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/sessions/*.ref rw,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@ -14,10 +14,13 @@ profile gnome-extension-manager @{exec_path} {
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
+  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
+  include <abstractions/vulkan>

  network inet dgram,
  network inet6 dgram,
@ -29,9 +32,16 @@ profile gnome-extension-manager @{exec_path} {

  /{usr/,}bin/gjs-console rix,

+  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
+
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/org.gnome.Shell.Extensions r,
+  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,

+  # Silencer
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
  include if exists <local/gnome-extension-manager>
 }
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -11,15 +11,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/audio>
+  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome>
+  include <abstractions/gstreamer>
  include <abstractions/ibus>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
@ -29,6 +30,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
+  include <abstractions/video>
  include <abstractions/vulkan>
  include <abstractions/X-strict>

@ -511,13 +513,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /etc/xdg/menus/gnome-applications.menu r,

  /var/lib/gdm{3,}/.cache/ w,
+  /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
+  /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw,
+  /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+  /var/lib/gdm{3,}/.cache/libgweather/ r,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
-  /var/lib/gdm{3,}/.cache/libgweather/ r,
-  /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.config/ibus/ rw,
  /var/lib/gdm{3,}/.config/ibus/bus/ rw,
@ -527,6 +531,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/pulse/cookie rwk,
  /var/lib/gdm{3,}/.local/share/applications/{,**} r,
  /var/lib/gdm{3,}/.local/share/gnome-shell/ rw,
+  /var/lib/gdm{3,}/.local/share/icc/{,*} rw,
+
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

  /var/lib/AccountsService/icons/* r,
@ -553,6 +559,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+  owner @{user_share_dirs}/icc/{,*} rw,
  owner @{user_share_dirs}/sounds/__custom/index.theme r,

  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
@ -638,6 +645,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/kernel/osrelease r,

  /dev/input/event[0-9]* rw,
+  /dev/media[0-9]* rw,
  /dev/tty[0-9]* rw,

  include if exists <local/gnome-shell>
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -67,8 +67,9 @@ profile gnome-software @{exec_path} {
  /var/lib/PackageKit/prepared-update r,

  owner @{HOME}/.var/app/{,**/} r,
-  owner @{user_cache_dirs}/gnome-software/{,**} rw,
  owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw,
+  owner @{user_cache_dirs}/gnome-software/{,**} rw,
+  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/flatpak/repo/{,**} rw,

  /var/tmp/flatpak-cache-*/ rw,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -39,6 +39,8 @@ profile gnome-terminal-server @{exec_path} {

  /etc/shells r,

+  owner @{user_config_dirs}/*xdg-terminals.list* rw,
+
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -16,6 +16,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/trash>
+  include <abstractions/vulkan>

  dbus send bus=system path=/org/freedesktop/hostname[0-9]
       interface=org.freedesktop.DBus.Properties