feat(profiles): general update.

2023-12-12 18:29:08 +00:00 · 2023-12-12 18:29:08 +00:00 · ab9e1932da
commit ab9e1932da
parent 42ea537687
32 changed files with 102 additions and 75 deletions
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@ -14,7 +14,7 @@ profile epiphany-search-provider @{exec_path} {
  include <abstractions/dri-enumerate>
  include <abstractions/enchant>
  include <abstractions/fonts>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/nvidia>
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -16,6 +16,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@ -9,8 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-calendar
 profile gnome-calendar @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.GeoClue2>
+  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -28,6 +31,10 @@ profile gnome-calendar @{exec_path} {
  network netlink raw,

  dbus bind bus=session name=org.gnome.Calendar,
+  dbus (send, receive) bus=session path=/org/gnome/Calendar
+       interface=org.freedesktop.{Actions,Application}
+       peer=(name="{:*,org.freedesktop.DBus}"),
+
  dbus receive bus=session path=/org/gnome/Calendar/SearchProvider
       interface=org.gnome.Shell.SearchProvider2
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -107,17 +107,19 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
  owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
+  owner @{user_games_dirs}/**.png r,
  owner @{user_share_dirs}/backgrounds/{,**} rw,
-  owner @{user_share_dirs}/icc/{,edid-*} r,
-  owner @{user_share_dirs}/sounds/__custom/{,*} rw,
  owner @{user_share_dirs}/gnome-remote-desktop/ w,
  owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
+  owner @{user_share_dirs}/icc/{,edid-*} r,
+  owner @{user_share_dirs}/sounds/__custom/{,*} rw,
+
+  owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,

  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
  owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
-  owner @{run}/user/@{uid}/wayland-@{int} rw,
        @{run}/cups/cups.sock rw,
        @{run}/samba/ rw,
        @{run}/systemd/sessions/  r,
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@ -9,14 +9,16 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-control-center-goa-helper
 profile gnome-control-center-goa-helper @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
@ -33,15 +35,20 @@ profile gnome-control-center-goa-helper @{exec_path} {

  signal (send) set=(kill) peer=bwrap,

+  dbus bind bus=session name=org.gnome.Settings.GoaHelper,
+
+  dbus send bus=session path=/org/gnome/OnlineAccounts
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label=goa-daemon),
+
  @{exec_path} mr,

  @{bin}/bwrap  rPUx,

  @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/themes/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
+  /usr/share/publicsuffix/public_suffix_list.dafsa r,

  /var/lib/flatpak/exports/share/icons/{,**} r,

--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@ -12,7 +12,7 @@ profile gnome-disks @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/disks-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/user-download-strict>

  dbus bind bus=session name=org.gnome.DiskUtility,
@ -22,9 +22,6 @@ profile gnome-disks @{exec_path} {
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
  @{lib}/gio-launch-desktop                           rPx -> child-open,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/X11/xkb/{,**} r,
-
  owner @{user_cache_dirs}/gnome-disks/{,**} rw,

        @{PROC}/1/cgroup r,
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -11,7 +11,7 @@ profile gnome-initial-setup @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>

  network netlink raw,
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -11,7 +11,7 @@ profile gnome-music @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/gstreamer>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -324,7 +324,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,
-  owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
  owner @{run}/user/@{uid}/pipewire-@{int} rw,

  owner /dev/shm/.org.chromium.Chromium.* rw,
@ -333,7 +332,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
        /tmp/.X@{int}-lock rw,
        /tmp/dbus-@{rand8} rw,
  owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
-  owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
+  owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,

  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat@{int} r,
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -11,7 +11,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>

  capability sys_ptrace,
@ -31,15 +31,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,

-  # freedesktop.org-strict
-  /usr/share/pixmaps/{,**} r,
-  /usr/share/*ubuntu/applications/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
-  /etc/machine-id r,
-
-  /var/lib/snapd/desktop/icons/ r,
-
  owner @{run}/user/@{uid}/doc/ rw,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -11,8 +11,7 @@ profile gnome-tweaks @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
  include <abstractions/python>

  @{exec_path} mr,
@ -23,7 +22,6 @@ profile gnome-tweaks @{exec_path} {

  @{lib}/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-tweaks/{,**} r,

  /etc/xdg/autostart/{,**} r,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -20,8 +20,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
+  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
@ -92,6 +93,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {

  @{bin}/{,ba,da}sh          rix,
  @{bin}/bwrap              rPUx,
+  @{bin}/file-roller         rPx,
  @{bin}/firejail           rPUx,
  @{bin}/net                rPUx,
  @{bin}/tracker3           rPUx,
@ -99,7 +101,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
  @{lib}/gio-launch-desktop                           rPx -> child-open,

-  /usr/share/*ubuntu/applications/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/libdrm/*.ids r,
  /usr/share/nautilus/{,**} r,
@ -112,7 +113,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  /etc/fstab r,

  /var/cache/fontconfig/ rw,
-  /var/lib/snapd/desktop/icons/{,**} r,

  # Full access to user's data
  / r,
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@ -12,7 +12,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
  include <abstractions/dri-enumerate>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/gstreamer>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -17,7 +17,7 @@ profile seahorse @{exec_path} {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -33,15 +33,9 @@ profile seahorse @{exec_path} {
  @{bin}/gpg{,2}  rPx,
  @{bin}/gpgsm    rPx,

-  # freedesktop.org-strict
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/*ubuntu/applications/ r,
-
  /etc/pki/trust/blocklist/ r,
  /etc/gcrypt/hwf.deny r,

-  /var/lib/snapd/desktop/icons/ r,
-
  owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,

  owner @{PROC}/@{pid}/fd/ r,