feat(profiles): deny gvfs-metadata when possible.

2022-09-24 17:59:20 +01:00 · 2022-09-24 17:59:20 +01:00 · ae6cecde52
commit ae6cecde52
parent fcee586e9e
23 changed files with 42 additions and 30 deletions
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -27,11 +27,12 @@ profile evolution-source-registry @{exec_path} {

  owner @{user_config_dirs}/evolution/sources/{,*} rw,
  owner @{user_share_dirs}/evolution/{,**} r,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_cache_dirs}/evolution/{,**} rwk,

  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/cmdline r,

+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
  include if exists <local/evolution-source-registry>
 }
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -91,7 +91,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
  owner @{user_config_dirs}/mimeapps.list.* rw,
  owner @{user_share_dirs}/backgrounds/{,**} rw,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/icc/{,edid-*} r,
  owner @{user_share_dirs}/sounds/__custom/{,*} rw,
  owner @{user_share_dirs}/webkitgtk/{,**} r,
@ -148,5 +147,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /dev/media[0-9]* r,
  /dev/video[0-9]* rw,

+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
  include if exists <local/gnome-control-center>
 }
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -60,12 +60,11 @@ profile gnome-extension-ding @{exec_path} {

  owner @{user_share_dirs}/nautilus/scripts/ r,

-  owner @{user_share_dirs}/gvfs-metadata/home r,
-  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
-
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
  include if exists <local/gnome-extension-ding>
 }
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -45,7 +45,6 @@ profile gnome-music @{exec_path} {
  owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
  owner @{user_share_dirs}/grilo-plugins/ rwk,
  owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
-  owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,

  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
@ -54,5 +53,7 @@ profile gnome-music @{exec_path} {

  owner @{PROC}/@{pid}/mounts r,

+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
  include if exists <local/gnome-music>
 }
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -118,7 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
@ -203,5 +202,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /dev/input/event[0-9]* rw,
  /dev/tty[0-9]* rw,

+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
  include if exists <local/gnome-shell>
 }
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -37,8 +37,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {

  /var/lib/snapd/desktop/icons/ r,

-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
  owner @{run}/user/@{uid}/doc/ rw,

  @{run}/systemd/sessions/*     r,
@ -69,5 +67,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pids}/wchan r,
  @{PROC}/vmstat r,

+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
  include if exists <local/gnome-system-monitor>
 }
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -33,11 +33,12 @@ profile gnome-tweaks @{exec_path} {
  owner @{user_config_dirs}/autostart/*.desktop r,
  owner @{user_share_dirs}/backgrounds/{,**} r,
  owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/recently-used.xbel* rw,
  owner @{user_share_dirs}/sounds/ r,

  owner @{PROC}/@{pid}/fd/ r,

+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
  include if exists <local/gnome-tweaks>
 }
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -48,7 +48,6 @@ profile tracker-extract @{exec_path} {
  owner /tmp/*/{,**} r,

  owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
-  owner @{user_share_dirs}/gvfs-metadata/** r,

  owner /tmp/tracker-extract-3-files.*/{,*} rw,