Update various profiles

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
2024-02-21 23:52:26 +01:00 · 2024-02-21 23:52:26 +01:00 · b532dd6827
commit b532dd6827
parent 92a1d9f65f
47 changed files with 459 additions and 26 deletions
--- a/apparmor.d/groups/freedesktop/plymouth
+++ b/apparmor.d/groups/freedesktop/plymouth
@ -10,6 +10,7 @@ include <tunables/global>
 profile plymouth @{exec_path} {
  include <abstractions/base>
  include <abstractions/fonts>
+  include <abstractions/fontconfig-cache-read>
  include <abstractions/consoles>

  unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -50,11 +50,37 @@ profile pulseaudio @{exec_path} {
       member=Introspect
       peer=(name=:*, label=gnome-shell),

+  dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
+       interface=org.freedesktop.Avahi.ServiceResolver
+       member=Found
+       peer=(name=:*, label=avahi-daemon),
+
+  dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member=ItemRemove
+       peer=(name=:*, label=avahi-daemon),
+
  dbus send bus=system path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name=org.bluez),

+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+
+  dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
+       interface=org.freedesktop.Avahi.ServiceResolver
+       member={Found,Free}
+       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+
+  # No label in rule
+  dbus send bus=system path=/org/freedesktop/RealtimeKit@{int}
+       interface=org.freedesktop.RealtimeKit@{int}
+       member=MakeThreadHighPriority
+       peer=(name=org.freedesktop.RealtimeKit@{int}),
+
  @{exec_path} mrix,

  @{lib}/pulse/gsettings-helper rix,
@ -104,6 +130,7 @@ profile pulseaudio @{exec_path} {

  @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
  @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
+  @{sys}/devices/virtual/video4linux/video@{int}/uevent r,

  deny @{sys}/module/apparmor/parameters/enabled r,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -34,6 +34,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
       member=MakeThread*
       peer=(name=:*),

+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=CheckPermissions
+       peer=(name=:*, label=NetworkManager),
+
  # dbus: own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor

  dbus send bus=session path=/org/freedesktop/portal/documents
--- a/apparmor.d/groups/freedesktop/xsetroot
+++ b/apparmor.d/groups/freedesktop/xsetroot
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/xsetroot
 profile xsetroot @{exec_path} {
  include <abstractions/base>
+  include <abstractions/X-strict>

  capability dac_read_search,