felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): improve gnome profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-03-23 17:47:22 +01:00
parent dd129c1a03
commit c53c236648
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
5 changed files with 59 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

39
apparmor.d/groups/gnome-extension/batteryhealthchargingctl Normal file
View file

@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/batteryhealthchargingctl{,-@{user}}
@{exec_path} += /usr/local/bin/batteryhealthchargingctl{,-@{user}}
profile batteryhealthchargingctl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
@{exec_path} mr,
@{sh_path} rix,
@{bin}/env rix,
@{bin}/cmp rix,
@{bin}/cut rix,
@{bin}/pkaction rix,
@{bin}/sed rix,
@{bin}/sort rix,
/etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r,
@{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w,
@{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w,
@{sys}/devices/**/power_supply/BAT@{int}/charge_types rw,
include if exists <local/batteryhealthchargingctl>
}
# vim:syntax=apparmor

5
apparmor.d/groups/gnome/gnome-extension-ding
View file

@ -47,11 +47,6 @@ profile gnome-extension-ding @{exec_path} {
interface=org.freedesktop.DBus* interface=org.freedesktop.DBus*
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member=Set
peer=(name=:*, label=gvfsd-metadata),
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,

2
apparmor.d/groups/gnome/gnome-remote-desktop-daemon
View file

@ -20,7 +20,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
#aa:dbus own bus=session name=org.gnome.RemoteDesktop #aa:dbus own bus=system name=org.gnome.RemoteDesktop
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
@{exec_path} mr, @{exec_path} mr,

20
apparmor.d/groups/gnome/gnome-shell
View file

@ -13,6 +13,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/bus-accessibility> include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/com.canonical.dbusmenu>
include <abstractions/bus/net.hadess.PowerProfiles> include <abstractions/bus/net.hadess.PowerProfiles>
include <abstractions/bus/net.hadess.SwitcherooControl> include <abstractions/bus/net.hadess.SwitcherooControl>
include <abstractions/bus/net.reactivated.Fprint> include <abstractions/bus/net.reactivated.Fprint>
@ -160,17 +161,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/unzip rix, @{bin}/unzip rix,
@{bin}/flatpak rPx,
@{bin}/gjs-console rPx, @{bin}/gjs-console rPx,
@{bin}/glib-compile-schemas rPx, @{bin}/glib-compile-schemas rPx,
@{bin}/ibus-daemon rPx, @{bin}/ibus-daemon rPx,
@{bin}/Xwayland rPx,
@{bin}/tecla rPx, @{bin}/tecla rPx,
@{bin}/flatpak rPx, @{bin}/Xwayland rPx,
@{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
@{lib}/mutter-x11-frames rPx, @{lib}/mutter-x11-frames rPx,
#aa:exec polkit-agent-helper #aa:exec polkit-agent-helper
@{sh_path} rCx -> shell, @{sh_path} rCx -> shell,
@{bin}/pkexec rCx -> pkexec,
@{lib}/gio-launch-desktop rCx -> open, @{lib}/gio-launch-desktop rCx -> open,
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
@ -390,6 +392,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include if exists <local/gnome-shell_shell> include if exists <local/gnome-shell_shell>
} }
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
ptrace read peer=gnome-shell,
@{bin}/pkexec mr,
/usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx,
@{bin}/batteryhealthchargingctl{,-@{user}} rPx,
include if exists <local/gnome-shell_pkexec>
}
profile open flags=(attach_disconnected,mediate_deleted,complain) { profile open flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/mesa> include <abstractions/mesa>

1
apparmor.d/groups/gnome/gnome-text-editor
View file

@ -24,6 +24,7 @@ profile gnome-text-editor @{exec_path} {
owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,