feat(profile): improve gnome profiles.

2025-03-23 17:47:22 +01:00 · 2025-03-23 17:47:22 +01:00 · c53c236648
commit c53c236648
parent dd129c1a03
5 changed files with 59 additions and 8 deletions
--- a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl
+++ b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl
@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/batteryhealthchargingctl{,-@{user}}
+@{exec_path} += /usr/local/bin/batteryhealthchargingctl{,-@{user}}
+profile batteryhealthchargingctl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability dac_read_search,
+
+  @{exec_path} mr,
+
+  @{sh_path}       rix,
+  @{bin}/env       rix,
+  @{bin}/cmp       rix,
+  @{bin}/cut       rix,
+  @{bin}/pkaction  rix,
+  @{bin}/sed       rix,
+  @{bin}/sort      rix,
+
+  /etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r,
+
+  @{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r,
+
+  @{sys}/class/power_supply/ r,
+  @{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w,
+  @{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w,
+  @{sys}/devices/**/power_supply/BAT@{int}/charge_types rw,
+
+  include if exists <local/batteryhealthchargingctl>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -47,11 +47,6 @@ profile gnome-extension-ding @{exec_path} {
       interface=org.freedesktop.DBus*
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),

-  dbus send bus=session path=/org/gtk/vfs/metadata
-       interface=org.gtk.vfs.Metadata
-       member=Set
-       peer=(name=:*, label=gvfsd-metadata),
-
  @{exec_path} mr,

  @{sh_path}                   rix,
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@ -20,7 +20,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
  network inet stream,
  network inet6 stream,

-  #aa:dbus own bus=session name=org.gnome.RemoteDesktop
+  #aa:dbus own bus=system name=org.gnome.RemoteDesktop
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm

  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -13,6 +13,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/com.canonical.dbusmenu>
  include <abstractions/bus/net.hadess.PowerProfiles>
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/net.reactivated.Fprint>
@ -160,17 +161,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  @{bin}/unzip                  rix,

+  @{bin}/flatpak                rPx,
  @{bin}/gjs-console            rPx,
  @{bin}/glib-compile-schemas   rPx,
  @{bin}/ibus-daemon            rPx,
-  @{bin}/Xwayland               rPx,
  @{bin}/tecla                  rPx,
-  @{bin}/flatpak rPx,
+  @{bin}/Xwayland               rPx,
  @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
  @{lib}/mutter-x11-frames      rPx,
  #aa:exec polkit-agent-helper

  @{sh_path}                                              rCx -> shell,
+  @{bin}/pkexec                                           rCx -> pkexec,
  @{lib}/gio-launch-desktop                               rCx -> open,
  @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop  rCx -> open,

@ -390,6 +392,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    include if exists <local/gnome-shell_shell>
  }

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    ptrace read peer=gnome-shell,
+
+    @{bin}/pkexec mr,
+
+    /usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx,
+    @{bin}/batteryhealthchargingctl{,-@{user}} rPx,
+
+    include if exists <local/gnome-shell_pkexec>
+  }
+
  profile open flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    include <abstractions/mesa>
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@ -24,6 +24,7 @@ profile gnome-text-editor @{exec_path} {
  owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,

  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,

  deny @{user_share_dirs}/gvfs-metadata/* r,