feat(profiles): general update. See #101

2023-01-15 17:15:26 +00:00 · 2023-01-15 17:15:26 +00:00 · c59a40ec4e
commit c59a40ec4e
parent f20aa4f548
28 changed files with 64 additions and 28 deletions
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@ -10,9 +10,13 @@ include <tunables/global>
 profile gnome-characters @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/gnome>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/vulkan>

  @{exec_path} mr,

@ -22,6 +26,7 @@ profile gnome-characters @{exec_path} {
  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
+  /usr/share/libdrm/*.ids r,

  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/groups/gnome/gnome-contacts-search-provider
+++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider
@ -20,6 +20,8 @@ profile gnome-contacts-search-provider @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/mime/mime.cache r,

+  /var/lib/flatpak/exports/share/mime/mime.cache r,
+
  owner @{user_share_dirs}/mime/mime.cache r,
  owner @{user_share_dirs}/folks/relationships.ini r,

--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -153,8 +153,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/+input* r,       # for mouse, keyboard, touchpad
  @{run}/udev/data/+pci* r,
  @{run}/udev/data/c13:[0-9]* r,    # for /dev/input/*
-  @{run}/udev/data/c235:[0-9]* r,
-  @{run}/udev/data/c236:[0-9]* r,
+  @{run}/udev/data/c23[0-9]:[0-9]* r,
  @{run}/udev/data/c50[0-9]:[0-9]* r,
  @{run}/udev/data/c51[0-9]:[0-9]* r,
  @{run}/udev/data/n[0-9]* r,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -166,6 +166,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/parcellite                                  rPUx,
  /{usr/,}bin/pkcs11-register                              rPx,
  /{usr/,}bin/snap                                        rPUx,
+  /{usr/,}bin/snapshot-detect                             rPUx,
  /{usr/,}bin/spice-vdagent                                rPx,
  /{usr/,}bin/start-pulseaudio-x11                         rPx,
  /{usr/,}bin/ubuntu-report                                rPx,
@ -176,6 +177,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
  /{usr/,}lib/caribou/caribou                              rPUx,
  /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
+  /{usr/,}lib/xapps/sn-watcher/*                           rPUx,
  /{usr/,}share/libpam-kwallet-common/pam_kwallet_init    rPUx,
  @{libexec}/deja-dup/deja-dup-monitor                     rPUx,
  @{libexec}/evolution-data-server/evolution-alarm-notify  rPx,
@ -209,8 +211,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.local/share/session_migration-* r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

-  /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
  /var/lib/flatpak/exports/share/applications/{,**} r,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
+  /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,

  owner /tmp/dirs-?????? rw,

@ -224,6 +227,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/user-dirs.locale r,
  owner @{user_share_dirs}/applications/ r,
  owner @{user_share_dirs}/applications/defaults.list r,
+  owner @{user_share_dirs}/applications/mimeapps.list r,
  owner @{user_share_dirs}/applications/mimeinfo.cache r,
  owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
  owner @{user_share_dirs}/mime/mime.cache r,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -43,6 +43,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {

  /{usr/,}bin/{,ba,da}sh          rix,
  /{usr/,}bin/firejail           rPUx,
+  /{usr/,}bin/bwrap              rPUx,
  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,

  /usr/share/*ubuntu/applications/{,**} r,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -86,6 +86,7 @@ profile tracker-extract @{exec_path} {
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

  /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
  /var/lib/snapd/desktop/applications/*.desktop r,

  # Allow to search user files
@ -101,8 +102,7 @@ profile tracker-extract @{exec_path} {

  @{run}/blkid/blkid.tab r,

-  @{run}/udev/data/c235:* r,
-  @{run}/udev/data/c236:* r,
+  @{run}/udev/data/c23[0-9]:[0-9]* r,
  @{run}/udev/data/c50[0-9]:[0-9]* r,
  @{run}/udev/data/c51[0-9]:[0-9]* r,
  @{run}/mount/utab r,