refractor(profile): always use the gschemas abstraction.

2025-08-30 12:56:05 +02:00 · 2025-08-30 12:56:05 +02:00 · d6ddbf104c
commit d6ddbf104c
parent 0ada92da32
22 changed files with 26 additions and 37 deletions
--- a/apparmor.d/groups/display-manager/xdm-xsession
+++ b/apparmor.d/groups/display-manager/xdm-xsession
@ -10,6 +10,7 @@ include <tunables/global>
 profile xdm-xsession @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>
  include <abstractions/X-strict>
@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} {
  @{HOME}/.xinitrc                                 rPix, # TODO: rCx
  @{lib}/xinit/xinitrc                          rix,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/mc/mc.sh r,
  /usr/share/terminfo/{,**} r,

--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@ -9,12 +9,13 @@ include <tunables/global>
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
 profile geoclue @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-system>
  include <abstractions/bus/fi.w1.wpa_supplicant1>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.ModemManager1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/consoles>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -29,8 +30,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  /etc/geoclue/{,**} r,
  /etc/sysconfig/proxy r,

--- a/apparmor.d/groups/gnome/chrome-gnome-shell
+++ b/apparmor.d/groups/gnome/chrome-gnome-shell
@ -10,6 +10,7 @@ include <tunables/global>
 profile chrome-gnome-shell @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>
@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} {
  @{exec_path} mr,
  @{bin}/ r,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  owner @{PROC}/@{pid}/mounts r,

  deny @{HOME}/.* r,
--- a/apparmor.d/groups/gnome/deja-dup-monitor
+++ b/apparmor.d/groups/gnome/deja-dup-monitor
@ -17,6 +17,7 @@ profile deja-dup-monitor @{exec_path} {
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  network netlink raw,

@ -44,8 +45,6 @@ profile deja-dup-monitor @{exec_path} {
  @{bin}/ionice     rix,
  @{bin}/deja-dup    Px,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  /var/tmp/ r,
  /tmp/ r,

--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@ -15,6 +15,7 @@ profile evolution-addressbook-factory @{exec_path} {
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -63,7 +64,6 @@ profile evolution-addressbook-factory @{exec_path} {
  @{exec_path} mr,
  @{exec_path}-subprocess rix,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/icu/@{int}.@{int}/*.dat r,

  owner @{user_share_dirs}/evolution/{,**} rwk,
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@ -14,6 +14,7 @@ profile evolution-calendar-factory @{exec_path} {
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -65,8 +66,6 @@ profile evolution-calendar-factory @{exec_path} {
  @{exec_path} mr,
  @{exec_path}-subprocess rix,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
  owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,

--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -13,6 +13,7 @@ profile evolution-source-registry @{exec_path} {
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -47,8 +48,6 @@ profile evolution-source-registry @{exec_path} {

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  owner @{user_cache_dirs}/evolution/{,**} rwk,
  owner @{user_config_dirs}/evolution/sources/{,*} rw,
  owner @{user_share_dirs}/evolution/{,**} r,
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} {
  @{etc_ro}/X11/xdm/Xsession                   rPx,
  @{lib}/gnome-session-binary                  rPx,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/im-config/data/{,*} r,
  /usr/share/im-config/xinputrc.common r,

--- a/apparmor.d/groups/gnome/gnome-browser-connector-host
+++ b/apparmor.d/groups/gnome/gnome-browser-connector-host
@ -11,6 +11,7 @@ profile gnome-browser-connector-host @{exec_path} {
  include <abstractions/base>
  include <abstractions/python>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  @{exec_path} mr,

@ -19,8 +20,6 @@ profile gnome-browser-connector-host @{exec_path} {

  @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  owner @{PROC}/@{pid}/mounts r,

  include if exists <local/gnome-browser-connector-host>
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@ -35,8 +35,6 @@ profile gnome-shell-calendar-server @{exec_path} {

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  /etc/sysconfig/clock r,
  /etc/timezone r,

--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@ -9,10 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-a11y-settings
 profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/consoles>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  signal (receive) set=(term, hup) peer=gdm*,

@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  @{gdm_config_dirs}/dconf/user r,
  @{GDM_HOME}/greeter-dconf-defaults r,
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@ -9,10 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-datetime
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/consoles>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>

  network inet dgram,
@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-settings-daemon/datetime/backward r,

  owner @{GDM_HOME}/greeter-dconf-defaults r,
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -9,12 +9,13 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-sharing
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/consoles>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  signal (receive) set=(term, hup) peer=gdm*,

@ -34,7 +35,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
+  include <abstractions/gschemas>

  signal (receive) set=(term, hup) peer=gdm*,

@ -29,7 +30,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /etc/{,opensc/}opensc.conf r,
  /etc/tpm2-tss/* rk,
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  signal receive set=(term, hup) peer=gdm*,

@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,
--- a/apparmor.d/groups/gnome/gsd-usb-protection
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@ -11,13 +11,12 @@ profile gsd-usb-protection @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  include if exists <local/gsd-usb-protection>
 }

--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/session-migration
 profile session-migration @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf-write>
  include <abstractions/bus-session>
+  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/python>

  @{exec_path} mr,
@ -21,7 +22,6 @@ profile session-migration @{exec_path} {
  @{bin}/gsettings                        rPx,
  /usr/share/session-migration/scripts/*  rix,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/session-migration/{,**} r,

  owner @{gdm_share_dirs}/ w,
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@ -14,6 +14,7 @@ profile gvfsd-network @{exec_path} {
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}

@ -44,8 +45,6 @@ profile gvfsd-network @{exec_path} {

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  owner @{run}/user/@{uid}/gvfsd/ rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@ -13,6 +13,7 @@ profile gvfsd-smb-browse @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>

  network netlink raw,
@ -35,8 +36,6 @@ profile gvfsd-smb-browse @{exec_path} {

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
  /etc/samba/* r,

        /var/cache/samba/ rw,
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -117,7 +117,6 @@ profile apport-gtk @{exec_path} {
    /usr/share/gdb/python/{,**/}__pycache__/{,**} rw,

    /usr/share/gdb/{,**} r,
-    /usr/share/glib-2.0/schemas/gschemas.compiled r,
    /usr/share/gnome-shell/{,**} r,
    /usr/share/terminfo/** r,
    /usr/share/themes/{,**} r,
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@ -9,9 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/gsettings
 profile gsettings @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-session>
+  include <abstractions/consoles>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  @{exec_path} mr,

--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@ -10,13 +10,13 @@ include <tunables/global>
 profile mission-control @{exec_path} flags=(attach_disconnected)  {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  network netlink raw,

  @{exec_path} mr,

  /usr/share/telepathy/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  owner @{user_share_dirs}/telepathy/ rw,
  owner @{user_share_dirs}/telepathy/mission-control/ rw,