refractor(profile): always use the gschemas abstraction.

Alexandre Pujol 2025-08-30 12:56:05 +02:00
parent 0ada92da32
commit d6ddbf104c
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
22 changed files with 26 additions and 37 deletions


@ -10,6 +10,7 @@ include <tunables/global>
profile xdm-xsession @{exec_path} { profile xdm-xsession @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/shells> include <abstractions/shells>
include <abstractions/X-strict> include <abstractions/X-strict>
@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} {
@{HOME}/.xinitrc rPix, # TODO: rCx @{HOME}/.xinitrc rPix, # TODO: rCx
@{lib}/xinit/xinitrc rix, @{lib}/xinit/xinitrc rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mc/mc.sh r, /usr/share/mc/mc.sh r,
/usr/share/terminfo/{,**} r, /usr/share/terminfo/{,**} r,
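Review bot: The read access that was spelled out as `/usr/share/glib-2.0/schemas/gschemas.compiled r,` now comes from `include <abstractions/gschemas>`, whose contents are not part of this change, so the diff cannot show whether the profile's effective permissions stayed the same. If the abstraction covers more than that one file, this profile and the others in this commit that make the same swap gain that access without any visible rule. The commit has no body; one line stating what the abstraction grants, and that it is read-only, would make the change reviewable. The profile body extends beyond both hunks.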


@ -9,12 +9,13 @@ include <tunables/global>
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
profile geoclue @{exec_path} flags=(attach_disconnected) { profile geoclue @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/fi.w1.wpa_supplicant1> include <abstractions/bus/fi.w1.wpa_supplicant1>
include <abstractions/bus/org.freedesktop.Avahi> include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.freedesktop.ModemManager1> include <abstractions/bus/org.freedesktop.ModemManager1>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/consoles>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -29,8 +30,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/geoclue/{,**} r, /etc/geoclue/{,**} r,
/etc/sysconfig/proxy r, /etc/sysconfig/proxy r,


@ -10,6 +10,7 @@ include <tunables/global>
profile chrome-gnome-shell @{exec_path} { profile chrome-gnome-shell @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
deny @{HOME}/.* r, deny @{HOME}/.* r,


@ -17,6 +17,7 @@ profile deja-dup-monitor @{exec_path} {
include <abstractions/bus/org.gtk.vfs.Daemon> include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
network netlink raw, network netlink raw,
@ -44,8 +45,6 @@ profile deja-dup-monitor @{exec_path} {
@{bin}/ionice rix, @{bin}/ionice rix,
@{bin}/deja-dup Px, @{bin}/deja-dup Px,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/var/tmp/ r, /var/tmp/ r,
/tmp/ r, /tmp/ r,


@ -15,6 +15,7 @@ profile evolution-addressbook-factory @{exec_path} {
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -63,7 +64,6 @@ profile evolution-addressbook-factory @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{exec_path}-subprocess rix, @{exec_path}-subprocess rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/icu/@{int}.@{int}/*.dat r,
owner @{user_share_dirs}/evolution/{,**} rwk, owner @{user_share_dirs}/evolution/{,**} rwk,


@ -14,6 +14,7 @@ profile evolution-calendar-factory @{exec_path} {
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -65,8 +66,6 @@ profile evolution-calendar-factory @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{exec_path}-subprocess rix, @{exec_path}-subprocess rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,


@ -13,6 +13,7 @@ profile evolution-source-registry @{exec_path} {
include <abstractions/bus/org.freedesktop.secrets> include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
@ -47,8 +48,6 @@ profile evolution-source-registry @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_cache_dirs}/evolution/{,**} rwk,
owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_config_dirs}/evolution/sources/{,*} rw,
owner @{user_share_dirs}/evolution/{,**} r, owner @{user_share_dirs}/evolution/{,**} r,


@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/shells> include <abstractions/shells>
@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} {
@{etc_ro}/X11/xdm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx,
@{lib}/gnome-session-binary rPx, @{lib}/gnome-session-binary rPx,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/im-config/data/{,*} r, /usr/share/im-config/data/{,*} r,
/usr/share/im-config/xinputrc.common r, /usr/share/im-config/xinputrc.common r,


@ -11,6 +11,7 @@ profile gnome-browser-connector-host @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
@{exec_path} mr, @{exec_path} mr,
@ -19,8 +20,6 @@ profile gnome-browser-connector-host @{exec_path} {
@{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
include if exists <local/gnome-browser-connector-host> include if exists <local/gnome-browser-connector-host>


@ -35,8 +35,6 @@ profile gnome-shell-calendar-server @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/sysconfig/clock r, /etc/sysconfig/clock r,
/etc/timezone r, /etc/timezone r,
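Review bot: The explicit `/usr/share/glib-2.0/schemas/gschemas.compiled r,` rule is removed here, but this section shows no `include <abstractions/gschemas>` being added, unlike the other profiles in the commit. Unless the profile already pulls the abstraction in, directly or through another include outside the hunk, the process loses read access to the compiled schemas and will log denials once enforced. The apport-gtk section has the same shape. If it is not already present, add `include <abstractions/gschemas>` to the include list; the profile body starts and ends outside the hunk.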


@ -9,10 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-a11y-settings @{exec_path} = @{lib}/gsd-a11y-settings
profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
@{gdm_config_dirs}/dconf/user r, @{gdm_config_dirs}/dconf/user r,
@{GDM_HOME}/greeter-dconf-defaults r, @{GDM_HOME}/greeter-dconf-defaults r,


@ -9,10 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-datetime @{exec_path} = @{lib}/gsd-datetime
profile gsd-datetime @{exec_path} flags=(attach_disconnected) { profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet dgram, network inet dgram,
@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-settings-daemon/datetime/backward r, /usr/share/gnome-settings-daemon/datetime/backward r,
owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r,


@ -9,12 +9,13 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-sharing @{exec_path} = @{lib}/gsd-sharing
profile gsd-sharing @{exec_path} flags=(attach_disconnected) { profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
@ -34,7 +35,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,


@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/gschemas>
signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(term, hup) peer=gdm*,
@ -29,7 +30,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/{,opensc/}opensc.conf r, /etc/{,opensc/}opensc.conf r,
/etc/tpm2-tss/* rk, /etc/tpm2-tss/* rk,


@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
signal receive set=(term, hup) peer=gdm*, signal receive set=(term, hup) peer=gdm*,
@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,


@ -11,13 +11,12 @@ profile gsd-usb-protection @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include if exists <local/gsd-usb-protection> include if exists <local/gsd-usb-protection>
} }


@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/session-migration @{exec_path} = @{bin}/session-migration
profile session-migration @{exec_path} { profile session-migration @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/python> include <abstractions/python>
@{exec_path} mr, @{exec_path} mr,
@ -21,7 +22,6 @@ profile session-migration @{exec_path} {
@{bin}/gsettings rPx, @{bin}/gsettings rPx,
/usr/share/session-migration/scripts/* rix, /usr/share/session-migration/scripts/* rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/session-migration/{,**} r, /usr/share/session-migration/{,**} r,
owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/ w,


@ -14,6 +14,7 @@ profile gvfsd-network @{exec_path} {
include <abstractions/bus/org.gtk.vfs.Daemon> include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
#aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
@ -44,8 +45,6 @@ profile gvfsd-network @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/ rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,


@ -13,6 +13,7 @@ profile gvfsd-smb-browse @{exec_path} {
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network netlink raw, network netlink raw,
@ -35,8 +36,6 @@ profile gvfsd-smb-browse @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/samba/* r, /etc/samba/* r,
/var/cache/samba/ rw, /var/cache/samba/ rw,


@ -117,7 +117,6 @@ profile apport-gtk @{exec_path} {
/usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/python/{,**/}__pycache__/{,**} rw,
/usr/share/gdb/{,**} r, /usr/share/gdb/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-shell/{,**} r, /usr/share/gnome-shell/{,**} r,
/usr/share/terminfo/** r, /usr/share/terminfo/** r,
/usr/share/themes/{,**} r, /usr/share/themes/{,**} r,


@ -9,9 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/gsettings @{exec_path} = @{bin}/gsettings
profile gsettings @{exec_path} flags=(attach_disconnected) { profile gsettings @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
@{exec_path} mr, @{exec_path} mr,
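Review bot: This section adds `include <abstractions/gschemas>` but removes no explicit rule in the visible hunk. Either the profile still carries `/usr/share/glib-2.0/schemas/gschemas.compiled r,` further down, which is now redundant and should be dropped as in the other profiles, or it had no such rule and this is a new read grant in a commit described as a refactor. The commit message should say which; the profile body continues outside the hunk.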


@ -10,13 +10,13 @@ include <tunables/global>
profile mission-control @{exec_path} flags=(attach_disconnected) { profile mission-control @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gschemas>
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/usr/share/telepathy/{,**} r, /usr/share/telepathy/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/ rw,
owner @{user_share_dirs}/telepathy/mission-control/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw,