feat(profiles): improve ubuntu compatibility.

2022-06-13 22:04:12 +01:00 · 2022-06-13 22:04:12 +01:00 · d998b1dd6e
commit d998b1dd6e
parent 0cbcbb29a4
29 changed files with 109 additions and 34 deletions
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@ -22,9 +22,10 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {

  /{usr/,}bin/Xorg              rPx,
  /{usr/,}bin/dbus-run-session  rPx,
-  /etc/gdm/Xsession             rPx,
+  /etc/gdm{3,}/Xsession         rPx,
+  /etc/gdm{3,}/Prime/Default    rix,

-  /etc/gdm/custom.conf r,
+  /etc/gdm{3,}/custom.conf r,
  /usr/share/gdm/gdm.schemas r,

  /var/lib/gdm/.cache/gdm/Xauthority rw,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -85,17 +85,24 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /{usr/,}bin/bash       rUx,
-  /{usr/,}bin/bwrap      rPUx,
-  /{usr/,}bin/gcm-viewer rix,
-  /{usr/,}bin/locale     rix,
-  /{usr/,}bin/openvpn    rPx,
-  /{usr/,}bin/passwd     rPx,
+  /{usr/,}bin/{,b,d,rb}ash  rUx,
+  /{usr/,}bin/{c,k,tc,z}sh  rUx,
+
+  /{usr/,}bin/gcm-viewer    rix,
+  /{usr/,}bin/grep          rix,
+  /{usr/,}bin/locale        rix,
+  /{usr/,}bin/sed           rix,
+
  @{libexec}/gnome-control-center-goa-helper          rPx,
  @{libexec}/gnome-control-center-print-renderer      rPx,
+  /{usr/,}bin/bwrap                                  rPUx,
+  /{usr/,}bin/openvpn                                 rPx,
+  /{usr/,}bin/passwd                                  rPx,
  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  /usr/share/language-tools/language2locale           rix,

-  /usr/share/backgrounds/gnome/* r,
+  /snap/*/[0-9]*/*.png r,
+  /usr/share/backgrounds/{,**} r,
  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-background-properties/{,**} r,
@ -106,6 +113,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /usr/share/mime/{,**} r,
  /usr/share/pipewire/client.conf r,
  /usr/share/thumbnailers/{,*} r,
+  /usr/share/ubuntu/applications/ r,
  /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
  /usr/share/zoneinfo/{,**} r,

@ -115,6 +123,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
+  /var/lib/snapd/desktop/icons/ r,

  owner @{HOME}/.cat_installer/ca.pem r,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
@ -130,6 +139,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,

  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
  owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
        @{run}/systemd/users/@{uid} r,
        @{run}/systemd/sessions/  r,
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -32,6 +32,8 @@ profile gnome-control-center-print-renderer @{exec_path} {
  /var/lib/flatpak/exports/share/icons/{,**} r,
  /var/lib/flatpak/exports/share/mime/mime.cache r,

+  /var/lib/snapd/desktop/icons/{,**} r,
+
  owner @{user_share_dirs}/icons/{,**} r,

  owner @{run}/user/@{uid}/gdm/Xauthority r,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -16,6 +16,8 @@ profile gnome-extension-ding @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>

+  unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
+
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={ListNames,ListActivatableNames},
@ -34,15 +36,20 @@ profile gnome-extension-ding @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/env          rix,
-  /{usr/,}bin/gjs-console  rix,
-  /{usr/,}bin/nautilus     rPx,
+  /{usr/,}bin/{,ba,da}sh            rix,
+  /{usr/,}bin/env                   rix,
+  /{usr/,}bin/gjs-console           rix,
+  /{usr/,}bin/gnome-control-center  rPx,
+  /{usr/,}bin/nautilus              rPx,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
  /usr/share/thumbnailers/{,*.thumbnailer} r,
+  /usr/share/ubuntu/applications/{,**} r,
  /usr/share/X11/{,**} r,

+  /etc/gnome/defaults.list r,
+
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -43,6 +43,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/keyring/ rw,
  owner @{run}/user/@{uid}/keyring/* rw,
  owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,
+        @{run}/user/@{uid}/keyring/control r,

  owner @{PROC}/@{pid}/fd/ r,

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -44,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  signal (send),
 
  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
+  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),

  dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**}
       interface=org.freedesktop.{DBus.Properties,login[0-9].*},
@ -118,6 +119,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,

  /opt/*/**/*.png r,
+  /snap/*/@{uid}/*.png r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/desktop-directories/{,*.directory} r,
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -31,9 +31,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/pixmaps/{,**} r,
+  /usr/share/ubuntu/applications/{,**} r,

  /etc/machine-id r,

+  /var/lib/snapd/desktop/icons/ r,
+
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  owner @{run}/user/@{uid}/doc/ rw,
@ -50,10 +53,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,

  @{PROC}/ r,
+  @{PROC}/@{pids}/attr/current r,
  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/fd/ r,
  @{PROC}/@{pids}/io r,
+  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/@{pids}/mounts r,
  @{PROC}/@{pids}/net/dev r,
  @{PROC}/@{pids}/net/tcp{,6} r,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -16,6 +16,7 @@ profile tracker-extract @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/openssl>
+  include <abstractions/X-strict>

  network netlink raw,

@ -38,15 +39,18 @@ profile tracker-extract @{exec_path} {
  /var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

+  /var/lib/snapd/desktop/applications/*.desktop r,
+
  # Allow to search user files
  owner @{HOME}/{,**} r,
  owner @{MOUNTS}/{,**} r,
  owner /tmp/*/{,**} r,

-  owner /tmp/tracker-extract-3-files.*/{,*} rw,
  owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
  owner @{user_share_dirs}/gvfs-metadata/** r,
-  
+
+  owner /tmp/tracker-extract-3-files.*/{,*} rw,
+
  owner @{run}/user/@{uid}/bus rw,
        @{run}/blkid/blkid.tab r,

@ -59,6 +63,7 @@ profile tracker-extract @{exec_path} {
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,

+  /dev/dri/card[0-9]* rw,
  /dev/dri/renderD128 rw,
  /dev/media[0-9]* r,
  /dev/video[0-9]* rw,