felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): improve common freedesktop profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-01 20:34:35 +02:00
parent 3cc39debfb
commit df6378cec0
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
10 changed files with 41 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/freedesktop/pipewire
View file

@ -41,7 +41,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
/ r, / r,
@{att}/ r, @{att}/ r,
owner @{att}// r,
owner @{att}/.flatpak-info r, owner @{att}/.flatpak-info r,
owner @{user_config_dirs}/pipewire/{,**} r, owner @{user_config_dirs}/pipewire/{,**} r,

18
apparmor.d/groups/freedesktop/pkla-check-authorization Normal file
View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pkla-check-authorization
profile pkla-check-authorization @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/pkla-check-authorization>
}
# vim:syntax=apparmor

1
apparmor.d/groups/freedesktop/upowerd
View file

@ -13,6 +13,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.bluez> include <abstractions/bus/org.bluez>
include <abstractions/bus/org.freedesktop.login1> include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/devices-usb> include <abstractions/devices-usb>
network netlink raw, network netlink raw,

6
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -10,7 +10,6 @@ include <tunables/global>
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-open> include <abstractions/app-open>
include <abstractions/consoles>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>
@ -18,6 +17,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore> include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.RealtimeKit1> include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/bus/org.freedesktop.UPower.PowerProfiles>
include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/devices-usb-read> include <abstractions/devices-usb-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -73,6 +74,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/dconf/user r,
owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{gdm_config_dirs}/user-dirs.dirs r,
# The portal can receive any user file as it is a file chooser for UI app.
owner @{HOME}/** r,
@{user_config_dirs}/kioslaverc r, @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/xdg-desktop-portal/* r, owner @{user_config_dirs}/xdg-desktop-portal/* r,
owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw,

5
apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
View file

@ -32,8 +32,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
signal receive set=term peer=gdm, signal receive set=term peer=gdm,
signal receive set=hup peer=gdm-session-worker, signal receive set=hup peer=gdm-session-worker,
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
#aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk
dbus receive bus=session path=/org/freedesktop/portal/desktop dbus receive bus=session path=/org/freedesktop/portal/desktop
@ -58,7 +56,8 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
/ r, / r,
owner @{att}/ r,
owner /var/lib/xkb/server-@{int}.xkm rw, owner /var/lib/xkb/server-@{int}.xkm rw,

3
apparmor.d/groups/freedesktop/xdg-document-portal
View file

@ -9,10 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-document-portal @{exec_path} = @{lib}/xdg-document-portal
profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore> include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
include <abstractions/consoles>
include <abstractions/deny-sensitive-home> include <abstractions/deny-sensitive-home>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability sys_admin, capability sys_admin,

3
apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
View file

@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-user-dirs-gtk-update @{exec_path} = @{bin}/xdg-user-dirs-gtk-update
profile xdg-user-dirs-gtk-update @{exec_path} { profile xdg-user-dirs-gtk-update @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dbus-accessibility>
include <abstractions/dbus-session>
include <abstractions/gtk> include <abstractions/gtk>
@{exec_path} mr, @{exec_path} mr,

10
apparmor.d/groups/polkit/polkit-agent-helper
View file

@ -25,10 +25,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
signal (receive) set=(term, kill) peer=gnome-shell, signal receive set=(term kill) peer=gnome-shell,
signal (receive) set=(term, kill) peer=pkexec, signal receive set=(term kill) peer=pkexec,
signal (receive) set=(term, kill) peer=pkttyagent, signal receive set=(term kill) peer=pkttyagent,
signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, signal receive set=(term kill) peer=polkit-*-authentication-agent,
unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system,
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties

6
apparmor.d/groups/polkit/polkitd
View file

@ -11,6 +11,7 @@ include <tunables/global>
profile polkitd @{exec_path} flags=(attach_disconnected) { profile polkitd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.systemd1>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability setgid, capability setgid,
@ -25,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/pkla-check-authorization rPUx, @{bin}/pkla-check-authorization rPx,
@{bin}/pkla-admin-identities rPx, @{bin}/pkla-admin-identities rPx,
/etc/machine-id r, /etc/machine-id r,
@ -68,9 +69,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
# Silencer
deny /.cache/ rw,
include if exists <local/polkitd> include if exists <local/polkitd>
} }

3
dists/flags/main.flags
View file

@ -258,8 +258,9 @@ os-prober attach_disconnected,complain
pam_kwallet_init complain pam_kwallet_init complain
pam-tmpdir-helper complain pam-tmpdir-helper complain
passimd attach_disconnected,complain passimd attach_disconnected,complain
pkttyagent complain
pkla-admin-identities complain pkla-admin-identities complain
pkla-check-authorization complain
pkttyagent complain
plank complain plank complain
plasma_waitforname complain plasma_waitforname complain
plasma-browser-integration-host complain plasma-browser-integration-host complain