feat(profile): improve common freedesktop profiles.

2025-05-01 20:34:35 +02:00 · 2025-05-01 20:34:35 +02:00 · df6378cec0
commit df6378cec0
parent 3cc39debfb
10 changed files with 41 additions and 15 deletions
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -41,7 +41,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {

              / r,
        @{att}/ r,
-  owner @{att}// r,
  owner @{att}/.flatpak-info r,

  owner @{user_config_dirs}/pipewire/{,**} r,
--- a/apparmor.d/groups/freedesktop/pkla-check-authorization
+++ b/apparmor.d/groups/freedesktop/pkla-check-authorization
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pkla-check-authorization
+profile pkla-check-authorization @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/pkla-check-authorization>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -13,6 +13,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-system>
  include <abstractions/bus/org.bluez>
  include <abstractions/bus/org.freedesktop.login1>
+  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/devices-usb>

  network netlink raw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -10,7 +10,6 @@ include <tunables/global>
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-open>
-  include <abstractions/consoles>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
@ -18,6 +17,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
+  include <abstractions/bus/org.freedesktop.UPower.PowerProfiles>
+  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/devices-usb-read>
  include <abstractions/freedesktop.org>
@ -73,6 +74,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_config_dirs}/user-dirs.dirs r,

+  # The portal can receive any user file as it is a file chooser for UI app.
+  owner @{HOME}/** r,
+
        @{user_config_dirs}/kioslaverc r,
  owner @{user_config_dirs}/xdg-desktop-portal/* r,
  owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -32,8 +32,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
  signal receive set=term peer=gdm,
  signal receive set=hup  peer=gdm-session-worker,

-  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
-
  #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk

  dbus receive bus=session path=/org/freedesktop/portal/desktop
@ -59,6 +57,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,

              / r,
+  owner @{att}/ r,

  owner /var/lib/xkb/server-@{int}.xkm rw,

--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -9,10 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-document-portal
 profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
+  include <abstractions/consoles>
  include <abstractions/deny-sensitive-home>
+  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>

  capability sys_admin,
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-user-dirs-gtk-update
 profile xdg-user-dirs-gtk-update @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/dbus-accessibility>
+  include <abstractions/dbus-session>
  include <abstractions/gtk>

  @{exec_path} mr,
--- a/apparmor.d/groups/polkit/polkit-agent-helper
+++ b/apparmor.d/groups/polkit/polkit-agent-helper
@ -25,10 +25,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

-  signal (receive) set=(term, kill) peer=gnome-shell,
-  signal (receive) set=(term, kill) peer=pkexec,
-  signal (receive) set=(term, kill) peer=pkttyagent,
-  signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
+  signal receive set=(term kill) peer=gnome-shell,
+  signal receive set=(term kill) peer=pkexec,
+  signal receive set=(term kill) peer=pkttyagent,
+  signal receive set=(term kill) peer=polkit-*-authentication-agent,
+
+  unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system,

  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/polkit/polkitd
+++ b/apparmor.d/groups/polkit/polkitd
@ -11,6 +11,7 @@ include <tunables/global>
 profile polkitd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/nameservice-strict>

  capability setgid,
@ -25,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/pkla-check-authorization rPUx,
+  @{bin}/pkla-check-authorization  rPx,
  @{bin}/pkla-admin-identities     rPx,

  /etc/machine-id r,
@ -68,9 +69,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/fdinfo/@{int} r,

-  # Silencer
-  deny /.cache/ rw,
-
  include if exists <local/polkitd>
 }

--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -258,8 +258,9 @@ os-prober attach_disconnected,complain
 pam_kwallet_init complain
 pam-tmpdir-helper complain
 passimd attach_disconnected,complain
-pkttyagent complain
 pkla-admin-identities complain
+pkla-check-authorization complain
+pkttyagent complain
 plank complain
 plasma_waitforname complain
 plasma-browser-integration-host complain