Merge branch 'master' into ubuntu2204__2

2022-08-18 15:36:21 +00:00 · 2022-08-18 15:36:21 +00:00 · e65a78972b
commit e65a78972b
parent 355d958e26 a2fa2421cb
483 changed files with 7221 additions and 2538 deletions
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@ -6,8 +6,8 @@ abi <abi/3.0>,

 include <tunables/global>

-@{AS_LIBDIR}     = @{MOUNTS}/*/android-studio
-@{AS_SDKDIR}     = @{MOUNTS}/*/SDK
+@{AS_LIBDIR}     = @{MOUNTS}/android-studio
+@{AS_SDKDIR}     = @{MOUNTS}/SDK
@{AS_HOMEDIR}    = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects

--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
 profile atom @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -86,18 +87,14 @@ profile atom @{exec_path} {
  # Git dirs
        / r,
        @{MOUNTS}/ r,
-  owner @{MOUNTS}/*/ r,
-  owner @{MOUNTS}/*/atom/ r,
-  owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**,
+  owner @{MOUNTS}/ r,
+  owner @{user_projects_dirs}/ r,
+  owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,

  owner @{user_config_dirs}/git/config r,

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or atom gets crash with the following error:
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -75,12 +75,8 @@ profile calibre @{exec_path} {

  /usr/share/calibre/{,**} r,

-  owner @{HOME}/@{XDG_BOOKS_DIR} rw,
-  owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
-
-  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
-  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
-  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,
+  owner @{user_books_dirs} rw,
+  owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,

  owner @{user_config_dirs}/calibre/ rw,
  owner @{user_config_dirs}/calibre/** rwk,
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code
 profile code @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -63,18 +64,11 @@ profile code @{exec_path} {
  owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,

  # Git dirs
-        / r,
-        @{MOUNTS}/ r,
-  owner @{MOUNTS}/*/ r,
-  owner @{MOUNTS}/*/code/ r,
-  owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
+  owner @{user_projects_dirs}/ r,
+  owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or code gets crash with the following error:
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@ -56,8 +56,8 @@ profile filezilla @{exec_path} {
  /{usr/,}lib/firefox/firefox rPUx,

  # FTP share folder
-  owner @{MOUNTS}/*/ftp/ r,
-  owner @{MOUNTS}/*/ftp/** rw,
+  owner @{MOUNTS}/ftp/ r,
+  owner @{MOUNTS}/ftp/** rw,

  # Silencer
  / r,
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@ -15,6 +15,7 @@ include <tunables/global>
 profile freetube @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/freedesktop.org>
  include <abstractions/fonts>
@ -67,10 +68,6 @@ profile freetube @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  owner @{user_share_dirs} r,
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@ -12,6 +12,7 @@ include <tunables/global>
 profile telegram-desktop @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/fonts>
@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # Needed when saving files as, or otherwise the app crashes
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

--- a/apparmor.d/groups/apps/thunderbird
+++ b/apparmor.d/groups/apps/thunderbird
@ -3,7 +3,6 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # Useful info:
 # http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
-#

 abi <abi/3.0>,

@ -19,6 +18,10 @@ profile thunderbird @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/opencl-intel>
+  include <abstractions/wayland>
+  include <abstractions/nvidia>
+  include <abstractions/vulkan>
+  include <abstractions/mesa>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
@ -27,9 +30,13 @@ profile thunderbird @{exec_path} {
  include <abstractions/enchant>
  include <abstractions/user-download-strict>
  include <abstractions/thumbnails-cache-read>
-  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
+  include <abstractions/dconf-write>
+  include <abstractions/ibus>
+  include <abstractions/dbus-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-gtk>

  ptrace peer=@{profile_name},

@ -47,6 +54,30 @@ profile thunderbird @{exec_path} {
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/uid_map w,

+  dbus (send) bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName
+       peer=(name=org.freedesktop.DBus),
+
+  dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
+       member={Get,MakeThreadHighPriority,MakeThreadRealtime}
+       peer=(name=org.freedesktop.RealtimeKit[0-9]*),
+
+  dbus (send) bus=system path=/org/freedesktop/UPower
+       interface=org.freedesktop.UPower
+       member=EnumerateDevices
+       peer=(name=org.freedesktop.UPower),
+
+  dbus (send) bus=session path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member={Change,Notify}
+       peer=(name=ca.desrt.dconf),
+
+  dbus (bind) bus=session
+       name=org.mozilla.thunderbird.*,
+
+  owner /tmp/dbus-[0-9a-zA-Z]* rw,
+
  @{exec_path} mrix,
  @{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix,

@ -91,10 +122,6 @@ profile thunderbird @{exec_path} {
  owner @{HOME}/Mail/ rw,
  owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # Fix error in libglib while saving files as
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

@ -115,6 +142,11 @@ profile thunderbird @{exec_path} {
  owner @{user_config_dirs}/qt5ct/{,**} r,
  /usr/share/qt5ct/** r,

+  # gnome-tiny
+  /etc/gnome/defaults.list r,
+  /usr/share/gvfs/remote-volume-monitors/{,*} r,
+  @{run}/mount/utab r,
+
  deny @{sys}/devices/system/cpu/present r,
  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
  deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
@ -124,8 +156,9 @@ profile thunderbird @{exec_path} {
       owner @{PROC}/@{pid}/stat r,
       owner @{PROC}/@{pid}/statm r,
       owner @{PROC}/@{pid}/smaps r,
-  deny owner @{PROC}/@{pids}/cmdline r,
-  deny owner @{PROC}/@{pids}/environ r,
+       owner @{PROC}/@{pid}/comm r,
+  deny owner @{PROC}/@{pid}/cmdline r,
+  deny owner @{PROC}/@{pid}/environ r,
       owner @{PROC}/@{pid}/task/ r,
       owner @{PROC}/@{pid}/task/@{tid}/stat r,
  # To remove the following error:
@ -133,14 +166,11 @@ profile thunderbird @{exec_path} {
  #  (g-file-error-quark, 2)
       owner @{PROC}/@{pid}/mountinfo r,
       owner @{PROC}/@{pid}/mounts r,
-  deny       @{PROC}/@{pid}/net/arp r,
-  deny       @{PROC}/@{pid}/net/route r,
+  deny       @{PROC}/@{pids}/net/arp r,
+  deny       @{PROC}/@{pids}/net/route r,
  # for dig
       owner @{PROC}/@{pid}/task/@{tid}/comm rw,

-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
  # TMP files
        /var/tmp/ r,
        /tmp/ r,
@ -158,12 +188,14 @@ profile thunderbird @{exec_path} {
        /dev/shm/ r,
  owner /dev/shm/org.chromium.* rw,
  owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
+  owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,

  /etc/fstab r,
-
  /etc/mailcap r,
+  /etc/timezone r,

  /usr/share/sounds/freedesktop/stereo/*.oga r,
+  /usr/share/ubuntu/applications/{,*} r,

  # Silencer
  deny /{usr/,}lib/thunderbird/** w,
@ -181,15 +213,18 @@ profile thunderbird @{exec_path} {
  /{usr/,}bin/gpgsm             rCx -> gpg,

  # Allowed apps to open
-  /{usr/,}lib/firefox/firefox rPUx,
-  /{usr/,}bin/qpdfview        rPUx,
+  /{usr/,}lib/firefox/firefox rPx,
+  /{usr/,}bin/qpdfview        rPx,
  /{usr/,}bin/viewnior        rPUx,
-  /{usr/,}bin/engrampa        rPUx,
-  /{usr/,}bin/geany           rPUx,
+  /{usr/,}bin/engrampa        rPx,
+  /{usr/,}bin/geany           rPx,

  # file_inherit
  owner /dev/tty[0-9]* rw,
+  owner @{HOME}/.xsession-errors w,

+  @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
+  @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,

  profile gpg {
    include <abstractions/base>
@ -203,7 +238,7 @@ profile thunderbird @{exec_path} {
    /{usr/,}bin/gpg               mr,
    /{usr/,}bin/gpg-connect-agent mr,
    /{usr/,}bin/gpgsm             mr,
-    /{usr/,}bin/gpg-agent        rix,
+    /{usr/,}bin/gpg-agent          rix,

    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -225,7 +260,7 @@ profile thunderbird @{exec_path} {
    owner /tmp/data.sig r,
    owner /tmp/data-[0-9]*.sig r,

-    @{PROC}/@{pid}/fd/ r,
+    @{PROC}/@{pids}/fd/ r,

    # file_inherit
    owner /dev/tty[0-9]* rw,
@ -238,6 +273,7 @@ profile thunderbird @{exec_path} {
    deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
         owner /tmp/ns* rw,

+    include if exists <local/thunderbird_gpg>
  }

  profile open {
@ -249,7 +285,7 @@ profile thunderbird @{exec_path} {
    /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,

    /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{,m,g}awk       rix,
    /{usr/,}bin/readlink        rix,
    /{usr/,}bin/basename        rix,

@ -258,15 +294,16 @@ profile thunderbird @{exec_path} {
    owner @{run}/user/@{uid}/ r,

    # Allowed apps to open
-    /{usr/,}lib/firefox/firefox rPUx,
-    /{usr/,}bin/qpdfview        rPUx,
+    /{usr/,}lib/firefox/firefox rPx,
+    /{usr/,}bin/qpdfview        rPx,
    /{usr/,}bin/viewnior        rPUx,
-    /{usr/,}bin/engrampa        rPUx,
-    /{usr/,}bin/geany           rPUx,
+    /{usr/,}bin/engrampa        rPx,
+    /{usr/,}bin/geany           rPx,

    # file_inherit
    owner @{HOME}/.xsession-errors w,

+    include if exists <local/thunderbird_open>
  }

  include if exists <local/thunderbird>