feat: update profiles.

2022-04-26 22:05:29 +01:00 · 2022-04-26 22:05:29 +01:00 · e845a172c2
commit e845a172c2
parent 84dc85b82d
28 changed files with 84 additions and 96 deletions
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/evolution-addressbook-factory
 profile evolution-addressbook-factory @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
@ -26,7 +27,6 @@ profile evolution-addressbook-factory @{exec_path} {
  owner @{user_share_dirs}/evolution/{,**} rwk,
  owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,

-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/evolution-calendar-factory
 profile evolution-calendar-factory @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
@ -28,7 +29,6 @@ profile evolution-calendar-factory @{exec_path} {
  owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
  owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,

-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/evolution-source-registry
 profile evolution-source-registry @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
@ -27,7 +28,6 @@ profile evolution-source-registry @{exec_path} {
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_cache_dirs}/evolution/{,**} rwk,

-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
+  include <abstractions/dconf>
  include <abstractions/nameservice-strict>
  include <abstractions/zsh>

@ -22,11 +23,11 @@ profile gdm-wayland-session @{exec_path} {
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh           rix,
-  /{usr/,}bin/zsh                  rix,
-  /{usr/,}bin/tty                  rix,
-  /{usr/,}bin/grep                 rix,
  /{usr/,}bin/gnome-session        rix,
+  /{usr/,}bin/grep                 rix,
  /{usr/,}bin/gsettings            rix,
+  /{usr/,}bin/tty                  rix,
+  /{usr/,}bin/zsh                  rix,

  /{usr/,}bin/dbus-daemon          rPx,
  /{usr/,}bin/dbus-run-session     rPx,
@ -42,14 +43,13 @@ profile gdm-wayland-session @{exec_path} {

  @{run}/gdm/custom.conf r,

+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+        @{run}/gdm/custom.conf r,
+
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
-  # file_inherit
  /dev/tty[0-9]* rw,

  include if exists <local/gdm-wayland-session>
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -18,6 +18,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/mesa>
  include <abstractions/opencl-nvidia>
  include <abstractions/openssl>
+  include <abstractions/vulkan>

  network netlink raw,

@ -32,7 +33,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /usr/share/egl/{,**} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/X11/xkb/** r,

@ -49,9 +49,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gdm/Xauthority r,
        @{run}/user/@{uid}/wayland-cursor-shared-* rw,

-  @{sys}/devices/pci[0-9]*/**/drm/ r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
  @{sys}/devices/pci[0-9]*/**/revision r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@ -29,5 +29,7 @@ profile gnome-calendar @{exec_path} {
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,

+  @{PROC}/sys/dev/i915/perf_stream_paranoid r,
+
  include if exists <local/gnome-calendar>
 }
--- a/apparmor.d/groups/gnome/gnome-contacts
+++ b/apparmor.d/groups/gnome/gnome-contacts
@ -18,13 +18,13 @@ profile gnome-contacts @{exec_path} {
  include <abstractions/opencl>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
+  include <abstractions/vulkan>

  network netlink raw,

  @{exec_path} mr,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
  /usr/share/applications/{,*.desktop} r,

  owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dconf>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gnome>
@ -20,6 +21,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
+  include <abstractions/vulkan>

  network inet dgram,
  network inet6 dgram,
@ -36,13 +38,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/locale     rix,
  /{usr/,}bin/openvpn    rPx,
  /{usr/,}bin/passwd     rPx,
+  /{usr/,}lib/gnome-control-center-goa-helper         rPx,
  /{usr/,}lib/gnome-control-center-print-renderer     rPx,
  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,

  /usr/share/backgrounds/gnome/* r,
  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
  /usr/share/gnome-background-properties/{,**} r,
  /usr/share/gnome-bluetooth/{,**} r,
  /usr/share/gnome-color-manager/{,**} r,
@ -74,10 +76,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
  owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,

-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
  owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
        @{run}/systemd/users/@{uid} r,
@ -98,9 +98,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  @{sys}/class/ r,
  @{sys}/class/input/ r,
  @{sys}/devices/**/{name,vendor,product,uevent} r,
-  @{sys}/devices/pci[0-9]*/**/drm/ r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
  @{sys}/devices/pci[0-9]*/**/revision r,
  @{sys}/devices/platform/**/uevent r,
  @{sys}/devices/virtual/**/uevent r,
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -9,18 +9,19 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/opencl-nvidia>
+  include <abstractions/vulkan>

  @{exec_path} mr,

  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
  /usr/share/icons/{,**} r,
  /usr/share/mime/mime.cache r,
  /usr/share/pixmaps/{,**} r,
@ -31,15 +32,10 @@ profile gnome-control-center-print-renderer @{exec_path} {

  owner @{user_share_dirs}/icons/{,**} r,

-  owner @{run}/user/@{uid}/gdm/Xauthority r,
-
-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/gdm/Xauthority r,

-  @{sys}/devices/pci[0-9]*/**/drm/ r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
  @{sys}/devices/pci[0-9]*/**/revision r,

  owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@ -9,20 +9,19 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-disks
 profile gnome-disks @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/gnome>
-  include <abstractions/gtk>

  @{exec_path} mr,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/{,**} r,

-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

-        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,
+        @{PROC}/1/cgroup r,

  include if exists <local/gnome-disks>
 }
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -31,7 +31,7 @@ profile gnome-keyring-daemon @{exec_path} {
  owner @{run}/user/@{uid}/keyring/* rw,
  owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,

-  @{PROC}/[0-9]*/fd/ r,
+  owner @{PROC}/@{pid}/fd/ r,

  include if exists <local/gnome-keyring-daemon>
 }
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -10,13 +10,16 @@ include <tunables/global>
 profile gnome-music @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dconf>
  include <abstractions/gnome>
  include <abstractions/gstreamer>
+  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/python>
  include <abstractions/ssl_certs>
+  include <abstractions/vulkan>

  network inet stream,
  network inet6 stream,
@ -44,14 +47,12 @@ profile gnome-music @{exec_path} {
  owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
  owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,

-  owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
-
-  @{run}/systemd/inhibit/[0-9]*.ref rw,
-
-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
+        @{run}/systemd/inhibit/[0-9]*.ref rw,
+
+  owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,

  owner @{PROC}/@{pid}/mounts r,

--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -13,6 +13,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gtk>
+  include <abstractions/mesa>
  include <abstractions/nameservice-strict>

  network inet stream,
@ -73,7 +74,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {

  /var/lib/flatpak/exports/share/applications/{,**} r,

-  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
  owner @{user_config_dirs}/autostart/{,*.desktop} r,
  owner @{user_config_dirs}/gnome-session/ rw,
  owner @{user_config_dirs}/gnome-session/saved-session/ rw,
@ -86,9 +86,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {

  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
-
-  /tmp/.ICE-unix/[0-9]* rw,
-
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
@ -98,6 +95,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/sessions/[0-9]*.ref rw,
        @{run}/systemd/users/@{uid} r,

+  /tmp/.ICE-unix/[0-9]* rw,
+
  @{sys}/devices/**/{vendor,device} r,
  @{sys}/devices/pci[0-9]*/**/revision r,

@ -106,9 +105,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/cmdline r,
-        @{PROC}/sys/dev/i915/perf_stream_paranoid r,

-  /dev/null r,
  /dev/tty rw,
  /dev/tty[0-9]* rw,

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -22,6 +22,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
+  include <abstractions/vulkan>

  capability sys_nice,
  capability sys_ptrace,
@ -51,7 +52,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/libgweather/Locations.xml r,
  /usr/share/libinput/ r,
@ -158,9 +158,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/pci[0-9]*/**/boot_vga r,
  @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
-  @{sys}/devices/pci[0-9]*/**/drm/ r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
  @{sys}/devices/pci[0-9]*/**/revision r,

  owner @{PROC}/@{pid}/comm r,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -44,10 +44,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mountinfo r,
-        @{PROC}/@{pids}/net/wireless r,
-
  @{run}/mount/utab r,
  @{run}/systemd/userdb/ r,

@ -56,6 +52,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,

+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+        @{PROC}/@{pids}/net/wireless r,
+
  /dev/tty rw,
  /dev/dri/card[0-9]* rw,

--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/seahorse
 profile seahorse @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/gnome>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -24,11 +25,10 @@ profile seahorse @{exec_path} {
  # Seahorse and SSH keys
  owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,

-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

-  @{PROC}/[0-9]*/fd/ r,
+  owner @{PROC}/@{pid}/fd/ r,

  include if exists <local/seahorse>
 }