From eb84df319d1fb40226623307f423af8f553d9816 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:00:38 +0200 Subject: [PATCH] feat(profile): update gnome profiles. --- .../freedesktop/xdg-desktop-portal-gnome | 16 ++++++++-- .../groups/freedesktop/xdg-desktop-portal-gtk | 5 --- .../freedesktop/xdg-user-dirs-gtk-update | 4 +-- apparmor.d/groups/gnome/gjs-console | 7 +++-- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-control-center | 4 +++ .../groups/gnome/gnome-extension-gsconnect | 3 +- apparmor.d/groups/gnome/gnome-session-binary | 2 ++ apparmor.d/groups/gnome/gnome-shell | 31 ++++++++++--------- apparmor.d/groups/gnome/gsd-color | 4 +-- apparmor.d/groups/gnome/gsd-xsettings | 6 +++- apparmor.d/groups/gnome/loupe | 11 ++++++- apparmor.d/groups/gnome/nautilus | 10 +++++- apparmor.d/groups/gnome/ptyxis | 2 ++ apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 13 ++++---- apparmor.d/groups/gvfs/gvfsd-network | 12 ++----- 17 files changed, 83 insertions(+), 50 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ac321fd07..1355aa22b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, / r, @@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b77ad03d7..fc11b0700 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 224bc2337..641862965 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,9 +9,9 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include + include include - include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 012ca7ee0..fdaa4e825 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,12 +14,13 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include + include include include include @@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term hup) peer=gdm*, + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.Notifications #aa:dbus own bus=session name=org.gnome.ScreenSaver diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ee0f835e..a43168866 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1007d55e2..2f9077d19 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -39,8 +39,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.bluez.obex.Agent1 #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index ee9c147b6..104d95fb3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index dc9b6812e..8b0ea6307 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6c781e204..1099f254d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, + ptrace readby peer=pipewire, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), @@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /snap/*/@{uid}/**.png r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.mozilla/native-messaging-hosts/ r, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, + owner @{HOME}/.mozilla/native-messaging-hosts/ rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.{png,jpg,svg} r, + owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{image_ext} r, + owner @{user_music_dirs}/**.@{image_ext} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 2fe22305b..56445aeac 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4fece3366..abf30bc40 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} { include include include + include include include include @@ -33,16 +34,19 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/busctl rPx, @{bin}/pactl rPx, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6f783627e..d89d4d6f9 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,14 +9,20 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include + unix type=stream peer=(label=loupe//bwrap), + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -37,7 +43,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -56,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include + unix type=stream peer=(label=loupe), + signal receive set=kill peer=loupe, @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 60bbfb344..ebf975673 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,13 +28,21 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 2f7dee368..a6f7e5b63 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,6 +28,8 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + owner /tmp/#@{int} w, + /dev/ptmx rw, include if exists diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 239993f21..ce60a26c3 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -24,7 +24,7 @@ profile ptyxis-agent @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, /dev/ptmx rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index fd9b5a22d..9af8be00a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -13,14 +13,10 @@ profile gvfsd-dnssd @{exec_path} { include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable @@ -32,6 +28,11 @@ profile gvfsd-dnssd @{exec_path} { member=Spawned peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index adda9b958..cd64d81ad 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,6 +11,8 @@ include profile gvfsd-network @{exec_path} { include include + include + include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -30,16 +32,6 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gnome-control-center), - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r,