From ed864b6391ef8faf4d523cdbf7d7f1c6e8afaf07 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 5 Apr 2024 12:01:46 +0100
Subject: [PATCH] feat(profile): ensure xfce can start.
---
 apparmor.d/groups/xfce/startxfce | 46 ++++++++++++++++++
 apparmor.d/groups/xfce/xfce-session | 74 +++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 apparmor.d/groups/xfce/startxfce
 create mode 100644 apparmor.d/groups/xfce/xfce-session
diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce
new file mode 100644
index 000000000..8fd6a2540
--- /dev/null
+++ b/apparmor.d/groups/xfce/startxfce
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/startxfce4
+profile startxfce @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/cat rix,
+
+ @{bin}/xfce4-session rPx,
+ @{bin}/xrdb rPx,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/dbus-update-activation-environment rCx -> dbus,
+
+ /etc/X11/xinit/xinitrc.d/{,**} r,
+ /etc/xdg/xfce4/{,**} r,
+
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+
+ profile dbus {
+ include
+
+ @{bin}/dbus-update-activation-environment mr,
+
+ owner @{HOME}/.xsession-errors w,
+
+ include if exists
+ }
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
new file mode 100644
index 000000000..eff39f18d
--- /dev/null
+++ b/apparmor.d/groups/xfce/xfce-session
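Review bot: `@{bin}/xfce4-session rPx,` and `@{bin}/xrdb rPx,` are hard transitions that require a loaded profile of that name; this commit adds xfce-session, but nothing in the patch shows an xrdb profile, so if one is not already in the set the exec is denied at session start with no fallback — worth confirming rather than silently weakening to `rPUx`. The scripts under `/etc/X11/xinit/xinitrc.d/{,**} r,` are sourced by the inline `@{sh_path} rix,` shell, so any program they launch runs under startxfce and needs its own rule here; a comment such as `# xinitrc.d scripts run inline via sh; binaries they exec need an explicit rule in this profile` above that line would save the next maintainer a round of denials. As rendered in this view the `include` and `abi` directives carry no target, which is presumably an extraction artifact, but the profile will not parse if the committed file really reads that way.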
@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xfce4-session
+profile xfce-session @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+
+ @{bin}/sleep rix,
+
+ @{bin}/dbus-update-activation-environment rCx -> dbus,
+ @{bin}/systemctl rCx -> systemctl,
+ @{lib}/legacy-dist/deprecation-popup rPUx,
+ /usr/share/system-config-printer/applet.py rPx,
+ #aa:exec xfce-notifyd
+ #aa:exec polkit-gnome-authentication-agent
+
+ #aa:only whonix
+ @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx,
+ @{lib}/sdwdate-gui/start-maybe rPx,
+ @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx,
+
+ /usr/share/kde-power-savings-disable-in-vms/{,**} r,
+ /usr/share/kde-screen-locker-disable-in-vms/{,**} r,
+
+ #aa:only whonix
+ /usr/share/anon-apps-config/{,**} r,
+ /usr/share/open-link-confirmation/{,**} r,
+ /usr/share/security-misc/{,**} r,
+ /usr/share/torbrowser-default-browser/{,**} r,
+
+ /etc/xdg/ r,
+ /etc/xdg/autostart/ r,
+ /etc/xdg/autostart/*.desktop r,
+
+ owner /tmp/.xfsm-ICE-@{rand6} rw,
+ owner /tmp/user/@{uid}/.xfsm-ICE-@{rand6} rw,
+
+ owner @{PROC}/@{pid}/stat r,
+
+ /dev/tty rw,
+
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+
+ profile dbus {
+ include
+ include
+
+ @{bin}/dbus-update-activation-environment mr,
+
+ owner @{user_share_dirs}/sddm/xorg-session.log rw,
+
+ include if exists
+ }
+
+ include if exists
+}
\ No newline at end of file
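Review bot: `owner @{user_share_dirs}/sddm/xorg-session.log rw,` in the dbus child profile grants read on the session log where the equivalent rule in startxfce's dbus child (`owner @{HOME}/.xsession-errors w,`) grants only write; unless dbus-update-activation-environment actually reads that file, `w` is the tighter and consistent choice. `@{lib}/legacy-dist/deprecation-popup rPUx,` falls back to unconfined, and it looks like a Whonix-specific path yet sits outside the `#aa:only whonix` blocks below it; if it is Whonix-only, tagging it the same way keeps other builds from carrying an unconfined fallback, and if a profile for it exists, `rPx` removes the fallback entirely. `/dev/tty rw,` is broad for a session manager; a why-comment naming the code path that needs it (e.g. `# needed for <reason> — confirm`) would justify keeping it rather than letting it be copied into later profiles.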