diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict
new file mode 100644
index 000000000..e92e59f7d
--- /dev/null
+++ b/apparmor.d/abstractions/X-strict
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ # The unix socket to use to connect to the display
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+ /tmp/.X11-unix/* rw,
+
+ # Available Xsessions
+ /usr/share/xsessions/{,*.desktop} r,
+
+ # ICEauthority files required for X authentication, per user
+ owner @{HOME}/.ICEauthority r,
+ owner @{run}/user/@{uid}/ICEauthority r,
+
+ # Xauthority files required for X connections, per user
+ owner @{HOME}/.Xauthority r,
+ owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
+ owner @{run}/user/@{uid}/X11/Xauthority r,
+ owner @{run}/user/@{uid}/xauth_* r,
+
+ # Xwayland
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+
+ include if exists
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index f1d9cac6f..d37886954 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -20,14 +20,12 @@ profile pulseaudio @{exec_path} { include include include + include ptrace (trace) peer=@{profile_name}, signal (receive) peer=pacmd, - unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), - unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*), - network inet stream, network inet6 stream, network netlink raw,
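Review bot: The Xwayland rule near the end of the new abstraction grants `rw`, but three of the four profiles that drop their own copy in this commit only held `r` on that file (pulseaudio at -120, xrdb at -35, gnome-session-binary at -118); only gnome-shell at -170 had `rw`. Routing those profiles through the shared include (its target is not visible in this rendering, presumably this abstraction) therefore widens them to write access on the X authentication cookie, and likewise hands pulseaudio and xrdb the `/tmp/.X11-unix/* rw,` file rule and the xsessions read they did not have before. Suggest the abstraction carry the read-only form, `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,`, and gnome-shell keep its own `rw` line. A one-line purpose comment under the license header would also help readers pick between abstractions, e.g. `# Minimal rules to reach an X display over unix sockets and read the per-user auth cookies.`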
@@ -120,9 +118,6 @@ profile pulseaudio @{exec_path} { owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, owner @{run}/user/@{uid}/ rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, - owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/pulse/{,*} rw, owner @{run}/user/@{uid}/pulse/*.lock k, owner @{run}/user/@{uid}/systemd/notify rw,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 177d3bb8e..7f82aaa45 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -10,8 +10,7 @@ include @{exec_path} = /{usr/,}bin/xrdb profile xrdb @{exec_path} { include - - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + include @{exec_path} mr,
@@ -21,8 +20,6 @@ profile xrdb @{exec_path} { /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /usr/include/stdc-predef.h r, - owner @{HOME}/.Xauthority r, - /etc/X11/Xresources/x11-common r, # The location of the .Xresources file
@@ -35,8 +32,6 @@ profile xrdb @{exec_path} { owner /tmp/xauth-[0-9]*-_[0-9] r, owner /tmp/kcminit.* r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index bb3dabec6..40a7fce96 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -17,6 +17,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream,
@@ -118,8 +119,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/applications/mimeinfo.cache r, owner @{user_share_dirs}/session_migration-ubuntu r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, - owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, owner @{run}/user/@{uid}/systemd/notify w,
@@ -129,8 +128,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, - /tmp/.ICE-unix/[0-9]* rw, - @{sys}/devices/**/{vendor,device} r, owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 3633a2103..70e85dbf8 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -25,6 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, capability sys_ptrace,
@@ -40,7 +41,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
@@ -118,7 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/ubuntu/applications/{,*.desktop} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, - /usr/share/xsessions/{,*.desktop} r, /.flatpak-info r, /etc/fstab r,
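Review bot: The file rule `/tmp/.ICE-unix/[0-9]* rw,` dropped in the gnome-session-binary -129 hunk has no counterpart in the new abstraction, which only adds a unix-socket rule for the abstract address `@/tmp/.ICE-unix/[0-9]*` and a file rule for `/tmp/.X11-unix/*`. If gnome-session-binary reaches the ICE socket through its filesystem path, this hunk removes access that the include does not restore; either keep the line in the profile or add `/tmp/.ICE-unix/* rw,` beside the X11 file rule in the abstraction. The abstraction's unix rule also grants only connect/receive/send, so a profile that listens on that address rather than connecting to it would still need its own bind/listen rule — worth confirming which role gnome-session-binary plays here.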
@@ -170,8 +169,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
@@ -185,7 +182,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner /tmp/.X[0-9]-lock rw, owner /tmp/[0-9A-Z]*.shell-extension.zip rw, owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, - /tmp/.X11-unix/X[0-9] rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat[0-9]* r,