feat(profiles): add the X-strict abstraction.

apparmor.d/abstractions/X-strict

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  # The unix socket to use to connect to the display
+  unix (connect, receive, send)
+       type=stream
+       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+  unix (connect, receive, send)
+       type=stream
+       peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+  /tmp/.X11-unix/* rw,
+
+  # Available Xsessions
+  /usr/share/xsessions/{,*.desktop} r,
+
+  # ICEauthority files required for X authentication, per user
+  owner @{HOME}/.ICEauthority r,
+  owner @{run}/user/@{uid}/ICEauthority r,
+
+  # Xauthority files required for X connections, per user
+  owner @{HOME}/.Xauthority r,
+  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
+  owner @{run}/user/@{uid}/X11/Xauthority r,
+  owner @{run}/user/@{uid}/xauth_* r,
+
+  # Xwayland
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+
+  include if exists <abstractions/X-strict.d>

apparmor.d/groups/freedesktop/pulseaudio

@@ -20,14 +20,12 @@ profile pulseaudio @{exec_path} {
   include <abstractions/gstreamer>
   include <abstractions/hosts_access>
   include <abstractions/nameservice-strict>
+  include <abstractions/X-strict>
 
   ptrace (trace) peer=@{profile_name},
 
   signal (receive) peer=pacmd,
 
-  unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
-  unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
-
   network inet stream,
   network inet6 stream,
   network netlink raw,
@@ -120,9 +118,6 @@ profile pulseaudio @{exec_path} {
   owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
 
   owner @{run}/user/@{uid}/ rw,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
-  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
-  owner @{run}/user/@{uid}/ICEauthority r,
   owner @{run}/user/@{uid}/pulse/{,*} rw,
   owner @{run}/user/@{uid}/pulse/*.lock k,
   owner @{run}/user/@{uid}/systemd/notify rw,

apparmor.d/groups/freedesktop/xrdb

@@ -10,8 +10,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/xrdb
 profile xrdb @{exec_path} {
   include <abstractions/base>
-
+  include <abstractions/X-strict>
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
 
   @{exec_path} mr,
 
@@ -21,8 +20,6 @@ profile xrdb @{exec_path} {
   /{usr/,}lib/llvm-[0-9]*/bin/clang       rix,
   /usr/include/stdc-predef.h r,
 
-  owner @{HOME}/.Xauthority r,
-
   /etc/X11/Xresources/x11-common r,
 
   # The location of the .Xresources file
@@ -35,8 +32,6 @@ profile xrdb @{exec_path} {
   owner /tmp/xauth-[0-9]*-_[0-9] r,
   owner /tmp/kcminit.* r,
 
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
-
   # file_inherit
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,

apparmor.d/groups/gnome/gnome-session-binary

@@ -17,6 +17,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gtk>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/X-strict>
 
   network inet stream,
   network inet6 stream,
@@ -118,8 +119,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/applications/mimeinfo.cache r,
   owner @{user_share_dirs}/session_migration-ubuntu r,
 
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
   owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
   owner @{run}/user/@{uid}/systemd/notify w,
@@ -129,8 +128,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/sessions/*.ref rw,
         @{run}/systemd/users/@{uid} r,
 
-  /tmp/.ICE-unix/[0-9]* rw,
-
   @{sys}/devices/**/{vendor,device} r,
 
   owner @{PROC}/@{pid}/loginuid r,

apparmor.d/groups/gnome/gnome-shell

@@ -25,6 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/vulkan>
+  include <abstractions/X-strict>
 
   capability sys_nice,
   capability sys_ptrace,
@@ -40,7 +41,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=(term, hup) peer=gdm*,
   signal (send),
  
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
   unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
 
   dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]/session/_[0-9]*
@@ -118,7 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /usr/share/ubuntu/applications/{,*.desktop} r,
   /usr/share/wayland-sessions/{,*.desktop} r,
   /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
-  /usr/share/xsessions/{,*.desktop} r,
 
   /.flatpak-info r,
   /etc/fstab r,
@@ -170,8 +169,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/media-art/{,**} r,
   owner @{user_cache_dirs}/vlc/**/*.jpg r,
 
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
   owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
   owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
@@ -185,7 +182,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner /tmp/.X[0-9]-lock rw,
   owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
   owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
-        /tmp/.X11-unix/X[0-9] rw,
 
   @{run}/systemd/users/@{uid} r,
   @{run}/systemd/seats/seat[0-9]* r,