felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update gnome profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-09-11 23:04:36 +02:00
parent 394dc54ceb
commit f69a7e7213
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
32 changed files with 153 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter
View file

@ -11,6 +11,8 @@
abi <abi/4.0>,
unix type=stream peer=(label=gnome-keyring-daemon),
dbus send bus=session path=/org/gnome/keyring/Prompter
interface=org.gnome.keyring.internal.Prompter
member={BeginPrompting,PerformPrompt,StopPrompting}

2
apparmor.d/groups/gnome/evolution-addressbook-factory
View file

@ -27,7 +27,9 @@ profile evolution-addressbook-factory @{exec_path} {
network netlink raw,
#aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int}
#aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor
#aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory
#aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView
dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
interface=org.gnome.evolution.dataserver.*

1
apparmor.d/groups/gnome/evolution-calendar-factory
View file

@ -12,6 +12,7 @@ profile evolution-calendar-factory @{exec_path} {
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.gtk.vfs.Metadata>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write>
include <abstractions/gschemas>

17
apparmor.d/groups/gnome/gdm
View file

@ -17,6 +17,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
@ -54,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
/usr/share/wayland-sessions/*.desktop r,
/usr/share/xsessions/*.desktop r,
/etc/.pwd.lock rwk,
/etc/default/locale r,
/etc/gdm{3,}/custom.conf r,
/etc/gdm{3,}/daemon.conf r,
@ -66,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
/var/log/gdm{3,}/ rw,
owner @{GDM_HOME}/block-initial-setup rw,
@{GDM_HOME}/ rw,
@{GDM_HOME}/** rw,
@{run}/gdm{,3}/ rw,
owner @{run}/gdm{,3}.pid rw,
owner @{run}/gdm{,3}/dbus/ rw,
owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw,
@{run}/gdm{3,}/greeter/ rw,
@{run}/systemd/seats/seat@{int} r,
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,
owner @{run}/gdm{3,}.pid rw,
owner @{run}/gdm{3,}/ rw,
owner @{run}/gdm{3,}/custom.conf r,
owner @{run}/gdm{3,}/dbus/ w,
owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
owner @{run}/gdm{3,}/gdm.pid rw,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)

3
apparmor.d/groups/gnome/gdm-generate-config
View file

@ -44,8 +44,9 @@ profile gdm-generate-config @{exec_path} {
@{PROC}/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/status r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/status r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
profile pgrep {

2
apparmor.d/groups/gnome/gio-launch-desktop
View file

@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
@{bin}/gnome-terminal rPUx,
@{lib}/gio-launch-desktop rix,
@{lib}/*/** rPx,
@{lib}/* rPx,
owner @{HOME}/{,**} rw,

2
apparmor.d/groups/gnome/gnome-calculator
View file

@ -20,6 +20,8 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) {
network inet6 stream,
network netlink raw,
#aa:dbus own bus=session name=org.gnome.Calculator
@{exec_path} mr,
@{open_path} rPx -> child-open-help,

15
apparmor.d/groups/gnome/gnome-calendar
View file

@ -24,20 +24,19 @@ profile gnome-calendar @{exec_path} {
#aa:dbus own bus=session name=org.gnome.Calendar
#aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry
#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory
#aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
#aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell
#aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=:*, label=evolution-source-registry),
@{exec_path} mr,
@{open_path} rPx -> child-open-help,

9
apparmor.d/groups/gnome/gnome-control-center
View file

@ -41,10 +41,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.gnome.Settings
#aa:dbus own bus=session name=org.bluez.obex.Agent1
#aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd
#aa:dbus talk bus=session name=org.bluez.obex label=obexd
#aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
#aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
#aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}"
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*"
#aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
@ -53,6 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
#aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}"
#aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
#aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
#aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
#aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
@ -63,6 +65,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
#aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
dbus send bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=@{busname}, label=NetworkManager),
@{exec_path} mr,
@{bin}/@{shells} rUx,

7
apparmor.d/groups/gnome/gnome-disk-image-mounter
View file

@ -9,10 +9,17 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-disk-image-mounter
profile gnome-disk-image-mounter @{exec_path} {
include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/gnome-strict>
#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
@{exec_path} mr,
# Allow to mount user files

4
apparmor.d/groups/gnome/gnome-extension-ding
View file

@ -58,8 +58,8 @@ profile gnome-extension-ding @{exec_path} {
@{share_dirs}/{,**} r,
/usr/share/thumbnailers/{,*.thumbnailer} r,
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{user_desktop_dirs}/ r,
owner @{user_templates_dirs}/ r,
owner @{user_share_dirs}/nautilus/scripts/ r,

1
apparmor.d/groups/gnome/gnome-extension-gsconnect
View file

@ -75,6 +75,7 @@ profile gnome-extension-gsconnect @{exec_path} {
owner @{run}/user/@{uid}/gsconnect/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/keyring/ssh rw,
@{sys}/devices/virtual/dmi/id/chassis_type r,

9
apparmor.d/groups/gnome/gnome-keyring-daemon
View file

@ -19,12 +19,15 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
capability ipc_lock,
signal (receive) set=(term) peer=gdm,
signal (send) set=(term) peer=ssh-agent,
signal receive set=(term) peer=gdm,
signal send set=(term) peer=ssh-agent,
unix type=stream peer=(label=snap.*),
#aa:dbus own bus=session name=org.gnome.keyring
#aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s}
#aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret
#aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop
#aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable

10
apparmor.d/groups/gnome/gnome-session
View file

@ -16,6 +16,14 @@ profile gnome-session @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/shells>
signal receive set=term peer=gdm,
signal receive set=term peer=gdm-session,
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mrix,
@{shells_path} rix,
@ -64,6 +72,8 @@ profile gnome-session @{exec_path} {
owner @{HOME}/ r,
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,

44
apparmor.d/groups/gnome/gnome-shell
View file

@ -24,13 +24,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/bus/org.freedesktop.GeoClue2>
include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
include <abstractions/bus/org.freedesktop.locale1>
include <abstractions/bus/org.freedesktop.login1.Session>
include <abstractions/bus/org.freedesktop.PackageKit>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/bus/org.freedesktop.secrets>
include <abstractions/bus/org.freedesktop.systemd1>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/bus/org.gnome.keyring.internal.Prompter>
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
include <abstractions/camera>
include <abstractions/dconf-write>
@ -72,6 +72,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
#aa:dbus own bus=session name=org.gnome.Shell
#aa:dbus own bus=session name=com.canonical.{U,u}nity
#aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu}
#aa:dbus own bus=session name=com.rastersoft.dingextension
#aa:dbus own bus=session name=org.ayatana.NotificationItem
#aa:dbus own bus=session name=org.freedesktop.a11y.Manager
@ -79,6 +80,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
#aa:dbus own bus=session name=org.gtk.MountOperationHandler
#aa:dbus own bus=session name=org.gtk.Notifications
#aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher
#aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting
# Talk with gnome-shell
@ -87,32 +89,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
#aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}"
#aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
#aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
#aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs
#aa:dbus talk bus=session name=org.gnome.* label=gnome-*
#aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*"
#aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=*
#aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
#aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
# System bus
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.PolicyKit1.Authority
member=RegisterAuthenticationAgent
peer=(name=:*, label="@{p_polkitd}"),
dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
interface=org.freedesktop.PolicyKit1.AuthenticationAgent
member=BeginAuthentication
peer=(name=:*, label="@{p_polkitd}"),
dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
interface=org.freedesktop.NetworkManager.AgentManager
member={RegisterWithCapabilities,Unregister}
peer=(name=:*, label=NetworkManager),
# Session bus
@ -156,7 +145,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
dbus send bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=:*),
peer=(name=@{busname}),
dbus send bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
@ -181,8 +170,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sh_path} rCx -> shell,
@{bin}/pkexec rCx -> pkexec,
@{lib}/gio-launch-desktop rCx -> open,
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
@{lib}/gio-launch-desktop rCx -> open,
@{python_path} rCx -> python,
@{user_share_dirs}/gnome-shell/extensions/*/** rPUx,
/usr/share/gnome-shell/extensions/*/** rPUx,
@ -278,15 +268,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w,
owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
owner @{user_cache_dirs}/gnome-boxes/*.png r,
owner @{user_cache_dirs}/gnome-photos/{,**} r,
owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
owner @{user_cache_dirs}/gnome-software/icons/{,**} r,
owner @{user_cache_dirs}/gsconnect/@{hex32} r,
owner @{user_cache_dirs}/libgweather/{,**} rw,
owner @{user_cache_dirs}/media-art/{,**} r,
owner @{user_cache_dirs}/vlc/**/*.jpg r,
owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
@{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
@ -337,7 +328,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sys}/class/net/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/gpu_busy_percent r,
@{sys}/devices/@{pci}/input@{int}/{properties,name} r,
@{sys}/devices/@{pci}/mem_info_vram_* r,
@{sys}/devices/@{pci}/net/*/statistics/collisions r,
@{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
@{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
@ -351,6 +344,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sys}/devices/**/power_supply/{,**} r,
@{sys}/devices/platform/**/input@{int}/{properties,name} r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/net/*/statistics/collisions r,
@{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
@{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
@ -431,6 +426,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include if exists <local/gnome-shell_pkexec>
}
profile python {
include <abstractions/base>
include <abstractions/python>
# /usr/share/gnome-shell/extensions/{,**}
include if exists <local/gnome-shell_python>
}
profile open flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/mesa>

1
apparmor.d/groups/gnome/gnome-software
View file

@ -45,6 +45,7 @@ profile gnome-software @{exec_path} {
@{bin}/baobab rPUx,
@{bin}/bwrap rPx -> flatpak-app,
@{bin}/fusermount{,3} rCx -> fusermount,
@{bin}/gnome-control-center rPx,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,

1
apparmor.d/groups/gnome/gnome-text-editor
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile gnome-text-editor @{exec_path} {
include <abstractions/base>
include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/common/gnome>
include <abstractions/enchant>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/gnome/gsd-housekeeping
View file

@ -11,9 +11,9 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/bus-session>
include <abstractions/bus/session/org.freedesktop.systemd1>
include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/bus/session/org.freedesktop.systemd1>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>

10
apparmor.d/groups/gnome/gsd-power
View file

@ -40,16 +40,22 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power
#aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
#aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell
dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
interface=org.freedesktop.UPower.KbdBacklight
member=GetBrightness
peer=(name=:*, label="@{p_upowerd}"),
peer=(name=@{busname}, label="@{p_upowerd}"),
dbus receive bus=session path=/org/gtk/Settings
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*, label=gsd-xsettings),
peer=(name=@{busname}, label=gsd-xsettings),
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=Suspend
peer=(name=@{busname}, label="@{p_systemd_logind}"),
@{exec_path} mr,

2
apparmor.d/groups/gnome/gsd-print-notifications
View file

@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
dbus receive bus=system path=/org/cups/cupsd/Notifier
interface=org.cups.cupsd.Notifier
member={ServerStarted,PrinterDeleted,PrinterStopped}
member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded}
peer=(name=@{busname}, label=cups-notifier-dbus),
dbus receive bus=session

5
apparmor.d/groups/gnome/gsd-sharing
View file

@ -31,6 +31,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
member=Introspect
peer=(name=:*, label=gnome-shell),
dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3
interface=org.freedesktop.NetworkManager.VPN.Connection
member=VpnStateChanged
peer=(name=@{busname}, label=NetworkManager),
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,

5
apparmor.d/groups/gnome/gsd-usb-protection
View file

@ -16,6 +16,11 @@ profile gsd-usb-protection @{exec_path} {
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mr,
include if exists <local/gsd-usb-protection>

1
apparmor.d/groups/gnome/kgx
View file

@ -39,6 +39,7 @@ profile kgx @{exec_path} {
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/status r,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,

7
apparmor.d/groups/gnome/localsearch
View file

@ -47,6 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
/usr/share/osinfo/{,**} r,
/usr/share/poppler/{,**} r,
/etc/fstab r,
# Allow to search user files
owner @{HOME}/ r,
owner @{HOME}/{,**} r,
@ -57,6 +59,11 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/tracker3/files/ rw,
owner @{user_cache_dirs}/tracker3/files/** rwk,
owner @{GDM_HOME}/ r,
owner @{GDM_HOME}/*/ r,
owner @{gdm_cache_dirs}/tracker3/{,**} rwk,
owner @{gdm_config_dirs}/user-dirs.dirs r,
@{run}/mount/utab r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

1
apparmor.d/groups/gnome/mutter-x11-frames
View file

@ -29,6 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/greeter-dconf-defaults r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_cache_dirs}//fontconfig/ rw,
owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl,
owner @{gdm_config_dirs}/dconf/user r,

9
apparmor.d/groups/gnome/nautilus
View file

@ -66,6 +66,15 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
member=NameHasOwner
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus send bus=session
interface=org.freedesktop.Application
member=Open,
dbus send bus=session path=/org/gnome/Nautilus
interface=org.gtk.Application
member={CommandLine,DescribeAll}
peer=(name=org.gnome.Nautilus, label=nautilus),
@{exec_path} mr,
@{sh_path} rix,

9
apparmor.d/groups/gnome/papers
View file

@ -20,18 +20,27 @@ profile papers @{exec_path} flags=(attach_disconnected) {
#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026
interface=org.freedesktop.portal.Session
member=Close
peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
@{exec_path} mr,
@{open_path} Cx -> open,
/usr/share/poppler/{,**} r,
/etc/passwd r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw,
/tmp/ r,
/var/tmp/ r,
owner @{tmp}/.goutputstream-@{rand6} rw,
owner @{tmp}/papers-@{int}/{,**} rw,
owner @{tmp}/gtkprint_@{rand6} rw,

2
apparmor.d/groups/gnome/ptyxis
View file

@ -16,7 +16,7 @@ profile ptyxis @{exec_path} {
unix type=stream peer=(label=ptyxis-agent),
#aa:dbus own bus=session name=org.gnome.Ptyxis
#aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application
@{exec_path} mr,

11
apparmor.d/groups/gnome/ptyxis-agent
View file

@ -16,10 +16,12 @@ profile ptyxis-agent @{exec_path} {
include <abstractions/gschemas>
include <abstractions/nameservice-strict>
signal send set=hup peer=unconfined,
signal send set=hup peer=@{p_systemd},
ptrace read,
unix type=stream peer=(label=ptyxis),
@{exec_path} mr,
@{bin}/podman Px,
@ -42,8 +44,15 @@ profile ptyxis-agent @{exec_path} {
unix bind type=stream addr=@@{udbus}/bus/systemd-run/,
@{bin}/systemd-run mr,
# The shell is not confined on purpose.
@{bin}/@{shells} Ux,
# Some CLI program can be launched directly from Gnome Shell
@{bin}/htop Px,
@{bin}/micro PUx,
@{bin}/nvtop Px,
owner @{run}/user/@{uid}/systemd/private rw,
include if exists <local/ptyxis-agent_shell>

5
apparmor.d/groups/gnome/tracker-extract
View file

@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/camera>
include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/disks-read>
@ -20,6 +21,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
include <abstractions/gnome-strict>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/media-control>
include <abstractions/nameservice-strict>
network netlink raw,
@ -73,9 +75,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/media@{int} r,
/dev/video@{int} rw,
# file_inherit
owner /dev/tty@{int} rw,

4
apparmor.d/groups/gnome/tracker-miner
View file

@ -15,11 +15,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
include <abstractions/bus/org.gtk.vfs.Daemon>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/camera>
include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/disks-read>
include <abstractions/gnome-strict>
include <abstractions/gstreamer>
include <abstractions/media-control>
include <abstractions/nameservice-strict>
include <abstractions/sqlite>
@ -86,8 +88,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/media@{int} rw,
/dev/video@{int} rw,
owner /dev/tty@{int} rw,
include if exists <local/tracker-miner>

2
apparmor.d/tunables/multiarch.d/system-users
View file

@ -5,7 +5,7 @@
# Define some extra paths for some commonly used system user
# Full path of the GDM configuration directories
@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/
@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/
@{gdm_cache_dirs}=@{GDM_HOME}/.cache/
@{gdm_config_dirs}=@{GDM_HOME}/.config/
@{gdm_local_dirs}=@{GDM_HOME}/.local/