From fb82d8d0d60f9c0bc7726c1084bbad3b1b2f26b2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 22 Aug 2025 18:27:22 +0200
Subject: [PATCH] feat(profile): small gnome related improvement.
---
 apparmor.d/groups/gnome/evolution-addressbook-factory | 8 ++++----
 apparmor.d/groups/gnome/gdm | 1 +
 apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 +
 apparmor.d/groups/gnome/gnome-software | 1 +
 apparmor.d/groups/gnome/gsd-print-notifications | 4 ++--
 apparmor.d/groups/gnome/papers | 4 ++++
 apparmor.d/groups/network/ModemManager | 1 +
 apparmor.d/groups/network/mullvad-daemon | 1 +
 8 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index 3d83232e1..98c94c79e 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -30,7 +30,7 @@ profile evolution-addressbook-factory @{exec_path} {
 dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.*
- peer=(name=:*),
+ peer=(name=@{busname}),
 dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.*
@@ -38,12 +38,12 @@ profile evolution-addressbook-factory @{exec_path} {
 dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties
- peer=(name=:*, label=evolution-*),
+ peer=(name=@{busname}, label=evolution-*),
 dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects
- peer=(name=:*, label=evolution-source-registry),
+ peer=(name=@{busname}, label=evolution-source-registry),
 dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties
@@ -53,7 +53,7 @@ profile evolution-addressbook-factory @{exec_path} {
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
 @{exec_path}-subprocess rix,
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index 435d055fa..4c84fe822 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -20,6 +20,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 capability fsetid,
 capability kill,
 capability net_admin,
+ capability sys_admin,
 capability sys_nice,
 capability sys_tty_config,
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
index 64568eab0..8887ce797 100644
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@@ -72,6 +72,7 @@ profile gnome-extension-gsconnect @{exec_path} {
 owner @{tmp}/.org.chromium.Chromium.@{rand6} r,
 owner @{run}/user/@{uid}/gsconnect/{,**} rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index c10261c02..7e817f490 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -37,6 +37,7 @@ profile gnome-software @{exec_path} {
 /usr/share/app-info/{,**} r,
 /usr/share/appdata/{,**} r,
+ /usr/share/byobu/desktop/{,**} r,
 /usr/share/flatpak/remotes.d/ r,
 /usr/share/metainfo/{,**} r,
 /usr/share/swcatalog/{,**} r,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index f8d4280a0..af5ff2f05 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
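Review bot: The new `capability sys_admin,` in the gdm hunk is added without any comment, and CAP_SYS_ADMIN is the broadest capability an AppArmor profile can grant, so the rule should record which operation from the audit log required it; the same applies to the identical line added to ModemManager in a later hunk. A comment such as `# TODO: note the denied operation (from the audit log) that needs sys_admin` directly above each rule would let a later reviewer re-check whether the grant is still needed. If the audit entry turns out to be a capability probe rather than a real need, a `deny capability sys_admin,` rule silences the log without widening confinement. The gdm and ModemManager profile bodies both continue outside their hunks.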
@@ -20,8 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 network inet stream,
 network inet6 stream,
- signal (receive) set=(term, hup) peer=gdm*,
- signal (send) set=(hup) peer=gsd-printer,
+ signal receive set=(term, hup) peer=gdm*,
+ signal send set=(hup) peer=gsd-printer,
 #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications
diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers
index 27000b93a..6f5a137a3 100644
--- a/apparmor.d/groups/gnome/papers
+++ b/apparmor.d/groups/gnome/papers
@@ -25,6 +25,10 @@ profile papers @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+ owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+ owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
+ owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw,
+ owner @{tmp}/.goutputstream-@{rand6} rw,
 owner @{tmp}/papers-@{int}/{,**} rw,
 owner @{tmp}/gtkprint_@{rand6} rw,
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 8220516bf..22b94effd 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -17,6 +17,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 include
 capability net_admin,
+ capability sys_admin,
 network qipcrtr dgram,
 network netlink raw,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index 735154b7e..d5c93fc5c 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -62,6 +62,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
 @{sys}/fs/cgroup/system.slice/cpu.max r,
 @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r,
+ @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,
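Review bot: The three `owner @{HOME}/.mozilla/firefox/*/...` rules in the papers hunk grant a document viewer that opens untrusted PDFs write and lock access to the Firefox NSS trust and key databases (`cert9.db`, `key4.db`, `pkcs11.txt`) in every Firefox profile, which is a wide grant for this program. If the NSS code path only needs to open the databases, `rwk` on the `.db` files should be reduced to `r` and the `.db-journal` and `pkcs11.txt` rules dropped or made read-only; if write access is genuinely required, a comment above the group should name the feature that needs it (presumably PDF signature handling through NSS — this is an inference, confirm from the denial). A narrower path than `firefox/*` is probably not possible since the profile directory name is random, so the permission set is the lever here. The papers profile body continues outside the hunk.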