# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only

# Confinement profile for the GDM session worker binary. It grants a set of
# capabilities, signal and netlink rules, transitions into the session
# launchers' own profiles, and access to login-accounting files.

# NOTE(review): the <...> argument of this abi rule is missing from this copy
# of the file (apparently lost in extraction); restore it from the upstream
# profile before loading.
abi ,

# NOTE(review): include target missing here as well -- same loss as above.
include

# Matches the binary under both /lib and /usr/lib.
@{exec_path} = /{usr/,}lib/gdm-session-worker
# attach_disconnected: paths that are disconnected from the mount namespace are
# attached to the root for matching instead of being refused.
profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  # NOTE(review): the three include targets below are missing from this copy.
  # They carry part of the effective policy, so the rule set visible here is
  # not the full grant.
  include
  include
  include

  # Capabilities granted to the worker. dac_override and dac_read_search bypass
  # file permission checks, and setuid/setgid allow identity changes; anything
  # executed with `ix` further down runs under this same profile and keeps all
  # of them.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_nice,
  capability sys_tty_config,

  # Signals: TERM may be received from the gdm profile; HUP may be sent to the
  # listed session components and TERM to gdm-wayland-session. `peer=` matches
  # the confining profile name, so the globs (gnome-*, gsd-*, ...) cover every
  # profile whose name starts with that prefix.
  signal (receive) set=term peer=gdm,
  signal (send) set=hup peer=at-spi*,
  signal (send) set=hup peer=dbus-daemon,
  signal (send) set=hup peer=gjs-console,
  signal (send) set=hup peer=gnome-*,
  signal (send) set=hup peer=gsd-*,
  signal (send) set=hup peer=ibus-*,
  signal (send) set=hup peer=xwayland,
  signal (send) set=term peer=gdm-wayland-session,

  # Raw netlink sockets.
  network netlink raw,

  # m = executable mmap, r = read, ix = execute while staying in this profile.
  @{exec_path} mrix,

  # rPx: read plus execute with a transition to the target's own profile and a
  # scrubbed environment. The exec is denied if no such profile is loaded, so
  # these children never run under the worker's capabilities.
  /{usr/,}bin/gnome-keyring-daemon rPx,
  /{usr/,}lib/gdm-wayland-session  rPx,
  /{usr/,}lib/gdm-x-session        rPx,

  # rix: these scripts run inside this profile and inherit every rule above,
  # capabilities included.
  # NOTE(review): their own file permissions are what keeps them from becoming
  # a privileged entry point -- confirm they are root-owned and not writable by
  # anyone else.
  /etc/gdm/{Pre,Post}Session/Default rix,

  # Read-only configuration.
  /etc/motd r,
  /etc/shells r,
  /etc/locale.conf r,
  /etc/environment r,
  /etc/gdm/custom.conf r,
  /etc/security/limits.d/{,*.conf} r,

  /usr/share/gdm/gdm.schemas r,
  /usr/share/wayland-sessions/*.desktop r,

  # Login accounting (k = file locking).
  # NOTE(review): `A-z` looks like a typo for `A-Z`. As written, the range also
  # spans the ASCII characters between `Z` and `a` ([ \ ] ^ _ `), so the class
  # is wider than "alphanumeric". Tightening it also stops matching names that
  # begin with `_`; if such accounts exist, list `_` explicitly.
  @{run}/faillock/[a-zA-z0-9]* rwk,
  @{run}/systemd/sessions/[0-9]*.ref rw,
  @{run}/systemd/users/@{uid} r,
  @{run}/utmp rwk,

  # `owner` limits each rule to files owned by the accessing process's user.
  # loginuid is writable here.
  # NOTE(review): presumably to stamp the audit login UID for the new session
  # (goes with capability audit_write) -- confirm.
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/uid_map r,
  owner @{PROC}/sys/kernel/random/boot_id r,

  # Terminal devices: /dev/tty and the numbered tty devices.
  /dev/tty rw,
  /dev/tty[0-9]* rw,

  # Optional include, read only when the target exists.
  # NOTE(review): the target is missing from this copy; restore it from the
  # upstream profile.
  include if exists
}