# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only

# NOTE(review): this copy was extracted with every angle-bracketed operand
# dropped, so the "abi" line, the "include" lines and the closing "include
# if exists" below have lost their <...> targets and will not parse as-is.
# Restore them from the upstream apparmor.d file before loading. Profiles in
# this collection follow the shape `abi <abi/VERSION>,`, `include
# <tunables/global>` before the header, `include <abstractions/NAME>` inside
# the profile body, and `include if exists <local/PROFILE-NAME>` as the last
# rule (exact targets: take them from upstream, do not guess).

abi ,

include

@{exec_path} = /{usr/,}bin/pulseaudio
profile pulseaudio @{exec_path} {
  # Seven abstraction includes; their <abstractions/...> targets were lost in
  # extraction (see the note at the top of the file).
  include
  include
  include
  include
  include
  include
  include

  # Tracing is limited to tasks confined by this same profile (the daemon's
  # own threads/children); it cannot ptrace arbitrary processes.
  ptrace (trace) peer=@{profile_name},

  # Only pacmd may signal the daemon.
  signal (receive) peer=pacmd,

  # Socket families granted. inet/inet6 stream is presumably the native
  # protocol over TCP, netlink raw presumably device hot-plug events (the
  # profile also reads @{run}/udev/data below) — confirm against the modules
  # actually loaded. Bluetooth stream/seqpacket cover BT audio transports.
  network inet stream,
  network inet6 stream,
  network netlink raw,
  network bluetooth stream,
  network bluetooth seqpacket,

  # The helpers run with "ix" (inherit), so they execute under this profile's
  # rules rather than transitioning to a profile of their own.
  @{exec_path} mrix,
  /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
  /{usr/,}lib{exec,}/pulse/gsettings-helper mrix,

  # PulseAudio files
  /usr/share/pulseaudio/{,**} r,
  # Loadable modules: map-executable (m) but read-only, so the module
  # directory is not writable from within the profile.
  /{usr/,}lib/pulse-*/modules/*.so mr,

  # PulseAudio home config files
  owner @{user_config_dirs}/pulse/{,**} rw,
  owner @{user_config_dirs}/dconf/user r,

  # Needed when PulseAudio is started via the start-pulseaudio-x11 script
  owner @{HOME}/.Xauthority r,

  # Needed when PulseAudio is started via gdm
  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,

  owner @{HOME}/.ICEauthority r,

  # TCP wrap
  /etc/hosts.{allow,deny} r,

  # "rw" on the runtime directory itself lets the daemon create pulse/
  # beneath it; the lock file gets "k" (file locking) in addition to rw.
  owner @{run}/user/@{uid}/ rw,
  owner @{run}/user/@{uid}/pulse/{,*} rw,
  owner @{run}/user/@{uid}/pulse/*.lock k,

  /usr/share/applications/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Sound-card discovery via sysfs and the udev database (c116:* = ALSA
  # character devices).
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/sound/ r,
  @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
  @{run}/udev/data/+sound* r,
  @{run}/udev/data/c116:[0-9]* r,

  # For ALSA
  @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]/meminfo r,

  # Explicit deny (rather than simply omitting the rule) also silences the
  # audit log entry for this probe of the AppArmor enabled flag.
  deny @{sys}/module/apparmor/parameters/enabled r,

  @{run}/systemd/users/@{uid} r,

  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/ICEauthority r,
  owner @{run}/user/@{uid}/systemd/notify rw,

  # Own-process only (owner): fd listing and stat, no access to other pids.
  owner @{PROC}/@{pids}/fd/ r,
  owner @{PROC}/@{pids}/stat r,

  # DBus
  # Session bus: name registration with the bus daemon; replies may come from
  # any unique connection name (:*).
  dbus (send) bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus),
  dbus (receive) bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,RequestName,ReleaseName}
       peer=(name=:*),
  # No peer= constraint: any session-bus client may introspect the daemon.
  dbus (receive) bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect,

  # Well-known names the daemon may own. The last one is a wildcard bind
  # (org.pulseaudio*), broader than the two fixed names above it.
  dbus (bind) bus=session name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
  dbus (bind) bus=session name=org.PulseAudio[0-9],
  dbus (bind) bus=session name=org.pulseaudio*,

  # System bus: match registration, RealtimeKit for real-time/high-priority
  # thread scheduling, and BlueZ object enumeration. The RealtimeKit rule
  # carries no interface= constraint, so the member list is its only filter.
  dbus (send) bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch}
       peer=(name=org.freedesktop.DBus),
  dbus (send) bus=system
       path=/org/freedesktop/RealtimeKit[0-9]
       member={Get,MakeThreadHighPriority,MakeThreadRealtime}
       peer=(name=org.freedesktop.RealtimeKit[0-9]),
  dbus (send) bus=system
       path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name=org.bluez),

  # Abstract unix sockets for the X11 and ICE session servers.
  unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
  unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),

  # The orcexec.* file is JIT compiled code for various GStreamer elements.
  # If one is blocked the next is used instead.
  # "mrw" on a single file is write + map-executable: this is the profile's
  # one W^X exception, confined to the per-user runtime directory. The HOME
  # and /tmp fallbacks are deliberately left commented out.
  owner @{run}/user/@{uid}/orcexec.* mrw,
  #owner @{HOME}/orcexec.* mrw,
  #owner /tmp/orcexec.* mrw,

  # For GDM
  owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw,
  owner /var/lib/gdm{[1-9],}/.config/pulse/cookie k,
  owner /var/lib/gdm{[1-9],}/.config/dconf/user r,

  # For SDDM
  owner /var/lib/sddm/.config/pulse/ rw,
  owner /var/lib/sddm/.config/pulse/*-{device,stream}-volumes.tdb rw,
  owner /var/lib/sddm/.config/pulse/*-default-{sink,source} rw,
  owner /var/lib/sddm/.config/pulse/*-card-database.tdb rw,
  owner /var/lib/sddm/.config/pulse/cookie rwk,

  # For lightdm
  owner /var/lib/lightdm/.config/pulse/{,**} rw,
  owner /var/lib/lightdm/.config/pulse/cookie k,

  # file_inherit
  # Descriptors inherited from the launching session (tty, session log).
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,

  # Snap
  /var/lib/snapd/desktop/applications/ r,
  /usr/{local/,}share/ubuntu/applications/{,*} r,

  # Site-local overrides; the <local/...> target was lost in extraction.
  include if exists
}