237 lines
7.1 KiB
Text
237 lines
7.1 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2018-2021 Mikhail Morfikov
|
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = @{bin}/sddm
|
|
profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|
include <abstractions/base>
|
|
include <abstractions/authentication>
|
|
include <abstractions/bus-session>
|
|
include <abstractions/bus-system>
|
|
include <abstractions/bus/org.freedesktop.login1>
|
|
include <abstractions/bus/org.freedesktop.UPower>
|
|
include <abstractions/fontconfig-cache-read>
|
|
include <abstractions/graphics>
|
|
include <abstractions/kde-strict>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/shells>
|
|
include <abstractions/wutmp>
|
|
|
|
capability audit_write,
|
|
capability chown,
|
|
capability dac_override,
|
|
capability dac_read_search,
|
|
capability fowner,
|
|
capability kill,
|
|
capability net_admin,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability sys_resource,
|
|
capability sys_tty_config,
|
|
|
|
network netlink raw,
|
|
|
|
ptrace (read),
|
|
ptrace (trace) peer=@{profile_name},
|
|
|
|
signal (receive) set=(hup) peer=@{p_systemd},
|
|
signal (send) set=(kill, term) peer=labwc,
|
|
signal (send) set=(kill, term) peer=lxqt-session,
|
|
signal (send) set=(kill, term) peer=startplasma,
|
|
signal (send) set=(kill, term) peer=xorg,
|
|
signal (send) set=(kill, term) peer=xsetroot,
|
|
signal (send) set=(term) peer=kwin_wayland,
|
|
signal (send) set=(term) peer=sddm-greeter,
|
|
signal (send) set=(term) peer=startplasma-wayland,
|
|
signal (send) set=(term) peer=startlxqtwayland,
|
|
|
|
dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
member=Introspect
|
|
peer=(name=:*, label=kscreenlocker-greet),
|
|
|
|
dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=PropertiesChanged
|
|
peer=(name=:*, label=systemd-logind),
|
|
|
|
dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
member=Introspect
|
|
peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet),
|
|
|
|
@{exec_path} mr,
|
|
|
|
@{lib}/@{multiarch}/sddm/sddm-helper rix,
|
|
@{lib}/plasma-dbus-run-session-if-needed rix,
|
|
@{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix,
|
|
@{lib}/{,sddm/}sddm-helper rix,
|
|
@{lib}/{,sddm/}sddm-helper-start-wayland rix,
|
|
@{lib}/{,sddm/}sddm-helper-start-x11user rix,
|
|
|
|
@{shells_path} rix,
|
|
@{bin}/cat rix,
|
|
@{bin}/checkproc rix,
|
|
@{bin}/disable-paste rix,
|
|
@{bin}/locale rix,
|
|
@{bin}/manpath rix,
|
|
@{bin}/mktemp rix,
|
|
@{bin}/pidof rix,
|
|
@{bin}/readlink rix,
|
|
@{bin}/realpath rix,
|
|
@{bin}/tr rix,
|
|
@{bin}/tty rix,
|
|
@{bin}/uname rix,
|
|
@{bin}/xdm r,
|
|
@{bin}/xmodmap rix,
|
|
|
|
@{bin}/dbus-run-session rPx -> dbus-session,
|
|
@{bin}/dbus-update-activation-environment rPx -> dbus-session,
|
|
@{bin}/flatpak rPx,
|
|
@{bin}/gnome-keyring-daemon rPx,
|
|
@{bin}/Hyprland rPx,
|
|
@{bin}/kwalletd{5,6} rPx,
|
|
@{bin}/kwin_wayland rPx,
|
|
@{bin}/labwc rPx,
|
|
@{bin}/sddm-greeter{,-qt6} rPx,
|
|
@{bin}/startlxqt rPx,
|
|
@{bin}/startlxqtwayland rPx,
|
|
@{bin}/startplasma-wayland rPx,
|
|
@{bin}/startplasma-x11 rPx,
|
|
@{bin}/sway rPUx,
|
|
@{bin}/systemctl rCx -> systemctl,
|
|
@{bin}/xauth rCx -> xauth,
|
|
@{bin}/Xorg rPx,
|
|
@{bin}/xrdb rPx,
|
|
@{bin}/xset rPx,
|
|
@{bin}/xsetroot rPx,
|
|
@{etc_ro}/sddm/wayland-session rPx,
|
|
@{etc_ro}/sddm/Xsession rPx,
|
|
@{etc_ro}/X11/xdm/Xsession rPx,
|
|
|
|
/usr/etc/X11/xdm/Xsetup rix,
|
|
/usr/share/sddm/scripts/wayland-session rix,
|
|
/usr/share/sddm/scripts/Xsession rix,
|
|
/usr/share/sddm/scripts/Xsetup rix,
|
|
/usr/share/sddm/scripts/Xstop rix,
|
|
|
|
/usr/share/plasma/desktoptheme/** r,
|
|
/usr/share/sddm/faces/.*.icon r,
|
|
/usr/share/sddm/themes/** r,
|
|
/usr/share/wayland-sessions/{,*.desktop} r,
|
|
/usr/share/xsessions/{,*.desktop} r,
|
|
/var/lib/AccountsService/icons/*.icon r,
|
|
|
|
/etc/X11/xinit/xinitrc.d/{,*} r,
|
|
|
|
@{etc_ro}/environment r,
|
|
@{etc_ro}/security/limits.d/{,*.conf} r,
|
|
@{etc_ro}/X11/Xmodmap r,
|
|
/etc/debuginfod/{,*} r,
|
|
/etc/manpath.config r,
|
|
/etc/default/locale r,
|
|
/etc/locale.conf r,
|
|
/etc/machine-id r,
|
|
/etc/sddm.conf r,
|
|
/etc/sddm.conf.d/{,*} r,
|
|
/etc/shells r,
|
|
/etc/sysconfig/console r,
|
|
/etc/sysconfig/displaymanager r,
|
|
/etc/sysconfig/language r,
|
|
/etc/sysconfig/mail r,
|
|
/etc/sysconfig/proxy r,
|
|
/etc/sysconfig/windowmanager r,
|
|
|
|
/ r,
|
|
|
|
/var/lib/lastlog/ r,
|
|
/var/lib/lastlog/* rwk,
|
|
|
|
/var/lib/wtmpdb/ r,
|
|
/var/lib/wtmpdb/* rwk,
|
|
|
|
@{SDDM_HOME}/state.conf rw,
|
|
owner @{SDDM_HOME}/** rw,
|
|
owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.jsc mrw,
|
|
owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.qmlc mrw,
|
|
|
|
owner @{HOME}/ r,
|
|
owner @{HOME}/.local/ w,
|
|
owner @{HOME}/.Xauthority rw,
|
|
|
|
owner @{user_config_dirs}/menus/{,**} r,
|
|
owner @{user_config_dirs}/startkderc r,
|
|
|
|
owner @{user_share_dirs}/kwalletd/ rw,
|
|
owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
|
|
owner @{user_share_dirs}/sddm/ w,
|
|
owner @{user_share_dirs}/sddm/wayland-session.log w,
|
|
owner @{user_share_dirs}/sddm/xorg-session.log w,
|
|
|
|
/tmp/sddm-* rw,
|
|
/tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
|
|
owner @{tmp}/.@{rand6}/{,s} rw,
|
|
owner @{tmp}/#@{int} rw,
|
|
owner @{tmp}/sddm-auth* rw,
|
|
|
|
@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
|
|
|
|
@{run}/faillock/@{user} rwk,
|
|
@{run}/sddm.pid rw,
|
|
@{run}/sddm/\{@{uuid}\} rw,
|
|
@{run}/sddm/#@{int} rw,
|
|
@{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
|
|
@{run}/user/@{uid}/xauth_@{rand6} rwl,
|
|
owner @{run}/sddm/ rw,
|
|
owner @{run}/user/@{uid}/ r,
|
|
owner @{run}/user/@{uid}/#@{int} rw,
|
|
owner @{run}/user/@{uid}/kwallet5.socket rw,
|
|
|
|
@{PROC}/ r,
|
|
@{PROC}/uptime r,
|
|
@{PROC}/@{pids}/cmdline r,
|
|
@{PROC}/@{pids}/stat r,
|
|
owner @{PROC}/@{pid}/loginuid rw,
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
owner @{PROC}/@{pid}/uid_map r,
|
|
owner @{PROC}/1/limits r,
|
|
|
|
/dev/tty@{int} rw,
|
|
/dev/tty rw,
|
|
|
|
profile systemctl {
|
|
include <abstractions/base>
|
|
include <abstractions/app/systemctl>
|
|
|
|
include if exists <local/sddm_systemctl>
|
|
}
|
|
|
|
profile xauth {
|
|
include <abstractions/base>
|
|
|
|
@{bin}/xauth mr,
|
|
|
|
owner @{HOME}/.Xauthority-c rw,
|
|
owner @{HOME}/.Xauthority-l rwl -> @{HOME}/.Xauthority-c,
|
|
owner @{HOME}/.Xauthority-n rw,
|
|
owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
|
|
|
|
owner @{user_share_dirs}/sddm/xorg-session.log w,
|
|
|
|
owner @{run}/sddm/\{@{uuid}\}-c rw,
|
|
owner @{run}/sddm/\{@{uuid}\}-l rwl -> @{run}/sddm/\{@{uuid}\}-c,
|
|
owner @{run}/sddm/\{@{uuid}\}-n rw,
|
|
owner @{run}/sddm/\{@{uuid}\} rwl -> @{run}/sddm/\{@{uuid}\}-n,
|
|
|
|
include if exists <local/sddm_xauth>
|
|
}
|
|
|
|
include if exists <local/sddm>
|
|
}
|
|
|
|
# vim:syntax=apparmor
|