XFCE: Debian 12 / Xubuntu 24.04 #654
Thanks. The dbus addition is really useful, thanks. However, you will have to change all of them and to use a directive: instead of a |
@@ -36,6 +37,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { | |||
signal (send) set=(term) peer=xfce-session, | |||
signal (send) set=(term) peer=xorg, | |||
|
|||
unix (bind) type=stream addr="@@{hex}/bus/lightdm/system", |
Use @{udbus} instead of @{hex}
apparmor.d/groups/xfce/tumblerd
Outdated
include <abstractions/fontconfig-cache-read> | ||
include <abstractions/desktop> | ||
include <abstractions/bus-session> | ||
include <abstractions/fontconfig-cache-read> | ||
include <abstractions/desktop> | ||
include <abstractions/bus-session> |
You added these twice.
apparmor.d/groups/xfce/tumblerd
Outdated
dbus (bind) bus=session name=org.freedesktop.thumbnails.Cache1, | ||
dbus (bind) bus=session name=org.freedesktop.thumbnails.Manager1, | ||
dbus (bind) bus=session name=org.freedesktop.thumbnails.Thumbnailer1, |
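Review bot: the three `dbus (bind)` rules for `org.freedesktop.thumbnails.*` only let tumblerd own the names; this hunk shows no `send` or `receive` rules for them, so calls to the thumbnailer interfaces stay blocked unless they are granted elsewhere in the profile. Either add the matching message rules next to the binds or replace the three lines with a construct that covers ownership and messaging together.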
As an example of the dbus directive, these lines need to be:
#aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1
#aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1
#aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1
apparmor.d/groups/xfce/xfce-terminal
Outdated
@@ -28,14 +35,18 @@ profile xfce-terminal @{exec_path} { | |||
@{bin}/micro rPUx, | |||
@{bin}/nvtop rPx, | |||
|
|||
@{bin}/vim{,.basic} rPUx, |
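Review bot: on `@{bin}/vim{,.basic} rPUx,` the `U` fallback means vim runs unconfined whenever no vim profile is loaded, so each editor added this way is another unconfined exit from the terminal profile. If that is intended, keep it grouped with the existing `@{bin}/micro rPUx,` entry instead of after `nvtop`, so the set of fallback transitions can be audited in one place.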
In this context, you want: @{editor_path} rPUx,
apparmor.d/groups/xfce/xfdesktop
Outdated
@@ -9,15 +9,25 @@ include <tunables/global> | |||
@{exec_path} = @{bin}/xfdesktop | |||
profile xfdesktop @{exec_path} { | |||
include <abstractions/base> | |||
include <abstractions/desktop> |
<abstractions/desktop> is not needed here as there is already <abstractions/xfce>
apparmor.d/profiles-a-f/blueman
Outdated
@@ -61,6 +62,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { | |||
/dev/shm/ r, | |||
/dev/tty rw, | |||
|
|||
deny @{lib}/python3/dist-packages/blueman/__pycache__/** w, |
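Review bot: the `deny ... blueman/__pycache__/** w,` line is an explicit deny, which AppArmor does not log by default and which takes precedence over any allow rule for the same path. If the aim is only to block bytecode writes, leaving the path unlisted already denies them and keeps the denial visible in the audit log; as written, a later allow rule cannot relax it without removing this line.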
Don't deny this. It is usually required when python needs to recompile bytecode.
Also, use @{python_name} instead of python3 as some distributions have python3.x path structure.
@@ -29,6 +30,8 @@ profile system-config-printer-applet @{exec_path} { | |||
|
|||
/dev/tty rw, | |||
|
|||
deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w, |
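Review bot: the path in `deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w,` hard-codes the Debian-style `python3/dist-packages` layout, so on a system that installs modules under a different directory name the rule matches nothing and silently has no effect. If a rule for this cache directory stays, express the Python directory through a variable rather than a literal.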
Same here.
apparmor.d/profiles-s-z/xarchiver
Outdated
@@ -55,6 +55,7 @@ profile xarchiver @{exec_path} { | |||
/home/ r, | |||
#owner @{HOME}/ r, | |||
#owner @{HOME}/** rw, | |||
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl, |
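Review bot: `rwl` on `owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**}` grants hard-link creation (`l`) on top of read and write, and nothing in this hunk shows xarchiver needing it. Unless link denials were seen in the logs, `rw` is the narrower grant; the neighbouring commented-out `@{HOME}` rules only used `r` and `rw`.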
This should be useless. The profile already has user-download-strict
Non-exhaustive polishing.