From 7497d2b1ae0f4c0b8f7abbbcd8aad16a3ba860f5 Mon Sep 17 00:00:00 2001
From: Daniel Richard G
Date: Tue, 25 Jul 2023 16:37:30 -0400
Subject: [PATCH] Add profile for Xorg (X server)
---
 profiles/apparmor.d/Xorg | 118 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 profiles/apparmor.d/Xorg
diff --git a/profiles/apparmor.d/Xorg b/profiles/apparmor.d/Xorg
new file mode 100644
index 000000000..51ad36f18
--- /dev/null
+++ b/profiles/apparmor.d/Xorg
@@ -0,0 +1,118 @@
+# vim:syntax=apparmor
+# Author: Daniel Richard G.
+
+# Related:
+# https://bugs.launchpad.net/bugs/1292324
+# https://github.com/canonical/lightdm/issues/18
+
+abi ,
+
+include
+
+# Note: attach_disconnected appears necessary in rootless mode
+profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability dac_override,
+ capability ipc_owner,
+ capability perfmon,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_nice,
+ capability sys_rawio,
+
+ network netlink raw,
+
+ signal (receive) set=(hup, term),
+ signal (send) set=(usr1),
+
+ unix (accept, bind, listen, receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member=GetSessionByPID
+ peer=(name=org.freedesktop.login1),
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/login1/session/*
+ interface=org.freedesktop.login1.Session
+ member={PauseDeviceComplete,ReleaseControl,ReleaseDevice,TakeControl,TakeDevice}
+ peer=(name=org.freedesktop.login1),
+
+ dbus (receive)
+ bus=system
+ path=/org/freedesktop/login1/session/*
+ interface=org.freedesktop.login1.Session
+ member=PauseDevice,
+
+ /{,usr/}bin/{bash,dash,sh} ix,
+ /usr/bin/xkbcomp ix,
+
+ @{PROC}/cmdline r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/ioports r,
+ @{PROC}/mtrr rw,
+
+ @{sys}/**/ r,
+ @{sys}/devices/** r,
+ @{sys}/module/** r,
+
+ @{sys}/devices/pci*/**/backlight/*/brightness rw,
+
+ # Display managers
+ @{run}/user/@{uid}/gdm/* r,
+ @{run}/lightdm/** r,
+ @{run}/lxdm/* r,
+ @{run}/sddm/* r,
+ @{run}/slim.auth r,
+ /var/lib/wdm/** r,
+ /var/lib/xdm/** r,
+
+ @{run}/nvidia-xdriver-* rw, # TODO: double-check
+ @{run}/udev/data/** r,
+
+ /dev/dri/card[0-9]* r,
+ /dev/fb0 rw,
+ /dev/input/event* rw,
+ /dev/tty[0-9]* rw,
+ /dev/vga_arbiter rw,
+
+ /etc/X11/** r,
+
+ owner /tmp/.tX[0-9]*-lock w,
+ owner /tmp/.X[0-9]*-lock wl,
+ owner /tmp/serverauth.* r, # startx(1)
+ owner /tmp/server-[0-9]*.xkm rw,
+
+ /usr/lib/xorg/modules/ r,
+ /usr/lib/xorg/modules/** mr,
+ /usr/share/** r,
+
+ owner /var/lib/xkb/** rw,
+ owner /var/log/Xorg.pid-[1-9]*.log rw,
+ owner /var/log/Xorg.[0-9]*.log{,.old} rw,
+
+ # Rootless mode (gdm3, startx)
+ owner @{HOME}/.local/ w,
+ owner @{HOME}/.local/share/ w,
+ owner @{HOME}/.local/share/xorg/ w,
+ owner @{HOME}/.local/share/xorg/Xorg.pid-[1-9]*.log rw,
+ owner @{HOME}/.local/share/xorg/Xorg.[0-9]*.log{,.old} rw,
+ owner /var/lib/gdm*/.cache/mesa_shader_cache/ rw,
+ owner /var/lib/gdm*/.cache/mesa_shader_cache/** rwk,
+ owner /var/lib/gdm*/.local/share/xorg/Xorg.pid-[1-9]*.log rw,
+ owner /var/lib/gdm*/.local/share/xorg/Xorg.[0-9]*.log{,.old} rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
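Review bot: The `dbus (receive)` rule for `member=PauseDevice` carries no `peer=` restriction, unlike the two `dbus (send)` rules directly above it, which pin the peer to `org.freedesktop.login1`; as written, the profile does not object to a PauseDevice signal arriving from any other bus connection that is allowed to emit signals on the system bus. If receive-side name matching resolves logind's well-known name here (worth confirming against the dbus mediation docs), add `peer=(name=org.freedesktop.login1),` after the `member=PauseDevice` line; otherwise a `peer=(label=...)` match against logind's profile, where it has one, gives the same effect. The capability block grants `sys_admin`, `sys_rawio` and `dac_override` without a comment on what the server needs each for, and `@{run}/nvidia-xdriver-* rw` still carries its `# TODO: double-check`; a one-line why-comment per capability (e.g. `# sys_rawio: legacy I/O port access by the server -- confirm which drivers need it`) would let a later reviewer tighten the set. Since `complain` is in the profile's flags, none of these rules are enforced yet, so the header comment should state that the flag is provisional and what must be verified before it is dropped.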