profiles: add a profile for notify-send

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-08-22 01:57:43 +00:00 · 2025-04-17 15:42:51 -07:00 · 2025-04-17 15:42:51 -07:00 · 7461536d52
commit 7461536d52
parent ccf1b25d3d
1 changed files with 21 additions and 0 deletions
--- a/profiles/apparmor.d/notify-send
+++ b/profiles/apparmor.d/notify-send
@ -0,0 +1,21 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile notify-send /usr/bin/notify-send {
+    include <abstractions/base>
+    include <abstractions/dbus-session-strict>
+
+    /usr/bin/notify-send mr,
+
+    # No idea why notify-send wants cgroup info but it works fine without it
+    deny /proc/@{pid}/cgroup r,
+    
+    dbus (send)
+        bus=session
+        path=/org/freedesktop/Notifications
+        interface=org.freedesktop.Notifications
+        member={GetServerInformation,Notify},
+
+    include if exists <local/notify-send>
+}