Merge profiles: also confine Xorg.wrap in addition to Xorg

For now, also use a complain mode flag like with Xorg. However, it may be possible for complain mode to be dropped from both in the future, tightening confinement (especially since Xorg.wrap is setuid). A complain-mode profile can still be useful for Xorg.wrap by giving it a separate label. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1665 Approved-by: Maxime Bélair <maxime.belair@canonical.com> Merged-by: Ryan Lee <rlee287@yahoo.com>
2025-08-22 10:07:12 +00:00 · 2025-05-12 06:43:27 -07:00 · 2025-05-12 06:43:27 -07:00 · d0cf1bff72
commit d0cf1bff72
parent 6da9502774 08f7fe6905
1 changed files with 17 additions and 0 deletions
--- a/profiles/apparmor.d/Xorg
+++ b/profiles/apparmor.d/Xorg
@ -9,6 +9,23 @@ abi <abi/4.0>,

 include <tunables/global>

+profile Xorg_wrap /usr/lib/xorg/Xorg.wrap flags=(complain) {
+  include <abstractions/base>
+  # Broad directory rules here cover the Xorg wrapper config file too
+  # Included abstractions/dri-common includes dri device files
+  include <abstractions/X>
+
+  # Privileges dropped if root is not needed due to cards supporting kms
+  capability setuid,
+  capability setgid,
+
+  /usr/lib/xorg/Xorg.wrap mr,
+  /usr/lib/xorg/Xorg px,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/Xorg_wrap>
+}
+
 # Note: attach_disconnected appears necessary in rootless mode
 profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
  include <abstractions/base>