search

roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0
453 stars 42 forks source link

Xwayland accesses `/dev/shm/wlroots` #517

Closed beroal closed 2 weeks ago

beroal commented 3 weeks ago

When I run an X11 application, xeyes, under Sway, I get the following log messages.

apparmor="DENIED" operation="file_inherit" class="file" profile="xeyes" name="/dev/pts/1"  comm="xeyes" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=1001 FSUID="user" OUID="user"
apparmor="DENIED" operation="file_receive" class="file" profile="xwayland" name="/dev/shm/wlroots-BgdaCM"  comm="Xwayland" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001 FSUID="user" OUID="user"

and the application complains

Error: Can't open display: :0

After I added

/dev/shm/wlroots-* r,

no log messages.

roddhjav commented 3 weeks ago

It seems that xwayland needs the wayland abstraction, it also probably clean up the profile a bit.