diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 383360ad..4492c759 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index bb6e457f..7f5ecd10 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] @{exec_path} += @{lib}/polkit-agent-helper-[0-9] -profile polkit-agent-helper @{exec_path} { +profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 4ebb4851..2ca5d747 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -11,6 +11,7 @@ profile systemd-sleep-nvidia @{exec_path} { include include + capability perfmon, capability sys_admin, capability sys_tty_config, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index bff45ca3..4c370749 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -50,6 +50,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/oom_score_adj rw, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 7e901509..53c64daf 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -36,7 +36,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.inputrc r, owner @{HOME}/.terminfo/@{int}/dumb r, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 81c53aaf..56941f60 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -11,11 +11,9 @@ include profile font-manager @{exec_path} { include include + include include - include - include include - include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 45b2ccfb..aa95a00d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -58,7 +58,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/* r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 4ac89176..e2a9ae51 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{bin}/gsettings -profile gsettings @{exec_path} { +profile gsettings @{exec_path} flags=(attach_disconnected) { include + include include include @@ -22,8 +23,6 @@ profile gsettings @{exec_path} { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome deleted file mode 100644 index 3a1e504a..00000000 --- a/apparmor.d/profiles-g-l/jami-gnome +++ /dev/null @@ -1,61 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/jami-gnome -profile jami-gnome @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - - /usr/share/ring/{,**} r, - /usr/share/sounds/jami-gnome/{,**} r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/jami-gnome/ rw, - owner @{user_cache_dirs}/jami-gnome/** rw, - - owner @{user_share_dirs}/jami/ rw, - owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/, - - owner @{user_config_dirs}/autostart/jami-gnome.desktop w, - - owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, - - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/** r, - - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/smaps r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/zoneinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 4e64e5fb..c0aafeaf 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -26,9 +26,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /etc/passim.conf r, - /var/lib/passim/{,**} r, - /var/lib/passim/data/{,**} rw, - + owner /var/lib/passim/{,**} rw, owner /var/log/passim/* rw, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 2a7b6303..5da955cb 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -28,7 +28,7 @@ profile pidof @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - owner /dev/tty@{int} rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 1e674823..b2074ba0 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -21,15 +21,9 @@ profile sudo @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - ptrace (read), + ptrace read, - signal (send,receive) peer=cockpit-bridge, - signal (send) peer=@{p_systemd}, - signal (send) set=(cont,hup,winch) peer=su, - signal (send) set=(winch) peer=child-pager, - signal (send) set=(winch) peer=journalctl, - signal (send) set=(winch) peer=pacman, - signal (send) set=(winch, hup, term) peer=rpm, + signal send set=(winch, hup, term), @{bin}/@{shells} rUx, @{lib}/** PUx, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 9155adf8..909112a7 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -48,6 +48,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, + mount fstype=vfat -> /boot/efi/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, @@ -56,6 +58,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, + umount /boot/efi/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index bce23698..0a67b365 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -89,6 +89,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r,