diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
index d32be93d..4730f239 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@@ -2,6 +2,11 @@
 # Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ dbus send bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=org.freedesktop.systemd1),
+
 dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll}
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index aa7ee2fb..67e9b189 100644
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@@ -11,6 +11,7 @@
 include
 include
+ /usr/share/hwdata/*.ids r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
 owner @{HOME}/.local/ rw,
diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo
index d0a492e2..dce3160a 100644
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
@@ -56,6 +56,8 @@ profile default-sudo @{exec_path} {
 /etc/sudoers r,
 /etc/sudoers.d/{,*} r,
+ / r,
+ /var/db/sudo/lectured/ r,
 /var/lib/extrausers/shadow r,
 /var/lib/sudo/lectured/ r,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 5568a806..19696bdb 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -18,6 +18,7 @@ include
 @{exec_path} = @{lib}/systemd/systemd
 profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord
index c966d179..f9102114 100644
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
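Review bot: The added `dbus send` rule at the top of the systemd1-session hunk is a strict subset of the existing rule that follows it, which has the same path, interface and members but no `peer=` constraint visible in the hunk, so the new rule grants nothing the abstraction did not already allow. If the intent was to restrict the existing rule to `org.freedesktop.systemd1`, the unconstrained rule should be removed or given the same peer; if the existing rule carries a different `peer=` on a line past the hunk, a short comment stating why both are kept would help. The remainder of the existing rule lies outside the hunk.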
@@ -90,7 +90,7 @@ profile discord @{exec_path} {
 /etc/fstab r,
 deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
- deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
+ deny @{sys}/devices/virtual/tty/tty@{int}/active r,
 # To remove the following error:
 # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
 @{sys}/devices/@{pci}/irq r,
diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube
index f5a1d874..6e97257b 100644
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@@ -70,7 +70,7 @@ profile freetube @{exec_path} {
 owner @{user_share_dirs} r,
- deny @{sys}/devices/virtual/tty/tty0/active r,
+ deny @{sys}/devices/virtual/tty/tty@{int}/active r,
 deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
 # To remove the following error:
 # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop
index 441ffa35..a090900f 100644
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@@ -62,7 +62,7 @@ profile signal-desktop @{exec_path} {
 @{sys}/devices/@{pci}/{irq,vendor,device} r,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
- @{sys}/devices/virtual/tty/tty[0-9]/active r,
+ @{sys}/devices/virtual/tty/tty@{int}/active r,
 @{sys}/fs/cgroup/** r,
 @{PROC}/ r,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 92b145df..6b338c95 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -53,8 +53,9 @@ profile plymouthd @{exec_path} {
 @{sys}/firmware/acpi/bgrt/{,*} r,
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
- @{PROC}/cmdline r,
 @{PROC}/1/cmdline r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/printk r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 27a77f8b..4d5a416d 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -51,6 +51,7 @@ profile xrdb @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 /dev/tty rw,
+ /dev/tty@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index 01d94fd2..46fc85a2 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -85,7 +85,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/uevent r,
 @{sys}/devices/@{pci}/boot_vga r,
- @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+ @{sys}/devices/virtual/tty/tty@{int}/active r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 729e9fbb..b8cf47cc 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -59,7 +59,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/pci/devices/ r,
 @{sys}/devices/@{pci}/{vendor,device,class,config,resource,irq} r,
 @{sys}/devices/system/cpu/** r,
- @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+ @{sys}/devices/virtual/tty/tty@{int}/active r,
 @{PROC}/ r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
index 8f392b83..88cef42e 100644
--- a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
+++ b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak
@@ -13,7 +13,8 @@ profile systemd-generator-environment-flatpak @{exec_path} {
 @{exec_path} mr,
- @{bin}/flatpak rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/flatpak rix,
 /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r,
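Review bot: `/dev/tty@{int} rw,` in the xrdb hunk grants read/write on every virtual console rather than only the one the invoking session owns; since xrdb is a per-user X utility, an `owner` qualifier (`owner /dev/tty@{int} rw,`) would limit the rule to consoles owned by the caller while still covering the usual case where the session's VT is typically handed to the logged-in user. If the access that motivated the rule is to a root-owned VT (a display-manager session script, presumably), a comment naming that caller would justify the wider rule. The hunk reaches the closing brace, so the whole tail of the profile is visible.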
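Review bot: `@{bin}/{,ba,da}sh rix,` in the systemd-generator-environment-flatpak hunk runs a shell inside the generator's profile, so whatever script or command string the shell is handed inherits the profile's full permissions, including the `@{bin}/flatpak rix,` that follows it. A comment naming what execs the shell (presumably `flatpak` being a shell wrapper on some distributions, or the generator itself being a script) would let a later reader judge whether inheriting is the right transition here; if the shell is only needed for such a wrapper, a transition to a narrower child profile would keep the generator's own permissions from applying to arbitrary script content. The profile continues past the hunk.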
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 26096133..ba689218 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -99,7 +99,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/class/power_supply/ r,
 @{sys}/devices/** r,
 @{sys}/devices/**/brightness rw,
- @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+ @{sys}/devices/virtual/tty/tty@{int}/active r,
 @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 1501f56e..d4bada41 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -21,9 +21,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/oomd.conf r,
- owner @{run}/systemd/journal/socket w,
 @{run}/systemd/io.system.ManagedOOM rw,
 @{run}/systemd/notify rw,
+ owner @{run}/systemd/journal/socket w,
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/memory.pressure r,
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index d8c217c0..968e96aa 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -12,12 +12,14 @@ profile systemd-tty-ask-password-agent @{exec_path} {
 include
 include
- audit capability net_admin,
+ capability dac_override,
+ capability net_admin,
+ capability sys_resource,
 signal (receive) set=(term cont) peer=default,
 signal (receive) set=(term cont) peer=logrotate,
- @{exec_path} mr,
+ @{exec_path} mrix,
 @{run}/systemd/ask-password-block/{,*} rw,
 @{run}/systemd/ask-password/{,*} rw,
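Review bot: `capability dac_override,` in the systemd-tty-ask-password-agent hunk is added alongside the change from `audit capability net_admin,` to plain `capability net_admin,`, and neither line says which access required it; dac_override lets the agent bypass mode bits on every path the profile already allows, and dropping `audit` stops logging use of net_admin. A why-comment on each new capability line (for example `# to open a user-owned /dev/tty@{int}`, if that is the observed denial) would make the grant reviewable, and if net_admin was audited deliberately the `audit` keyword should be kept. `@{exec_path} mrix,` additionally lets the agent execute its own binary under the same profile; a comment naming the case that needs it would help as well. The profile continues past the hunk, and its second hunk adds the console and `/dev/tty@{int}` accesses these capabilities presumably relate to.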
@@ -25,6 +27,9 @@ profile systemd-tty-ask-password-agent @{exec_path} {
 @{PROC}/@{pids}/stat r,
+ @{sys}/devices/virtual/tty/console/active r,
+ @{sys}/devices/virtual/tty/tty@{int}/active r,
+ /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 90029673..de7c877c 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -49,6 +49,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{bin}/less rPx -> child-pager,
 @{bin}/ln rix,
 @{bin}/logger rix,
+ @{bin}/ls rix,
 @{bin}/lvm rPx,
 @{bin}/mknod rPx,
 @{bin}/more rPx -> child-pager,
@@ -58,13 +59,16 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{bin}/pager rPx -> child-pager,
 @{bin}/perl rix,
 @{bin}/readlink rix,
+ @{bin}/rm rix,
 @{bin}/sed rix,
 @{bin}/setfacl rix,
 @{bin}/sg_inq rix,
 @{bin}/snap rPUx,
 @{bin}/systemctl rCx -> systemctl,
+ @{bin}/systemd-run rix,
 @{bin}/touch rix,
 @{bin}/unshare rix,
+ @{bin}/wc rix,
 @{lib}/crda/* rPUx,
 @{lib}/gdm-runtime-config rPx,
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop
index e2c2b23b..c650fed4 100644
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@@ -70,7 +70,7 @@ profile deltachat-desktop @{exec_path} {
 # (#FIXME#)
 deny @{sys}/bus/pci/devices/ r,
- deny @{sys}/devices/virtual/tty/tty0/active r,
+ deny @{sys}/devices/virtual/tty/tty@{int}/active r,
 # no new privs
 @{bin}/xdg-settings rPx,
diff --git a/apparmor.d/profiles-a-f/edid-decode b/apparmor.d/profiles-a-f/edid-decode
index 92d76fb3..ffd2d3e6 100644
--- a/apparmor.d/profiles-a-f/edid-decode
+++ b/apparmor.d/profiles-a-f/edid-decode
@@ -12,7 +12,7 @@ profile edid-decode @{exec_path} {
 @{exec_path} mr,
- @{sys}/devices/@{pci}/drm/card[0-9]/*/edid r,
+ @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
 include if exists
 }
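Review bot: `@{bin}/systemd-run rix,` in the second systemd-udevd hunk confines only the systemd-run client; the transient unit it requests is started by the service manager, not by udevd, so the work that unit does runs outside this profile regardless of the `rix`. A comment on that line naming the udev rule that invokes systemd-run and stating that the resulting unit is not confined by this profile would stop a reader from assuming otherwise, and the new `@{bin}/rm rix,` deserves a similar note naming the rule that needs it, since under `ix` it operates with udevd's write permissions. The hunk header shows the profile is still in complain mode, so denials here are currently logged rather than enforced. The profile continues past both hunks.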
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index 3c929c90..840eeb86 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -99,7 +99,7 @@ profile hw-probe @{exec_path} {
 @{sys}/class/power_supply/ r,
 @{sys}/devices/virtual/dmi/id/* r,
- @{sys}/devices/@{pci}/drm/card[0-9]/*/edid r,
+ @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
 @{sys}/devices/**/power_supply/*/uevent r,
 @{sys}/firmware/efi/efivars/ r,
diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/profiles-m-r/mkswap
index 53d145ba..c3cb2c66 100644
--- a/apparmor.d/profiles-m-r/mkswap
+++ b/apparmor.d/profiles-m-r/mkswap
@@ -12,9 +12,10 @@ profile mkswap @{exec_path} {
 include
 include
+ capability mknod,
+
 @{exec_path} mr,
- # SWAP file common locations
 owner /swapfile rw,
 owner /swap/swapfile rw,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index b828f486..ce817770 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -15,6 +15,7 @@ profile snapd @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 5fbd589e..517d348b 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -176,7 +176,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
 @{sys}/devices/virtual/dmi/id/product_{name,version} r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/net/*/ r,
- @{sys}/devices/virtual/tty/tty[0-9]/active r,
+ @{sys}/devices/virtual/tty/tty@{int}/active r,
 @{sys}/kernel/ r,
 @{sys}/power/suspend_stats/success rk,
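Review bot: `capability mknod,` in the mkswap hunk carries no comment saying why a tool that formats an existing file or block device needs to create device nodes, and the same hunk drops the `# SWAP file common locations` comment that explained the `owner /swapfile rw,` rules beneath it. A why-comment on the capability line naming the environment or code path that triggered the denial (presumably a container or a helper it execs) would keep the grant reviewable, and the removed comment still describes the rules that follow it, so it could be kept. The profile continues past the hunk.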