diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 067a238e..5ee66691 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -30,8 +30,11 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/test rix,
 /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/echo rix,
+ /{usr/,}bin/gdbus rix,
+ /{usr/,}bin/test rix,
+ /{usr/,}bin/touch rix,
 /{usr/,}{s,}bin/dpkg-preconfigure rPx,
 /{usr/,}{s,}bin/localepurge rPx,
diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily
index 2d9a2afe..a60e4603 100644
--- a/apparmor.d/groups/apt/apt-systemd-daily
+++ b/apparmor.d/groups/apt/apt-systemd-daily
@@ -27,6 +27,7 @@ profile apt-systemd-daily @{exec_path} {
 /{usr/,}bin/flock rix,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/gzip rix,
+ /{usr/,}bin/ls rix,
 /{usr/,}bin/mv rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/savelog rix,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 6fe7210b..177a69bd 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -118,6 +118,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
 owner @{user_config_dirs}/ r,
+ owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
 owner @{user_config_dirs}/mimeapps.list{,.*} rw,
 owner @{user_cache_dirs}/ rw,
diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender
index 7804b110..95cb1536 100644
--- a/apparmor.d/groups/browsers/firefox-pingsender
+++ b/apparmor.d/groups/browsers/firefox-pingsender
@@ -20,7 +20,9 @@ profile firefox-pingsender @{exec_path} {
 owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/@{uuid} rw,
- # file_inherit
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ owner /dev/tty[0-9]* rw,
 include if exists
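Review bot: `/{usr/,}bin/gdbus rix,` runs gdbus under the apt profile itself, so whatever D-Bus traffic it is invoked for has to be allowed by `dbus` rules in this same profile, and none are visible in this hunk. The call presumably comes from a package hook rather than apt itself; a one-line comment above the rule naming that caller would explain why a package manager needs a D-Bus client binary. The re-added `/{usr/,}bin/test rix,` only moves the existing line into alphabetical order. The profile header and the rest of its rules are outside the hunk.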
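Review bot: The display-number glob in the new rule, `-unix-wayland-[0-9]*`, differs from the `-unix-wayland-[0-9]` form that the ibus profiles in this same commit use for the same socket directory, and `[0-9]*` also matches more than a single digit. Since both profiles describe the same file, they should use one pattern, whichever is actually intended. A short comment such as `# ibus socket lookup` above the rule would record why the browser reads an input-method configuration path. The profile header is outside the hunk.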
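Review bot: Dropping the `# file_inherit` comment while adding `owner /dev/tty[0-9]* rw,` loses the only rationale for a terminal-device rule in a telemetry sender; the tty is presumably an inherited descriptor from a pingsender launched from a terminal rather than a device the program opens itself, so the comment should stay above that line (the xrdb hunk in this commit keeps `# file_inherit` above its identical tty rule). The owner-qualified `@{PROC}/@{pid}/stat` and `task/@{tid}/stat` reads are unproblematic. The profile header is outside the hunk.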
diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple
index 3340a8a8..39025957 100644
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@@ -15,6 +15,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /etc/machine-id r,
 /var/lib/dbus/machine-id r,
 owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3
index 8685c80e..23f43557 100644
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@@ -32,6 +32,7 @@ profile ibus-extension-gtk3 @{exec_path} {
 /usr/share/icons/{,**} r,
 /usr/share/X11/xkb/** r,
+ /etc/machine-id r,
 /var/lib/dbus/machine-id r,
 owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index 3d6d6d57..ba452812 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@@ -20,6 +20,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 /usr/share/locale/locale.alias r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
 /var/lib/gdm/.config/ibus/bus/ r,
 /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index acb76971..b36b22cf 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -20,6 +20,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /etc/machine-id r,
 /var/lib/dbus/machine-id r,
 owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list
index 2a7d03ae..b9a49e68 100644
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,7 +13,7 @@ profile fc-list @{exec_path} {
 include
 include
- /{usr/,}bin/fc-list mr,
+ @{exec_path} mr,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 28751b5c..4db26964 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -32,6 +33,8 @@ profile xrdb @{exec_path} {
 owner /tmp/xauth-[0-9]*-_[0-9] r,
 owner /tmp/kcminit.* r,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
+ # file_inherit
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index 8cec4f89..e535c2df 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -25,6 +25,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/xkbcomp rPx,
 /usr/share/egl/{,**} r,
+ /usr/share/fonts/X11/{,**} r,
 /usr/share/X11/xkb/rules/evdev r,
 owner /tmp/server-[0-9]*.xkm rwk,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 515e1acb..7af35a3d 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -16,6 +16,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index 01270d59..0490d755 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -11,6 +11,7 @@ profile gnome-calendar @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 4104f53e..9d2f4245 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -40,8 +40,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/locale rix,
 /{usr/,}bin/openvpn rPx,
 /{usr/,}bin/passwd rPx,
- /{usr/,}lib/gnome-control-center-goa-helper rPx,
- /{usr/,}lib/gnome-control-center-print-renderer rPx,
+ @{libexec}/gnome-control-center-goa-helper rPx,
+ @{libexec}/gnome-control-center-print-renderer rPx,
 /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 /usr/share/backgrounds/gnome/* r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index 9aafa1c7..4da0a80b 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -15,6 +15,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
 include
 include
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 5184c079..2d291652 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -56,7 +56,5 @@ profile gnome-music @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
- /dev/shm/ r,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 29c4937a..8d609ba3 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -36,9 +36,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
 /var/lib/app-info/ w,
 /var/lib/app-info/yaml/ r,
- /var/lib/app-info/yaml/*_Components-*.yml.gz w,
+ /var/lib/app-info/yaml/*.yml.gz w,
 /var/lib/apt/lists/ r,
- /var/lib/apt/lists/*_Components-*.gz r,
+ /var/lib/apt/lists/*.gz r,
 /var/lib/flatpak/appstream/{,**} r,
 /var/lib/swcatalog/ rw,
 /var/lib/swcatalog/icons/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/child-pager b/apparmor.d/profiles-a-f/child-pager
index 0a883be7..7249cbbf 100644
--- a/apparmor.d/profiles-a-f/child-pager
+++ b/apparmor.d/profiles-a-f/child-pager
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 # Note: This profile does not specify an attachment path because it is
@@ -28,14 +28,11 @@ profile child-pager {
 /{usr/,}bin/less mr,
 /{usr/,}bin/more mr,
- @{user_cache_dirs}/lesshs* rw,
- owner /root/.lesshs* rw,
-
- # Display properly on different host terminals
 @{system_share_dirs}/terminfo/{,**} r,
- # For shell pwd
- /root/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/.lesshs* rw,
+ owner @{user_cache_dirs}/lesshs* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance
index f0b1316e..2e60584e 100644
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@@ -27,6 +27,7 @@ profile irqbalance @{exec_path} {
 @{sys}/devices/system/node/node[0-9]*/{cpumap,meminfo} r,
 @{PROC}/interrupts r,
+ @{PROC}/irq/[0-9]*/node r,
 @{PROC}/irq/[0-9]*/smp_affinity rw,
 include if exists
diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen
index 7b9b433a..035286b2 100644
--- a/apparmor.d/profiles-m-r/mono-sgen
+++ b/apparmor.d/profiles-m-r/mono-sgen
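Review bot: Widening the write rule from `/var/lib/app-info/yaml/*_Components-*.yml.gz w,` to `/var/lib/app-info/yaml/*.yml.gz w,` lets the process create or overwrite any `.yml.gz` in the AppStream cache directory rather than only the component files it was previously limited to; if the change was prompted by a differently named file, a pattern naming that file keeps the write grant narrow. The parallel read widening to `/var/lib/apt/lists/*.gz` is less sensitive, but it now also covers any other compressed index in that directory, which the old `*_Components-*.gz` glob excluded. The profile is still `flags=(complain)`, so neither rule is enforced yet, which makes this the right moment to settle the patterns before enforcement. The profile header and its remaining rules are outside the hunk.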
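Review bot: The child-pager rewrite drops the two explanatory comments (`# Display properly on different host terminals` for the terminfo rule and `# For shell pwd` for the home-directory read) while keeping the rules they explained; with `owner @{HOME}/ r,` now standing alone a reader cannot tell why a pager needs to read the home directory, so `# For shell pwd` should be restored above it. Replacing the unqualified `@{user_cache_dirs}/lesshs*` rule and the hard-coded `/root/` paths with `owner @{HOME}/...` rules is a tightening, since the history and working-directory access is now limited to files the invoking user owns. The profile header is outside the hunk.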
@@ -42,7 +42,6 @@ profile mono-sgen @{exec_path} {
 owner /tmp/*.* rw,
 owner /tmp/CASESENSITIVETEST* rw,
 owner /dev/shm/mono.* rw,
- /dev/shm/ r,
 @{sys}/devices/pci[0-9]*/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/vendor r,
diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register
index 9f9a510b..c72e1b6b 100644
--- a/apparmor.d/profiles-m-r/pkcs11-register
+++ b/apparmor.d/profiles-m-r/pkcs11-register
@@ -14,10 +14,10 @@ profile pkcs11-register @{exec_path} {
 /etc/opensc.conf r,
- owner @{HOME}/.mozilla/firefox/*/pkcs11.txt r,
+ owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
 owner @{HOME}/.mozilla/firefox/profiles.ini r,
 owner @{HOME}/.pki/nssdb/pkcs11.txt r,
- owner @{HOME}/.thunderbird/*/pkcs11.txt r,
+ owner @{HOME}/.thunderbird/*/pkcs11.txt rw,
 owner @{HOME}/.thunderbird/profiles.ini r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index e44f2093..75eec8ad 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -26,7 +26,7 @@ profile wireplumber @{exec_path} {
 /usr/share/spa-*/bluez[0-9]*/{,*} r,
 /usr/share/wireplumber/{,**} r,
- /var/lib/gdm/.local/state/wireplumber/{,**} r,
+ /var/lib/gdm/.local/state/wireplumber/{,**} rw,
 owner @{HOME}/.local/state/ w,
 owner @{HOME}/.local/state/wireplumber/{,**} rw,
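Review bot: `owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,` and `owner @{HOME}/.thunderbird/*/pkcs11.txt rw,` now let the process rewrite the NSS module database of every profile, which decides which PKCS#11 modules those applications load; that is presumably the registration tool's job, but a comment above the block stating it, such as `# Registers the PKCS#11 module in each profile's NSS database`, would make the write grant read as deliberate rather than accidental. `owner @{HOME}/.pki/nssdb/pkcs11.txt r,` between the two changed lines stays read-only, which looks inconsistent if the same registration is done for the shared NSS database; worth confirming whether that path is intentionally skipped. The profile header is outside the hunk.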
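Review bot: `/var/lib/gdm/.local/state/wireplumber/{,**} rw,` grants write to the gdm user's state tree without an `owner` qualifier, unlike the `owner @{HOME}/.local/state/wireplumber/{,**} rw,` rule two lines below that covers the same thing for regular users. When wireplumber runs in the greeter session it runs as the gdm user, so `owner /var/lib/gdm/.local/state/wireplumber/{,**} rw,` should grant what the change needs while keeping any other user's wireplumber instance from writing into gdm's state directory at the MAC layer. If the greeter instance runs under a different uid than the directory owner, that should be recorded in a comment next to the rule instead. The profile header is outside the hunk.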