diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index b67f4c8a..de381ebc 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -13,6 +13,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability audit_write,
 capability setgid,
 capability setuid,
 capability sys_resource,
@@ -45,26 +46,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /usr/share/dbus-1/{,**} r,
 /usr/share/defaults/**.conf r,
- owner @{user_share_dirs}/dbus-1/{,**} r,
- @{user_share_dirs}/icc/{,edid-*} r,
-
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mounts r,
- @{PROC}/@{pid}/oom_score_adj rw,
- @{PROC}/@{pids}/cmdline r,
- @{PROC}/1/environ r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
-
- @{sys}/module/apparmor/parameters/enabled r,
-
- @{run}/systemd/inhibit/[0-9]*.ref rw,
- @{run}/systemd/sessions/[0-9]*.ref rw,
- @{run}/systemd/users/@{uid} r,
- owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
- owner @{run}/user/@{uid}/dbus-1/ rw,
- owner @{run}/user/@{uid}/dbus-1/services/ rw,
-
 # Extra rules for GDM
 /var/lib/gdm/.local/share/icc/ r,
 /var/lib/gdm/.local/share/icc/edid-*.icc r,
@@ -73,12 +54,39 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /var/lib/flatpak/exports/share/dbus-1/{,**} r,
 /var/lib/flatpak/app/**/export/share/dbus-1/services/{,**} r,
- /dev/dri/card[0-9]* rw,
- /dev/input/event[0-9]* rw,
+ # Extra rules for Snap
+ /var/lib/snapd/dbus-1/services/ r,
+ /var/lib/snapd/dbus-1/system-services/ r,
+
+ owner @{user_share_dirs}/dbus-1/{,**} r,
+ @{user_share_dirs}/icc/{,edid-*} r,
 owner /tmp/dbus-[0-9a-zA-Z]* rw,
- # file_inherit
+ owner @{run}/user/@{uid}/bus w,
+ owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
+ owner @{run}/user/@{uid}/dbus-1/ rw,
+ owner @{run}/user/@{uid}/dbus-1/services/ rw,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+ @{run}/systemd/sessions/[0-9]*.ref rw,
+ @{run}/systemd/userdb/io.systemd.DynamicUser w,
+ @{run}/systemd/users/@{uid} r,
+
+ @{sys}/kernel/security/apparmor/.access rw,
+ @{sys}/kernel/security/apparmor/features/dbus/mask r,
+ @{sys}/module/apparmor/parameters/enabled r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pids}/attr/apparmor/current r,
+ @{PROC}/@{pids}/oom_score_adj rw,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ /dev/dri/card[0-9]* rw,
+ /dev/input/event[0-9]* rw,
 /dev/tty[0-9]* rw,
 include if exists
diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session
index 8e7330cf..80b7e6f1 100644
--- a/apparmor.d/groups/bus/dbus-run-session
+++ b/apparmor.d/groups/bus/dbus-run-session
@@ -18,6 +18,7 @@ profile dbus-run-session @{exec_path} {
 /{usr/,}bin/dbus-daemon rPx,
 /{usr/,}bin/gnome-session rix,
+ /{usr/,}bin/gnome-shell rPx,
 /{usr/,}bin/gsettings rix,
 @{libexec}/gnome-session-binary rPx,
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index 4a6812ee..253deed0 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
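Review bot: `@{PROC}/@{pids}/oom_score_adj rw` in the re-added /proc block widens the `@{PROC}/@{pid}/oom_score_adj rw` rule removed in the previous hunk from the daemon's own process to every pid on the system, and nothing in the hunk says why. Write access to other processes' oom_score_adj lets the daemon change which processes the kernel reaps under memory pressure, so unless logs show dbus-daemon touching other pids this should stay `owner @{PROC}/@{pid}/oom_score_adj rw,`. If the wider rule is really needed, a comment naming the caller would stop the next reviewer from narrowing it back. The profile's closing brace is outside the hunk.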
@@ -16,15 +16,20 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}lib/ibus/ibus-* rPx,
+ /{usr/,}lib/ibus/ibus-* rPx,
+ @{libexec}/ibus-* rPx,
 /usr/share/ibus/{,**} r,
+ /usr/share/ibus-table/tables/ r,
+
+ /etc/machine-id r,
 /var/lib/dbus/machine-id r,
 owner @{user_config_dirs}/ibus/{,**} rw,
 owner @{user_cache_dirs}/ibus/{,**} rw,
- /var/lib/gdm/.config/ibus/{,**} rw,
- /var/lib/gdm/.cache/ibus/{,**} rw,
+ /var/lib/gdm{3,}/.config/ibus/{,**} rw,
+ /var/lib/gdm{3,}/.cache/ibus/{,**} rw,
+ /var/lib/gdm{3,}/.config/ibus/bus/ r,
 owner @{PROC}/@{pids}/fd/ r,
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse
index 14bfbbef..28374773 100644
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@@ -30,6 +30,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 /usr/share/pipewire/client.conf r,
 /usr/share/pipewire/pipewire-pulse.conf r,
+ /var/lib/gdm/.config/pulse/cookie rwk,
+
 owner @{run}/user/@{uid}/pulse/pid w,
 @{sys}/devices/virtual/dmi/id/product_name r,
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index e4d804aa..4e9e67fe 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@@ -35,6 +35,7 @@ profile polkit-agent-helper @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 @{run}/faillock/[a-zA-z0-9]* rwk,
+ @{run}/systemd/userdb/io.systemd.DynamicUser w,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index fc0af8a1..289496ba 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
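Review bot: `/var/lib/gdm{3,}/.config/ibus/bus/ r` is already covered by `/var/lib/gdm{3,}/.config/ibus/{,**} rw` two lines above it (`**` matches the `bus/` directory and already grants rw), so the new line adds no permission and will only drift out of sync with the broader rule. Drop it, or if it was added to record a specific access that was seen in the logs, put that in a comment on the `{,**}` rule instead. The `/{usr/,}lib/ibus/ibus-* rPx` line is removed and re-added with no visible difference, which looks like a whitespace-only change.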
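Review bot: `/var/lib/gdm/.config/pulse/cookie rwk` uses the plain `gdm/` home while every other gdm-home rule in this commit (gnome-shell, gsd-color, ibus-daemon, tracker-extract, tracker-miner) is switched to `/var/lib/gdm{3,}/`, so on a system whose gdm home is `/var/lib/gdm3` this rule never matches and the denial comes back. Use `/var/lib/gdm{3,}/.config/pulse/cookie rwk,` for consistency. The cookie is the client authentication secret for the sound server, so it is worth keeping the rule exactly as narrow as the gdm home path.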
@@ -35,6 +35,8 @@ profile polkitd @{exec_path} {
 # System rules
 /etc/polkit-1/rules.d/ r,
 /etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
+ /etc/polkit-1/localauthority/{,**} r,
+ /etc/polkit-1/localauthority.conf.d/{,**} r,
 # Vendor rules
 /usr/share/polkit-1/rules.d/ r,
@@ -46,9 +48,11 @@ profile polkitd @{exec_path} {
 /usr/share/polkit-1/actions/*.policy.choice r,
 owner /var/lib/polkit-1/.cache/ rw,
+ /var/lib/polkit-1/localauthority/{,**} r,
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/@{uid} r,
+ @{run}/systemd/userdb/io.systemd.DynamicUser w,
 # Silencer
 deny /.cache/ rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 1c25e819..cc70c3bc 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -45,6 +45,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{PROC}/@{pids}/cgroup r,
+ @{PROC}/ r,
 @{PROC}/1/cgroup r,
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 18ef020e..c5075fb3 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -14,12 +14,20 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 include
 include
 include
+ include
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/ubuntu/applications/ r,
 /usr/share/X11/xkb/{,**} r,
+ /etc/gnome/defaults.list r,
+
+ /var/lib/snapd/desktop/icons/{,**} r,
+
+ owner @{user_share_dirs}/ r,
+
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index fbfbc542..7c0c975d 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -20,6 +20,8 @@ profile xdg-document-portal @{exec_path} {
 / r,
 owner @{user_share_dirs}/flatpak/db/documents r,
+
+ owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/doc/ rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index f2ab307e..e1e49b08 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -20,6 +20,8 @@ profile evolution-alarm-notify @{exec_path} {
 /usr/share/evolution-data-server/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/ubuntu/applications/ r,
+ /usr/share/zoneinfo-icu/{,**} r,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 85bb1aa4..d7e91d94 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -41,13 +41,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- /{usr/,}bin/gnome-keyring-daemon rPx,
- @{libexec}/gdm-wayland-session rPx,
- @{libexec}/gdm-x-session rPx,
- /etc/gdm/{Pre,Post}Session/Default rix,
+ /{usr/,}bin/gnome-keyring-daemon rPx,
+ @{libexec}/gdm-wayland-session rPx,
+ @{libexec}/gdm-x-session rPx,
+ /etc/gdm{3,}/{Pre,Post}Session/Default rix,
+ /etc/default/locale r,
 /etc/environment r,
- /etc/gdm/custom.conf r,
+ /etc/gdm{3,}/custom.conf r,
 /etc/locale.conf r,
 /etc/machine-id r,
 /etc/motd r,
@@ -64,9 +65,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/users/@{uid} r,
 @{run}/utmp rwk,
+ @{run}/systemd/userdb/io.systemd.DynamicUser w,
+
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/loginuid rw,
+ owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
 owner @{PROC}/@{pid}/uid_map r,
+ @{PROC}/1/limits r,
+ @{PROC}/keys r,
 /dev/tty rw,
 /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index 2af9c93c..d906f01e 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -22,27 +22,38 @@ profile gdm-wayland-session @{exec_path} {
 @{exec_path} mr,
+ # It can run hooks, how to handle them nicely? rCx? them mostly include if exist
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/env rix,
 /{usr/,}bin/gnome-session rix,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/gsettings rix,
+ /{usr/,}bin/locale rix,
+ /{usr/,}bin/locale-check rix,
+ /{usr/,}bin/sed rix,
 /{usr/,}bin/tty rix,
+ /{usr/,}bin/gettext rix,
 /{usr/,}bin/zsh rix,
 /{usr/,}bin/dbus-daemon rPx,
 /{usr/,}bin/dbus-run-session rPx,
+ /{usr/,}bin/dpkg-query rpx,
 /{usr/,}bin/flatpak rPUx,
 @{libexec}/gnome-session-binary rPx,
- /etc/gdm/custom.conf r,
+ /usr/share/im-config/{,**} r,
+
+ /etc/default/im-config r,
+ /etc/gdm{3,}/custom.conf r,
 /etc/machine-id r,
 /etc/shells r,
+ /etc/X11/Xsession.d/*im-config_launch r,
 /usr/share/gdm/gdm.schemas r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- @{run}/gdm/custom.conf r,
-
+ owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 @{run}/gdm/custom.conf r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 773a73b9..97ddb75d 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
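Review bot: `owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw` and `@{PROC}/keys r` are added without a comment, and neither is obvious from the session worker's job. Writing to attr/exec is the interface for requesting a profile change on the next exec, so it deserves a why-comment such as `# request a profile change on exec for the user session (pam_apparmor?) — TODO confirm` and, if that is the purpose, a matching `change_profile` rule, which is not visible in this hunk. The `/proc/keys` read would similarly benefit from `# lists the kernel keyrings visible to the worker`. The profile body continues outside the hunk.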
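Review bot: `/{usr/,}bin/dpkg-query rpx` uses a lower-case `p`, which transitions to the dpkg-query profile without the environment sanitising that the capital `P` gives, while every other transition in this hunk (`dbus-daemon`, `dbus-run-session`, `gnome-session-binary`) uses `rPx`. This reads as a typo rather than a deliberate choice, so change it to `/{usr/,}bin/dpkg-query rPx,`. The added `# It can run hooks, how to handle them nicely? rCx? them mostly include if exist` comment is a real open question about the broad `{,ba,da}sh rix` grant and would be easier to find later as a `# TODO:` line.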
@@ -33,6 +33,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/mkdir rix,
 /{usr/,}bin/touch rix,
 /{usr/,}bin/gsettings rix,
+ /{usr/,}bin/session-migration rix,
 /{usr/,}bin/xdg-user-dirs-gtk-update rix,
 @{libexec}/gnome-session-check-accelerated rix,
 @{libexec}/gnome-session-check-accelerated-gl-helper rix,
@@ -42,16 +43,21 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/aa-notify rPx,
 /{usr/,}bin/blueman-applet rPx,
+ /{usr/,}bin/xdg-user-dirs-update rPx,
 /{usr/,}bin/firewall-applet rPUx,
 /{usr/,}bin/gnome-keyring-daemon rPx,
 /{usr/,}bin/gnome-shell rPx,
+ /{usr/,}bin/im-launch rPx,
 /{usr/,}bin/pkcs11-register rPx,
+ /{usr/,}bin/snap rPUx,
 /{usr/,}bin/start-pulseaudio-x11 rPx,
 /{usr/,}bin/xbrlapi rPx,
+ @{libexec}/at-spi-bus-launcher rPx,
 @{libexec}/evolution-data-server/evolution-alarm-notify rPx,
 @{libexec}/gsd-* rPx,
- /usr/share/applications//{,**} r,
+ /usr/share/applications/{,**} r,
+ /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/gdm/greeter/applications/{,**} r,
 /usr/share/gdm/greeter/autostart/{,*.desktop} r,
@@ -59,19 +65,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /usr/share/glvnd/egl_vendor.d/ r,
 /usr/share/gnome-session/hardware-compatibility r,
 /usr/share/gnome-session/sessions/*.session r,
+ /usr/share/gnome/autostart/{,*.desktop} r,
 /usr/share/icons/{,**} r,
- /usr/share/dconf/profile/gdm r,
 /usr/share/mime/mime.cache r,
+ /usr/share/ubuntu/applications/{,*.desktop} r,
 /usr/share/X11/xkb/{,**} r,
+ /etc/gnome/defaults.list r,
 /etc/xdg/autostart/{,*.desktop} r,
- /var/lib/gdm/.config/dconf/user r,
- /var/lib/gdm/.cache/mesa_shader_cache/index rw,
- /var/lib/gdm/.config/gnome-session/ rw,
- /var/lib/gdm/.config/gnome-session/saved-session/ rw,
- /var/lib/gdm/.local/share/applications/{,**} r,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/.config/gnome-session/ rw,
+ /var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw,
+ /var/lib/gdm{3,}/.local/share/applications/{,**} r,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
+ /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
 /var/lib/flatpak/exports/share/applications/{,**} r,
 owner @{user_config_dirs}/autostart/{,*.desktop} r,
@@ -83,6 +93,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/user-dirs.dirs r,
 owner @{user_config_dirs}/user-dirs.locale r,
 owner @{user_share_dirs}/applications/ r,
+ owner @{user_share_dirs}/applications/mimeinfo.cache r,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
@@ -108,5 +119,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /dev/tty rw,
 /dev/tty[0-9]* rw,
+ include if exists
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl
index df3c9ce0..bf073f98 100644
--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@@ -12,7 +12,9 @@ profile gnome-session-ctl @{exec_path} {
 @{exec_path} mr,
+ owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
+ @{run}/user/@{uid}/systemd/notify rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 426f7389..2e71f77c 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -44,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{libexec}/polkit-1/polkit* rPx,
 @{libexec}/* rPUx,
+ /opt/*/**/*.png r,
 /usr/share/backgrounds/{,**} r,
 /usr/share/dconf/profile/gdm r,
 /usr/share/desktop-directories/{,*.directory} r,
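Review bot: `@{run}/user/@{uid}/systemd/notify rw` is the only rule in this profile without the `owner` qualifier; the neighbouring `bus` and `gnome-session-leader-fifo` rules both carry it, and the path is inside the user's own runtime directory. Unless the notify socket is created by a different uid, write it as `owner @{run}/user/@{uid}/systemd/notify rw,` so the profile stays consistent with the rest of the file.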
@@ -57,29 +58,40 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /usr/share/libinput/ r,
 /usr/share/libinput/[0-9][0-9]-*.quirks r,
 /usr/share/libwacom/{,*.stylus,*.tablet} r,
+ /usr/share/plymouth/*.png r,
+ /usr/share/ubuntu/applications/{,*.desktop} r,
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
 /usr/share/xsessions/{,*.desktop} r,
- /opt/*/**/*.png r,
 /.flatpak-info r,
 /etc/fstab r,
 /etc/machine-id r,
+ /etc/xdg/menus/gnome-applications.menu r,
 /var/lib/dbus/machine-id r,
- /var/lib/gdm/.config/dconf/user r,
- /var/lib/gdm/.config/ibus/ rw,
- /var/lib/gdm/.config/ibus/bus/ rw,
- /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
- /var/lib/gdm/.config/pulse/ r,
- /var/lib/gdm/.config/pulse/client.conf r,
- /var/lib/gdm/.config/pulse/cookie rwk,
- /var/lib/gdm/.local/share/applications/{,**} r,
- /var/lib/gdm/.local/share/gnome-shell/ rw,
+ /var/lib/gdm{3,}/.cache/ w,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/.config/ibus/ rw,
+ /var/lib/gdm{3,}/.config/ibus/bus/ rw,
+ /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
+ /var/lib/gdm{3,}/.config/pulse/ r,
+ /var/lib/gdm{3,}/.config/pulse/client.conf r,
+ /var/lib/gdm{3,}/.config/pulse/cookie rwk,
+ /var/lib/gdm{3,}/.local/share/applications/{,**} r,
+ /var/lib/gdm{3,}/.local/share/gnome-shell/ rw,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
 /var/lib/flatpak/app/**/gnome-shell/{,**} r,
 /var/lib/flatpak/exports/share/gnome-shell/{,**} r,
+ /var/lib/snapd/desktop/icons/{,**} r,
+
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
 owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
@@ -91,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/monitors.xml{,~} rwl,
 owner @{user_share_dirs}/backgrounds/{,**} rw,
+ owner @{user_share_dirs}/desktop-directories/{,**} r,
 owner @{user_share_dirs}/gnome-shell/{,**} rw,
 owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
@@ -103,13 +116,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/media-art/{,**} r,
 owner @{user_cache_dirs}/vlc/**/*.jpg r,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
 owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
 owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
 owner /dev/shm/.org.chromium.Chromium.* rw,
 owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
@@ -144,30 +158,34 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/ r,
 @{sys}/class/ r,
- @{sys}/class/net/ r,
- @{sys}/class/input/ r,
 @{sys}/class/hwmon/ r,
+ @{sys}/class/input/ r,
+ @{sys}/class/net/ r,
 @{sys}/class/power_supply/ r,
 @{sys}/**/uevent r,
- @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
- @{sys}/devices/**/power_supply/**/{type,online} r,
- @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
- @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
+ @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
+ @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
+ @{sys}/devices/**/power_supply/**/{type,online} r,
 @{sys}/devices/pci[0-9]*/**/boot_vga r,
+ @{sys}/devices/pci[0-9]*/**/drm/ r,
 @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
 @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
+ @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
 owner @{PROC}/@{pid}/comm r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
+ @{PROC}/ r,
 @{PROC}/@{pid}/attr/current r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/net/* r,
 @{PROC}/@{pid}/stat r,
 @{PROC}/@{pid}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/cmdline r,
 @{PROC}/1/cgroup r,
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index a41f6aae..09287690 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -15,6 +15,7 @@ profile gnome-shell-calendar-server @{exec_path} {
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/zoneinfo-icu/{,**} r,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
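Review bot: `@{PROC}/@{pids}/cmdline r` lets gnome-shell read the command line of every process on the system, which is a superset of the `owner @{PROC}/@{pid}/task/@{pid}/cmdline r` rule added a few lines earlier and can expose arguments that other users' processes were started with. If a specific feature needs it, a comment naming that feature would justify the width; otherwise prefer the owner-restricted form. Separately, `task/@{pid}/cmdline` uses `@{pid}` for the thread component where the existing `@{PROC}/@{pid}/task/@{tid}/stat r` rule uses `@{tid}`; write it as `owner @{PROC}/@{pid}/task/@{tid}/cmdline r,` to match.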
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index e0b5e858..f42c703e 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -37,6 +37,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/doc/ rw,
 @{run}/systemd/sessions/[0-9]*{,.ref} r,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 6ea5ce24..6b47c216 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -26,12 +26,16 @@ profile gnome-terminal-server @{exec_path} {
 /usr/share/X11/xkb/{,**} r,
 /var/lib/flatpak/exports/share/icons/{,**} r,
+ /var/lib/snapd/desktop/icons/{,**} r,
 /etc/shells r,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
+ owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 owner /tmp/#[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index b2537f56..a6f7d510 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -26,9 +26,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 /usr/share/X11/xkb/** r,
 /var/lib/flatpak/exports/share/mime/mime.cache r,
- /var/lib/gdm/.config/dconf/user r,
- /var/lib/gdm/.local/share/icc/ rw,
- /var/lib/gdm/.local/share/icc/edid-*.icc rw,
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/.local/share/icc/ rw,
+ /var/lib/gdm{3,}/.local/share/icc/edid-*.icc rw,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
 owner @{user_share_dirs}/icc/ r,
 owner @{user_share_dirs}/icc/edid-*.icc rw,
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
index b43be95b..e7d51d5b 100644
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@@ -22,7 +22,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
- /var/lib/gdm/.config/dconf/user r,
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index aa6dba36..e683f0a8 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -24,8 +24,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
 /usr/share/icons/{,**} r,
 /usr/share/X11/xkb/** r,
- /var/lib/gdm/.config/dconf/user r,
- /var/lib/gdm/.config/.gsd-keyboard.settings-ported* rw,
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/.config/.gsd-keyboard.settings-ported* rw,
 owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
 owner @{user_share_dirs}/gnome-settings-daemon/ rw,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index e39cee49..fca97800 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -10,6 +10,7 @@ include
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 signal (receive) set=(term, hup) peer=gdm*,
@@ -23,6 +24,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/dconf/user rw,
 /var/lib/gdm/.config/dconf/user r,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index 5449e6bb..83a7520c 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
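Review bot: the new `/var/lib/gdm{3,}/greeter-dconf-defaults r` in gsd-smartcard sits directly under the untouched `/var/lib/gdm/.config/dconf/user r` context line, so this profile now mixes the `gdm{3,}` form with the plain `gdm/` form that the rest of this commit (gsd-datetime, gsd-keyboard, gsd-sound, gsd-color) replaces. Update that line to `/var/lib/gdm{3,}/.config/dconf/user r,` in the same change so the profile works on both gdm home layouts.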
@@ -22,8 +22,9 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
- /var/lib/gdm/.local/share/sounds/ rw,
- /var/lib/gdm/.config/dconf/user r,
+ /var/lib/gdm{3,}/.local/share/sounds/ rw,
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
 owner @{user_share_dirs}/sounds/ rw,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 6f1c1a7b..9bf870d8 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -26,15 +26,21 @@ profile gsd-xsettings @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/which{,.debianutils} rix,
+
+ /{usr/,}bin/run-parts rCx -> run-parts,
 /{usr/,}bin/busctl rPx,
 /{usr/,}bin/pactl rPx,
 /{usr/,}bin/xrdb rPx,
 /{usr/,}lib/ibus/ibus-x11 rPx,
+ @{libexec}/ibus-x11 rPx,
 /usr/share/dconf/profile/gdm r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/gdm/greeter-dconf-defaults r,
+ /etc/X11/Xsession.options r,
 /etc/xdg/Xwayland-session.d/ r,
 /etc/xdg/Xwayland-session.d/* rix,
@@ -47,10 +53,22 @@ profile gsd-xsettings @{exec_path} {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
+ owner @{run}/systemd/users/@{uid}/ r,
+ @{run}/systemd/sessions/[0-9]* r,
+
 owner @{PROC}/@{pid}/fd/ r,
 /dev/tty rw,
 /dev/tty[0-9]* rw,
+ profile run-parts {
+ include
+
+ /{usr/,}bin/run-parts mr,
+
+ /etc/X11/Xresources/ r,
+
+ }
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 7d2f80d6..070db186 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
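Review bot: `owner @{run}/systemd/users/@{uid}/ r` carries a trailing slash, which in AppArmor matches only a directory, while every other profile in this commit (dbus-daemon, polkitd, gdm-session-worker, systemd-logind) treats `@{run}/systemd/users/@{uid}` as a file, so as written the rule most likely never matches. It should read `@{run}/systemd/users/@{uid} r,`; the sibling profiles also omit `owner`, which suggests the file is not owned by the session user. The new `run-parts` child profile only grants `/etc/X11/Xresources/ r`, i.e. listing the directory, which is enough for a `--list` style invocation but not for reading or executing its entries, so a comment stating the expected invocation would make the intent clear; the child also lacks the `include if exists` local-override line the parent profile has.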
@@ -22,17 +22,22 @@ profile tracker-extract @{exec_path} {
 @{exec_path} mr,
 /usr/share/applications/*.desktop r,
+ /usr/share/dconf/profile/gdm r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/hwdata/*.ids r,
 /usr/share/ladspa/rdf/{,**} r,
 /usr/share/mime/mime.cache r,
 /usr/share/osinfo/{,**} r,
 /usr/share/poppler/{,**} r,
 /usr/share/tracker3-miners/{,**} r,
 /usr/share/tracker3/{,**} r,
- /usr/share/hwdata/*.ids r,
 /etc/libva.conf r,
+ /var/lib/gdm{3,}/.cache/ rw,
+ /var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
+
 # Allow to search user files
 owner @{HOME}/{,**} r,
 owner @{MOUNTS}/*/{,**} r,
@@ -42,6 +47,7 @@ profile tracker-extract @{exec_path} {
 owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
 owner @{user_share_dirs}/gvfs-metadata/** r,
+ owner @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 @{run}/blkid/blkid.tab r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index eb5ff217..921f8b5c 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -9,20 +9,33 @@ include
 @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
 include
+ include # TODO: FIXME: See if we keep them like this.
 include
 include
+ include
 include
 include
 @{exec_path} mr,
- /usr/share/tracker3/{,**} r,
- /usr/share/tracker3-miners/{,**} r,
+ /usr/share/applications/{,mimeinfo.cache,*.list} r,
+ /usr/share/dconf/profile/gdm r,
+ /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/applications/{,mimeinfo.cache} r,
 /usr/share/mime/mime.cache r,
+ /usr/share/tracker3-miners/{,**} r,
+ /usr/share/tracker3/{,**} r,
+ /usr/share/ubuntu/applications/ r,
+
+ /etc/fstab r,
 /var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r,
+ /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
+
+ /var/lib/gdm{3,}/ r,
+ /var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
+
 owner /var/tmp/etilqs_[0-9a-f]* rw,
 # Allow to search user files
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 56c574fc..f6102481 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/NetworkManager
+@{exec_path} = /{usr/,}{,s}bin/NetworkManager
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 12d99659..4fbf1b5e 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
-profile systemd-hostnamed @{exec_path} {
+profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 47f745f3..65832bbd 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/systemd/systemd-localed
-profile systemd-localed @{exec_path} {
+profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 56d3b9e7..55a79fc0 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -7,14 +7,16 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/systemd/systemd-logind
-profile systemd-logind @{exec_path} flags=(complain) {
+profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 include
+ include
 include
 include
 include
 capability chown,
 capability dac_override,
+ capability dac_read_search,
 capability fowner,
 capability sys_admin,
 capability sys_tty_config,
@@ -42,6 +44,10 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{run}/udev/tags/uaccess/ r,
 @{run}/udev/static_node-tags/uaccess/ r,
+ @{run}/udev/data/+backlight:intel_backlight r,
+ @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
+ @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+pci* r,
 @{run}/udev/data/c10:[0-9]* r,
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@@ -52,46 +58,35 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{run}/udev/data/c50[0-9]:[0-9]* r,
 @{run}/udev/data/c51[0-9]:[0-9]* r,
- @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
- @{run}/udev/data/+backlight:intel_backlight r,
- @{run}/udev/data/+pci* r,
-
+ @{run}/systemd/inhibit/ rw,
+ @{run}/systemd/inhibit/.#* rw,
+ @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
 @{run}/systemd/seats/ rw,
 @{run}/systemd/seats/.#seat* rw,
 @{run}/systemd/seats/seat[0-9]* rw,
- @{run}/systemd/inhibit/ rw,
- @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
- @{run}/systemd/inhibit/.#* rw,
 @{run}/systemd/sessions/ rw,
- @{run}/systemd/sessions/[0-9]*{,.ref} rw,
 @{run}/systemd/sessions/.#* rw,
- @{run}/systemd/users/ rw,
- @{run}/systemd/users/@{uid} rw,
- @{run}/systemd/users/.#* rw,
+ @{run}/systemd/sessions/[0-9]*{,.ref} rw,
 @{run}/systemd/userdb/ r,
+ @{run}/systemd/users/ rw,
+ @{run}/systemd/users/.#* rw,
+ @{run}/systemd/users/@{uid} rw,
- /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
- /dev/dri/card[0-9]* rw,
- /dev/tty[0-9]* rw,
- /dev/nvme* r,
- /dev/shm/{,**/} r,
- /dev/mqueue/ r,
-
- @{sys}/module/vt/parameters/default_utf8 r,
- @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
- @{sys}/fs/cgroup/memory.max r,
- @{sys}/devices/virtual/tty/tty[0-9]*/active r,
- @{sys}/devices/**/{uevent,enabled,status} r,
- @{sys}/devices/**/brightness rw,
+ @{run}/systemd/journal/socket rw,
+ @{run}/systemd/notify rw,
 @{sys}/class/drm/ r,
- @{sys}/power/{state,resume_offset,resume,disk} r,
-
- @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
- @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+ @{sys}/devices/**/{uevent,enabled,status} r,
+ @{sys}/devices/**/brightness rw,
+ @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
+ @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+ @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
+ @{sys}/fs/cgroup/memory.max r,
+ @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
+ @{sys}/module/vt/parameters/default_utf8 r,
+ @{sys}/power/{state,resume_offset,resume,disk} r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/comm r,
@@ -103,5 +98,12 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{PROC}/swaps r,
 @{PROC}/sysvipc/{shm,sem,msg} r,
+ /dev/dri/card[0-9]* rw,
+ /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
+ /dev/mqueue/ r,
+ /dev/nvme* r,
+ /dev/shm/{,**/} rw,
+ /dev/tty[0-9]* rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 3c2c017f..1e227632 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -7,8 +7,9 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/systemd/systemd-timedated
-profile systemd-timedated @{exec_path} {
+profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 capability sys_time,
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 15168efd..1eb2b263 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -28,10 +28,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/systemd/timesync/clock rw,
 owner @{run}/systemd/journal/socket w,
- owner @{run}/systemd/notify rw,
 owner @{run}/systemd/timesync/synchronized rw,
- @{run}/systemd/netif/state r,
 @{run}/resolvconf/*.conf r,
+ @{run}/systemd/netif/state r,
+ @{run}/systemd/notify rw,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 196007a5..0a6a24fc 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
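Review bot: the reorder silently widens `/dev/shm/{,**/} r` (removed in this hunk) to `/dev/shm/{,**/} rw` (re-added in the following hunk), giving logind write access to every directory under /dev/shm, and nothing in the hunk marks it as an intentional permission change. If this is for removing a user's IPC objects at logout, a comment such as `# remove user IPC objects on logout (RemoveIPC=)` on the new line would keep it from being mistaken for part of the reorder; if not, keep it at `r`. The hunk header still shows `flags=(complain)`, so the widening is audited rather than enforced for now.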
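Review bot: in systemd-timesyncd, `@{run}/systemd/notify rw` drops the `owner` qualifier that the removed `owner @{run}/systemd/notify rw` line carried, and the same unqualified rule is added to systemd-logind and systemd-udevd in this commit. If the reason is that the socket belongs to PID 1 while timesyncd runs unprivileged, so `owner` never matched, a short comment such as `# sd_notify socket, owned by PID 1` would record that and stop someone from re-adding the qualifier.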
@@ -11,8 +11,8 @@ include
 @{exec_path} += /{usr/,}lib/systemd/systemd-udevd
 profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 include
- include
 include
+ include
 include
 capability chown,
@@ -49,13 +49,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 /{usr/,}{s,}bin/* rPUx,
- /{usr/,}lib/udev/* rPUx,
- /{usr/,}lib/systemd/systemd-* rPx,
- /{usr/,}lib/crda/* rPUx,
- /{usr/,}lib/gdm-runtime-config rPx,
- /{usr,/}lib/pm-utils/power.d/* PUx,
-
- /usr/share/hplip/config_usb_printer.py rPUx,
+ /{usr,/}lib/pm-utils/power.d/* rPUx,
+ /{usr,/}lib/snapd/snap-device-helper rPx, # TODO: but later
+ /{usr/,}lib/crda/* rPUx,
+ /{usr/,}lib/gdm-runtime-config rPx,
+ /{usr/,}lib/systemd/systemd-* rPx,
+ /{usr/,}lib/udev/* rPUx,
+ /usr/share/hplip/config_usb_printer.py rPUx,
 /etc/console-setup/*.sh rPUx,
@@ -83,20 +83,18 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 @{run}/udev/** rw,
 @{run}/systemd/seats/seat[0-9]* r,
+ @{run}/systemd/notify rw,
 @{sys}/** rw,
- /dev/ rw,
- /dev/** rwk,
-
 owner @{PROC}/@{pid}/loginuid r,
 owner @{PROC}/@{pid}/oom_score_adj rw,
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/devices r,
- # file_inherit
- owner @{HOME}/.xsession-errors w,
+ /dev/ rw,
+ /dev/** rwk,
 deny /apparmor/.null rw,
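Review bot: `/{usr,/}lib/snapd/snap-device-helper rPx` repeats the `{usr,/}` alternation from the pm-utils line above it, which expands to `/usrlib/...` or `//lib/...` and so cannot match `/usr/lib/snapd/snap-device-helper`; every other rule in the hunk uses `/{usr/,}lib/`. Both lines should use that form, e.g. `/{usr/,}lib/snapd/snap-device-helper rPx,`. The `# TODO: but later` comment does not say what is pending (presumably a dedicated profile, since `rPx` needs one to exist); spelling that out would help. The final hunk of this file runs past the end of the page.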