diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index c99dff28..67d0ca1a 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -120,12 +120,7 @@
 owner @{chromium_config_dirs}/** rwk,
 owner @{chromium_config_dirs}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw,
- owner @{chromium_cache_dirs}/{,**/} rw,
- owner @{chromium_cache_dirs}/*/**/{*-,}index rw,
- owner @{chromium_cache_dirs}/*/**/@{hex}_? rw,
- owner @{chromium_cache_dirs}/*/**/todelete_* rw,
- owner @{chromium_cache_dirs}/PnaclTranslationCache/index rw,
- owner @{chromium_cache_dirs}/PnaclTranslationCache/data_[0-9]*[0-9] rw,
+ owner @{chromium_cache_dirs}/{,**} rw,
 # For importing data (bookmarks, cookies, etc) from Firefox
 # owner @{HOME}/.mozilla/firefox/profiles.ini r,
diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete
index 2bb0b4a8..ab2da5ee 100644
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@@ -9,3 +9,5 @@
 owner @{run}/user/@{uid}/at-spi/ rw,
 owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
+
+ owner /tmp/dbus-[0-9a-zA-Z]* rw,
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index 41bf99c3..e8e2209f 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -17,6 +17,8 @@ profile evolution-alarm-notify @{exec_path} {
 include
 include
+ network netlink raw,
+
 @{exec_path} mr,
 /usr/share/evolution-data-server/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks
index 4336fb91..317c97ce 100644
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
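Review bot: The replacement rule `owner @{chromium_cache_dirs}/{,**} rw,` collapses six enumerated cache-file rules into blanket read/write on the entire cache tree, a deliberate loosening that deserves a one-line rationale so the list is not reintroduced piecemeal later; suggest `# Chromium's cache file layout is not stable across versions; allow the whole cache tree` above it. Since `{,**}` also matches directories, the earlier `{,**/}` directory rule is subsumed. Unlike the config-dirs rule two lines up, no `k` (lock) permission is granted; if cache files are ever locked this will surface as denials, which is worth confirming before merging. The abstraction continues outside the hunk.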
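Review bot: The new `owner /tmp/dbus-[0-9a-zA-Z]* rw,` admits a path in a world-writable directory into a strict abstraction, and nothing in the hunk says why a session bus would live there instead of under `@{run}/user/@{uid}/`; a comment such as `# Session bus socket under /tmp, presumably from a non-systemd dbus-launch (unix:path=/tmp/dbus-*)` would make the intent reviewable. The `owner` qualifier is doing real work here because any local user can create `/tmp/dbus-*` names, so it must stay. For a socket, connecting normally needs only `w`; whether `r` is actually required is worth confirming against the denials that motivated the rule rather than granting both by default.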
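Review bot: `network netlink raw,` is added without any comment, and a classic AppArmor network rule cannot restrict the netlink protocol family, so this grants every netlink family rather than just the one the program needs. Add a comment above it naming the consumer, e.g. `# presumably GIO's GNetworkMonitor (NETLINK_ROUTE) — confirm from the denial`, so a later reader can re-evaluate the grant. The profile header and the rest of its body lie outside the hunk.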
@@ -15,6 +15,9 @@ profile gnome-disks @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 8c8e00ec..3973ccf6 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -559,11 +559,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
- owner @{user_music_dirs}/**/*.jpg r,
+ owner @{user_games_dirs}/**/*.{png,jpg} r,
+ owner @{user_music_dirs}/**/*.{png,jpg} r,
- owner @{user_config_dirs}/ibus/ w,
 owner @{user_config_dirs}/.goutputstream{,*} rw,
+ owner @{user_config_dirs}/ibus/ w,
 owner @{user_config_dirs}/monitors.xml{,~} rwl,
+ owner @{user_config_dirs}/tiling-assistant/{,**} rw,
 owner @{user_share_dirs}/backgrounds/{,**} rw,
 owner @{user_share_dirs}/desktop-directories/{,**} r,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 14eaddfe..02a13e73 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -35,7 +35,7 @@ profile mullvad-gui @{exec_path} {
 "/opt/Mullvad VPN/*.so*" mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gsettings rPx,
+ /{usr/,}bin/gsettings rix,
 /{usr/,}bin/xdg-open rPx,
 "/opt/Mullvad VPN/{,**}" r,
@@ -47,7 +47,6 @@ profile mullvad-gui @{exec_path} {
 /var/lib/dbus/machine-id r,
 owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
- owner @{user_cache_dirs}/dconf/user rw,
 owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard
index 24d9774c..ec60f8d0 100644
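Review bot: The two added `gio-launch-desktop` rules differ only in the optional `@{multiarch}/glib-[0-9]*/` path component and could be a single rule, `/{usr/,}lib/{@{multiarch}/glib-[0-9]*/,}gio-launch-desktop rPx -> child-open,`, which keeps the transition target in one place if `child-open` is ever renamed. The `rPx -> child-open` transition is the right shape for a launcher helper: it runs under its own profile instead of inheriting gnome-disks' permissions. The enclosing profile starts outside the hunk.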
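Review bot: `@{user_games_dirs}` appears for the first time on this page in the added rule and the hunk does not show it being declared; if that tunable is not defined next to `@{user_music_dirs}` the profile will fail to parse, so confirm it exists before merging. The alternation `*.{png,jpg}` is case-sensitive and does not match `.jpeg`; if this is cover art, `*.{png,jpg,jpeg}` may be what is wanted, but widen only on observed denials rather than speculatively. The `ibus/ w` rule is only moved, and the enclosing profile continues outside the hunk.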
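Review bot: Changing `/{usr/,}bin/gsettings` from `rPx` to `rix` makes gsettings run inside the mullvad-gui profile, so everything it touches (the dconf cache file, the dconf D-Bus service) must now be permitted here, yet the second hunk at `@@ -47,7 +47,6 @@` removes `owner @{user_cache_dirs}/dconf/user rw,` from this same profile. Presumably that access is meant to come from an included abstraction not visible in the hunk; confirm, otherwise gsettings will be denied after this change. A short comment, `# gsettings runs confined here (ix); dconf access comes from the included abstraction`, would record the dependency for the next reader.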
--- a/apparmor.d/profiles-m-r/molly-guard
+++ b/apparmor.d/profiles-m-r/molly-guard
@@ -19,7 +19,7 @@ profile molly-guard @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/hostname rix,
- /{usr/,}bin/pgrep rix,
+ /{usr/,}bin/{,e,p}grep rix,
 /{usr/,}bin/run-parts rix,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
 /{usr/,}bin/tr rix,
diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk
index b295e992..fb00ea2c 100644
--- a/apparmor.d/profiles-s-z/sgdisk
+++ b/apparmor.d/profiles-s-z/sgdisk
@@ -12,13 +12,6 @@ profile sgdisk @{exec_path} {
 include
 include
- # Needed to inform the system of newly created/removed partitions
- # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
- #
- # Warning: The kernel is still using the old partition table.
- # The new table will be used at the next reboot or after you
- # run partprobe(8) or kpartx(8)
- # The operation has completed successfully.
 capability sys_admin,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 877b5f70..fa70ef94 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -98,9 +98,10 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}{s,}bin/mkfs.btrfs rPx,
 /{usr/,}{s,}bin/mkfs.ext{2,3,4} rPx,
 /{usr/,}{s,}bin/mkfs.fat rPx,
+ /{usr/,}{s,}bin/sfdisk rPx,
+ /{usr/,}{s,}bin/sgdisk rPx,
 /{usr/,}bin/eject rPx,
 /{usr/,}bin/ntfs-3g rPx,
- /{usr/,}{s,}bin/sfdisk rPx,
 /{usr/,}bin/ntfsfix rPx,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
 /{usr/,}bin/systemd-escape rPx,
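Review bot: The sgdisk hunk deletes the only explanation of why `capability sys_admin,` (kept as context) is granted — the `BLKRRPART` ioctl that makes the kernel re-read the partition table — and for a capability this broad the rationale is what lets a later reviewer judge whether it is still needed. Keep at least a one-line comment above it, e.g. `# BLKRRPART ioctl: re-read the partition table after writing it`, even if the verbose denial transcript is dropped. The profile continues outside the hunk.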