From 1655a9f5ab0956142d78a8795d491a9e836d1ad9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 28 Aug 2024 18:30:39 +0100
Subject: [PATCH] feat(profile): more kde integration. fix #442

---
 apparmor.d/abstractions/bash-strict | 1 +
 .../groups/akonadi/akonadi_birthdays_resource | 1 +
 .../groups/akonadi/akonadi_maildir_resource | 2 +
 .../akonadi/akonadi_unifiedmailbox_agent | 1 +
 .../groups/browsers/firefox-kmozillahelper | 5 ++
 .../groups/display-manager/xdm-xsession | 5 +-
 apparmor.d/groups/freedesktop/pulseaudio | 2 +
 apparmor.d/groups/kde/kaccess | 3 ++
 apparmor.d/groups/kde/kde-powerdevil | 3 +-
 apparmor.d/groups/kde/kded | 15 ++++--
 apparmor.d/groups/kde/konsole | 5 ++
 apparmor.d/groups/kde/ksmserver | 4 +-
 apparmor.d/groups/kde/kwin_x11 | 2 +-
 apparmor.d/groups/kde/okular | 54 ++++++++++++++++++-
 apparmor.d/groups/kde/plasmashell | 3 ++
 apparmor.d/groups/kde/sddm-greeter | 2 +-
 apparmor.d/groups/network/nm-dispatcher | 5 +-
 apparmor.d/groups/systemd/systemd-udevd | 7 +--
 apparmor.d/profiles-a-f/btrfs | 16 +++---
 apparmor.d/profiles-g-l/issue-generator | 1 +
 apparmor.d/profiles-m-r/pass | 8 +--
 apparmor.d/profiles-m-r/pinentry-qt | 1 +
 apparmor.d/profiles-s-z/su | 2 +
 apparmor.d/profiles-s-z/xauth | 1 +
 apparmor.d/profiles-s-z/xclip | 3 +-
 25 files changed, 120 insertions(+), 32 deletions(-)

diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict
index eb4f6523..832f2add 100644
--- a/apparmor.d/abstractions/bash-strict
+++ b/apparmor.d/abstractions/bash-strict
@@ -24,6 +24,7 @@
 owner @{HOME}/.alias r,
 owner @{HOME}/.bash_aliases r,
+ owner @{HOME}/.bash_complete r,
 owner @{HOME}/.bash_history rw,
 owner @{HOME}/.bash_profile r,
 owner @{HOME}/.bashrc r,
diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource
index 14b354b7..70ff765b 100644
--- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource
+++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource
@@ -19,6 +19,7 @@ profile akonadi_birthdays_resource @{exec_path} {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/akonadi_birthdays_resourcerc r,
 owner @{user_config_dirs}/akonadi/ rw,
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource
index a534c7aa..7340d58a 100644
--- a/apparmor.d/groups/akonadi/akonadi_maildir_resource
+++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource
@@ -17,6 +17,8 @@ profile akonadi_maildir_resource @{exec_path} {
 /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
+ owner @{user_mail_dirs}/{,**} rw,
+
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r,
diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
index 94c63a06..d8af9fa4 100644
--- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
+++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
@@ -17,6 +17,7 @@ profile akonadi_unifiedmailbox_agent @{exec_path} {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner "@{user_config_dirs}/Unknown Organization/akonadi_unifiedmailbox_agent.conf_changes.dat" r, # see https://bugs.kde.org/show_bug.cgi?id=452565
 owner @{user_config_dirs}/akonadi_unifiedmailbox_agentrc r,
 owner @{user_config_dirs}/akonadi/ rw,
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper
index b4202ed0..cac83b36 100644
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@@ -47,6 +47,11 @@ profile firefox-kmozillahelper @{exec_path} {
 owner @{user_config_dirs}/kmozillahelperrc r,
 owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl,
 owner @{user_config_dirs}/kwinrc r,
+ owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/menus/applications-merged/ r,
+
+ owner @{user_share_dirs}/kservices5/ r,
+ owner @{user_share_dirs}/kservices5/searchproviders/ r,
 owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl,
 owner @{run}/user/@{uid}/xauth_@{rand6} rl,
diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession
index 962a97c3..346f0e5b 100644
--- a/apparmor.d/groups/display-manager/xdm-xsession
+++ b/apparmor.d/groups/display-manager/xdm-xsession
@@ -22,6 +22,7 @@ profile xdm-xsession @{exec_path} {
 @{bin}/cat rix,
 @{bin}/checkproc rix,
 @{bin}/dirname rix,
+ @{bin}/fortune rPUx,
 @{bin}/gpg-agent rPx,
 @{bin}/gpg-connect-agent rPx,
 @{bin}/grep rix,
@@ -36,6 +37,7 @@ profile xdm-xsession @{exec_path} {
 @{bin}/tty rix,
 @{bin}/uname rix,
 @{bin}/whoami rix,
+ @{bin}/xmodmap rPUx,
 @{bin}/dbus-update-activation-environment rCx -> dbus,
 @{bin}/flatpak rPx,
@@ -53,7 +55,7 @@ profile xdm-xsession @{exec_path} {
 @{etc_ro}/X11/xdm/sys.xsession rix,
 @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh rix,
 @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh rix,
- @{HOME}/.xinitrc rPix,
+ @{HOME}/.xinitrc rPix, # TODO: rCx
 @{lib}/xinit/xinitrc rix,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
@@ -73,6 +75,7 @@ profile xdm-xsession @{exec_path} {
 /etc/sysconfig/* r,
 owner @{HOME}/ r,
+ owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
 owner @{user_share_dirs}/sddm/xorg-session.log rw,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 5fc35613..029d7d4a 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
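Review bot: `@{bin}/xmodmap rPUx` (and `@{bin}/fortune rPUx` in the hunk at -22) falls back to unconfined execution whenever no profile of that name is loaded, so from the session profile these helpers may run with no confinement at all; the same `@{bin}/xmodmap rPUx` is added to kded further down in this patch. If the project ships no such profile, a short note keeps the decision visible to the next reviewer, e.g. `@{bin}/xmodmap rPUx, # TODO: no dedicated profile yet, runs unconfined`. The enclosing `profile xdm-xsession` block starts and ends outside the hunk.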
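Review bot: `@{HOME}/.xinitrc rPix, # TODO: rCx` executes a user-writable script in inherit mode, so whatever the user puts in `.xinitrc` runs with the whole xdm-xsession rule set, including the `rPx` and `rPUx` transitions granted earlier in this file; the session's confinement is therefore bounded by the user's own script until the child profile exists. The TODO is the right marker but says nothing about why; make it self-explanatory so it survives the next cleanup, e.g. `@{HOME}/.xinitrc rPix, # TODO: rCx -> xinitrc, user-writable script that should not inherit this profile`. The enclosing profile block starts and ends outside the hunk.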
@@ -78,6 +78,8 @@ profile pulseaudio @{exec_path} {
 /etc/pulse/{,**} r,
+ / r,
+
 owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
 owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
 owner @{desktop_config_dirs}/dconf/user r,
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
index fb6a01c8..7d6e4867 100644
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/kaccess
 profile kaccess @{exec_path} {
 include
+ include
 include
 include
 include
@@ -19,6 +20,8 @@ profile kaccess @{exec_path} {
 /usr/share/icons/{,**} r,
+ /etc/machine-id r,
+
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_config_dirs}/breezerc r,
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index 09ebb0d7..64371caa 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -57,14 +57,15 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 @{sys}/class/i2c-dev/ r,
 @{sys}/class/usbmisc/ r,
 @{sys}/devices/ r,
+ @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r,
 @{sys}/devices/@{pci}/card@{int}/*/dpms r,
 @{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
- @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
 @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
+ @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
 @{sys}/devices/**/ r,
 @{sys}/devices/i2c-@{int}/name r,
 @{sys}/devices/platform/**/i2c-@{int}/**/name r,
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index 422fc103..64fa472b 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -12,10 +12,10 @@ profile kded @{exec_path} {
 include
 include
 include
+ include
 include
 include
- include
- include
+ include
 include
 include
 include
@@ -31,7 +31,8 @@ profile kded @{exec_path} {
 ptrace (read),
- signal (send) set=hup peer=xsettingsd,
+ signal send set=hup peer=xsettingsd,
+ signal send set=term peer=kioworker,
 #aa:dbus own bus=system name=com.redhat.NewPrinterNotification
 #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
@@ -54,6 +55,7 @@ profile kded @{exec_path} {
 @{bin}/plasma-welcome rPUx,
 @{bin}/python3.@{int} rix,
 @{bin}/setxkbmap rix,
+ @{bin}/xmodmap rPUx,
 @{bin}/xrdb rPx,
 @{bin}/xsetroot rPx,
 @{bin}/xsettingsd rPx,
@@ -73,6 +75,7 @@ profile kded @{exec_path} {
 /etc/fstab r,
 /etc/xdg/accept-languages.codes r,
+ /etc/xdg/baloofilerc r,
 /etc/xdg/kcminputrc r,
 /etc/xdg/kde* r,
 /etc/xdg/kioslaverc r,
@@ -83,6 +86,7 @@ profile kded @{exec_path} {
 / r,
+ owner @{HOME}/ r,
 owner @{HOME}/.gtkrc-2.0 rw,
 @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
@@ -94,6 +98,7 @@ profile kded @{exec_path} {
 @{user_config_dirs}/kcookiejarrc.lock rwk,
 @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/baloofilerc r,
 owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
 owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/breezerc r,
@@ -125,20 +130,22 @@ profile kded @{exec_path} {
 owner @{user_config_dirs}/networkmanagement.notifyrc r,
 owner @{user_config_dirs}/plasma* r,
 owner @{user_config_dirs}/touchpadrc r,
+ owner @{user_config_dirs}/trashrc r,
 owner @{user_config_dirs}/Trolltech.conf.lock rwk,
 owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
 owner @{user_config_dirs}/xsettingsd/{,**} rw,
- owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
 owner @{user_share_dirs}/icc/{,edid-*} r,
 owner @{user_share_dirs}/kcookiejar/#@{int} rw,
 owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
+ owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
 owner @{user_share_dirs}/kded{5,6}/{,**} rw,
 owner @{user_share_dirs}/kscreen/{,**} rwl,
 owner @{user_share_dirs}/kservices{5,6}/{,**} r,
 owner @{user_share_dirs}/ktp/cache.db rwk,
 owner @{user_share_dirs}/remoteview/ r,
 owner @{user_share_dirs}/services5/{,**} r,
+ owner @{user_share_dirs}/user-places.xbel r,
 @{run}/mount/utab r,
 @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole
index 3151156a..359297e4 100644
--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@@ -64,6 +64,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/konsole/** rwlk,
 owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r,
+ owner @{user_state_dirs}/#@{int} rw,
+ owner @{user_state_dirs}/konsolestaterc rw,
+ owner @{user_state_dirs}/konsolestaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int},
+ owner @{user_state_dirs}/konsolestaterc.lock rwk,
+
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/konsole.@{rand6} rw,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 858bc4b9..edfc3ade 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -16,11 +16,11 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
- signal (send) set=(usr1,term) peer=kscreenlocker-greet,
+ signal send set=(usr1,term) peer=kscreenlocker_greet,
 ptrace (read) peer=kbuildsycoca5,
- unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
+ unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
index a52a2233..8ee46455 100644
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -50,7 +50,7 @@ profile kwin_x11 @{exec_path} {
 owner @{user_config_dirs}/#@{int} rw,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
- owner @{user_config_dirs}/kwinoutputconfig.json r,
+ owner @{user_config_dirs}/kwinoutputconfig.json rw,
 owner @{user_config_dirs}/kwinrc.lock rwk,
 owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl,
 owner @{user_config_dirs}/kwinrulesrc r,
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
index d732ee0f..775491bd 100644
--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
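Review bot: Widening `kwinoutputconfig.json` from `r` to `rw` covers an in-place write only; if KWin saves this file through a temporary file plus rename, which is what the neighbouring `kwinrc{,.@{rand6}} rwl` rule appears to accommodate, the save will still be denied on the temporary name and on the `l` permission. Worth checking the audit log for a `kwinoutputconfig.json.@{rand6}`-style denial before settling on plain `rw`; if one shows up, the sibling form `owner @{user_config_dirs}/kwinoutputconfig.json{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},` is the consistent fix. The `profile kwin_x11` block starts and ends outside the hunk.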
@@ -11,27 +11,47 @@ include
 profile okular @{exec_path} {
 include
 include
+ include
 include
+ include
 include
 include
+ include
 include
 include
+ network netlink raw,
+
+ signal send set=term peer=kioworker,
+
 @{exec_path} mr,
 @{bin}/ps2pdf rPUx,
 @{bin}/gpg{,2} rCx -> gpg,
- @{bin}/gpgcon rCx -> gpg,
+ @{bin}/gpgconf rCx -> gpg,
 @{bin}/gpgsm rCx -> gpg,
 @{open_path} rPx -> child-open,
+ #aa:exec kioworker
 /usr/share/color-schemes/{,**} r,
 /usr/share/okular/{,**} r,
 /usr/share/poppler/{,**} r,
+ /etc/fstab r,
+ /etc/xdg/baloofilerc r,
+ /etc/xdg/dolphinrc r,
+ /etc/xdg/menus/ r,
+ /etc/xdg/menus/applications-merged/ r,
+
+ / r,
+ @{MOUNTS}/ r,
+
+ owner @{user_cache_dirs}/ksycoca{5,6}_* r,
+ owner @{user_cache_dirs}/okular/{,**} rw,
+
 owner @{user_config_dirs}/#@{int} rw,
 owner @{user_config_dirs}/okularpartrc rw,
 owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
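Review bot: `network netlink raw,` is added without saying which part of Okular needs a raw netlink socket, and it is the only rule in this hunk whose purpose is not evident from the path it names. A trailing note naming the consumer, or the audit entry it answers, would let the next reviewer judge whether it can be narrowed, e.g. `network netlink raw, # TODO: confirm which Qt/KF component needs this`. The `#aa:exec kioworker` directive and the new `signal send set=term peer=kioworker,` belong together and read fine. The `profile okular` block continues past the end of the hunk.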
@@ -39,22 +59,52 @@ profile okular @{exec_path} {
 owner @{user_config_dirs}/okularrc rw,
 owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/okularrc.lock rwk,
+ owner @{user_config_dirs}/baloofilerc r,
+ owner @{user_config_dirs}/dolphinrc r,
+ owner @{user_config_dirs}/okular-generator-popplerrc r,
+ owner @{user_config_dirs}/KDE/*.conf r,
+ owner @{user_config_dirs}/kioslaverc r,
+ owner @{user_config_dirs}/kservicemenurc r,
+ owner @{user_config_dirs}/kwalletrc r,
+ owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/menus/applications-merged/ r,
+ owner @{user_config_dirs}/trashrc r,
+ owner @{user_share_dirs}/#@{int} rw,
+ owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r,
 owner @{user_share_dirs}/okular/ rw,
 owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**,
+ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int},
+ owner @{user_share_dirs}/recently-used.xbel.lock rk,
+ owner @{user_share_dirs}/user-places.xbel r,
- owner @{user_cache_dirs}/okular/{,**} rw,
+ owner @{user_state_dirs}/#@{int} rw,
+ owner @{user_state_dirs}/okularstaterc rw,
+ owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int},
+ owner @{user_state_dirs}/okularstaterc.lock rwk,
 owner @{tmp}/#@{int} rw,
+ owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},
 owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
+ owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
+
+ owner @{run}/user/@{uid}/#@{int} rw,
+ owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+ owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
 profile gpg {
 include
+ include
 @{bin}/gpg{,2} mr,
 @{bin}/gpgcon mr,
 @{bin}/gpgsm mr,
+ owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+ owner @{run}/user/@{uid}/ r,
 owner @{run}/user/@{uid}/gnupg/ r,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index fe79dccd..06a81602 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -90,6 +90,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /var/lib/AccountsService/icons/* r,
+ @{MOUNTS}/ r,
+
 @{HOME}/ r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
@@ -197,6 +199,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
 @{PROC}/ r,
+ @{PROC}/@{pid}/stat r,
 @{PROC}/cmdline r,
 @{PROC}/diskstats r,
 @{PROC}/loadavg r,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index dba650f2..4872716f 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -49,7 +49,7 @@ profile sddm-greeter @{exec_path} {
 owner @{SDDM_HOME}/#@{int} mrw,
 owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
- owner @{HOME}/.face.icon r,
+ @{HOME}/.face.icon r,
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 9e2904a5..1a82fdbf 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -31,20 +31,21 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/python3.@{int} rix,
 @{bin}/basename rix,
 @{bin}/cat rix,
- @{bin}/chronyc rPUx,
 @{bin}/chown rix,
+ @{bin}/chronyc rPUx,
 @{bin}/date rix,
 @{bin}/gawk rix,
 @{bin}/grep rix,
 @{bin}/id rix,
 @{bin}/invoke-rc.d rCx -> invoke-rc,
+ @{bin}/logger rix,
 @{bin}/mkdir rix,
 @{bin}/mktemp rix,
 @{bin}/netconfig rPUx,
 @{bin}/nmcli rix,
+ @{bin}/python3.@{int} rix,
 @{bin}/readlink rix,
 @{bin}/rm rix,
 @{bin}/run-parts rCx -> run-parts,
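Review bot: The child profile still reads `@{bin}/gpgcon mr,` (context line under `profile gpg {`), while the parent rule was corrected to `@{bin}/gpgconf rCx -> gpg` in the previous hunk; after the `Cx` transition the child profile has to grant `mr` on the binary actually being executed, so mapping gpgconf will be denied once the task is in `gpg` and the helper will not start. Change the child line to `@{bin}/gpgconf mr,` in the same commit so the parent and child agree. The `profile gpg` child block continues outside the hunk.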
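Review bot: `@{PROC}/@{pid}/stat r,` is not `owner`-qualified, so it lets plasmashell read the stat record of every process on the system rather than only its own; the neighbouring `@{PROC}/cmdline`, `diskstats` and `loadavg` rules are system-wide files, whereas per-pid entries normally get `owner` unless the consumer genuinely needs other users' processes. If the denial that motivated this rule concerned plasmashell's own pid, `owner @{PROC}/@{pid}/stat r,` is the tighter form; if a widget inspects other processes, a trailing comment saying so would justify the broader rule. The `profile plasmashell` block starts and ends outside the hunk.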
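Review bot: Dropping `owner` on `@{HOME}/.face.icon r,` is presumably what makes the rule effective, since the surrounding `@{SDDM_HOME}` and `@{sddm_cache_dirs}` rules suggest the greeter does not run as the user whose avatar it shows, but the line now reads as an unexplained exception among `owner`-qualified neighbours. A trailing note would stop the next cleanup from putting `owner` back, e.g. `@{HOME}/.face.icon r, # avatars are owned by the users, not by the greeter's uid`. The `profile sddm-greeter` block starts and ends outside the hunk.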
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 8b135199..fa096a35 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -89,15 +89,16 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 /etc/systemd/network/ r,
 /etc/systemd/network/@{int2}-*.link r,
- @{run}/udev/ rw,
- @{run}/udev/** rwk,
-
 @{run}/credentials/systemd-udev-load-credentials.service/ r,
+ @{run}/modprobe.d/ r,
 @{run}/systemd/network/ r,
 @{run}/systemd/network/*.link rw,
 @{run}/systemd/notify rw,
 @{run}/systemd/seats/seat@{int} r,
+ @{run}/udev/ rw,
+ @{run}/udev/** rwk,
+
 @{sys}/** rw,
 @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index 45e50da9..41e6fff5 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -24,9 +24,15 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
 /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,
 / r,
- /boot/ r,
- /home/ r,
 /.snapshots/ r,
+ /boot/ r,
+ /boot/**/ r,
+ /home/ r,
+ /opt/ r,
+ /root/ r,
+ /srv/ r,
+ /usr/local/ r,
+ /var/ r,
 @{MOUNTS}/ r,
 @{MOUNTS}/ext2_saved/ rw,
 @{MOUNTS}/ext2_saved/image rw,
@@ -44,10 +50,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
 @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 @{run}/snapper-tools-*/ r,
 @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r,
-
- @{sys}/fs/btrfs/@{uuid}/exclusive_operation r,
- @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/fsid r,
- @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/scrub_speed_max r,
+
+ @{sys}/fs/btrfs/@{uuid}/** r,
 @{PROC}/partitions r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index 57de7cab..60f5f22e 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -13,6 +13,7 @@ profile issue-generator @{exec_path} {
 @{exec_path} mr,
+ @{sh_path} r,
 @{bin}/basename rix,
 @{bin}/cat rix,
 @{bin}/cmp rix,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 7c4f697e..5bd85192 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -74,16 +74,10 @@ profile pass @{exec_path} {
 profile pkill {
 include
-
- capability sys_ptrace,
-
- ptrace read,
+ include
 @{bin}/pkill mr,
- @{PROC}/@{pid}/cgroup r,
- @{PROC}/tty/drivers r,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt
index 1763bd96..93dc4ade 100644
--- a/apparmor.d/profiles-m-r/pinentry-qt
+++ b/apparmor.d/profiles-m-r/pinentry-qt
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/pinentry-qt
 profile pinentry-qt @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 237d5ed0..d292cab8 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -28,6 +28,8 @@ profile su @{exec_path} {
 @{etc_ro}/default/su r,
+ @{HOME}/.xauth@{rand6} rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth
index f051fdc0..ad57f861 100644
--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/xauth
 profile xauth @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip
index 378e8cae..9f82aff6 100644
--- a/apparmor.d/profiles-s-z/xclip
+++ b/apparmor.d/profiles-s-z/xclip
@@ -10,14 +10,13 @@ include
 @{exec_path} = @{bin}/xclip
 profile xclip @{exec_path} {
 include
+ include
 include
 network unix stream,
 @{exec_path} mr,
- deny /dev/tty rw,
-
 include if exists
 }
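Review bot: The `pkill` child profile loses `capability sys_ptrace,`, `ptrace read,` and the two `@{PROC}` reads in favour of an include whose target is not visible in this rendering (the angle-bracket arguments were stripped). Those rules were presumably there because pkill has to walk and inspect other processes, so please confirm the included abstraction carries equivalent rules; if it does not, pkill will be unable to read the process table and `pass` will fail where it relied on it. The `profile pass` block starts outside the hunk.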
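Review bot: `@{HOME}/.xauth@{rand6} rw,` carries no `owner` qualifier, and whether one would match depends on which uid the file is written under. This looks like pam_xauth's temporary cookie in the target user's home (TODO confirm against the audit entry that produced the rule); if the requesting uid matched the file owner in that entry, `owner @{HOME}/.xauth@{rand6} rw,` is the tighter form, otherwise a short comment such as `# temporary X cookie, written before the uid switch` records why the wider form is needed. The `profile su` block starts outside the hunk.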
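Review bot: Removing `deny /dev/tty rw,` changes more than access: an explicit `deny` also keeps the rejected open out of the audit log, whereas an access that is merely not allowed is logged. Unless the include added at the top of this hunk (its argument is not visible here) now grants `/dev/tty`, any xclip run that still opens the terminal will start producing denial entries again; confirm which of the two outcomes is intended and, if the access is meant to stay blocked quietly, keep the `deny` line. The `profile xclip` block is fully inside the hunk.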