diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 977a7be8..aa1e8eff 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -7,7 +7,7 @@ ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex}/bus/systemctl/, + unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, @{bin}/systemctl mr, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index d7c68ac7..d7693690 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -30,8 +30,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-system, - unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user, + unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index f241df38..493b01ec 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (bind) type=stream addr=@@{hex}/bus/apt/system, + unix (bind) type=stream addr=@@{hex16}/bus/apt/system, unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index b702eded..41fd348c 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb 
@@ -26,12 +26,12 @@ profile dpkg-deb @{exec_path} { owner /var/lib/dpkg/tmp.ci/ w, owner /var/lib/dpkg/tmp.ci/* w, + @{user_pkg_dirs}/** r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - owner @{user_pkg_dirs}/** r, - audit owner @{tmp}/dpkg-deb.* rw, - audit owner @{tmp}/dpkg-deb.*/ rw, - audit owner @{tmp}/dpkg-deb.*/* rw, + owner @{tmp}/dpkg-deb.@{rand6} rw, + owner @{tmp}/dpkg-deb.@{rand6}/ rw, + owner @{tmp}/dpkg-deb.@{rand6}/* rw, include if exists } diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 230b2966..533c9ca1 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -43,5 +43,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 582d7b19..0b696e32 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -53,6 +53,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { owner /dev/nvidia-caps/ w, owner /dev/nvidia-caps/nvidia-cap@{int} w, + /dev/tty@{int} rw, + profile kmod { include include @@ -62,9 +64,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{bin}/kmod mr, - # @{bin}/{,ba,da}sh ix, /etc/modprobe.d/{,*.conf} r, - # /etc/nvidia/{current,legacy*,tesla*}/*.conf r, + /etc/nvidia/{current,legacy*,tesla*}/*.conf r, # @{sys}/module/ipmi_devintf/initstate r, # @{sys}/module/ipmi_msghandler/initstate r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index cd38138a..c7d131fc 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy 
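Review bot: The new `+ @{user_pkg_dirs}/** r,` line drops the `owner` qualifier that the removed `- owner @{user_pkg_dirs}/** r,` line had, so dpkg-deb may now read package trees owned by other users, while the adjacent `@{user_build_dirs}` rule keeps `owner`; the commit gives no reason for the widening. If root-owned files under those directories were the trigger, a comment such as `# <reason from the denial>` above the line would keep it reviewable. Replacing `audit owner @{tmp}/dpkg-deb.*` with `owner @{tmp}/dpkg-deb.@{rand6}` narrows the temp-path match, which is good; only the dropped `audit` is worth confirming as intentional. The profile header is outside the hunk.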
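Review bot: `+ owner /dev/tty@{int} rw,` in at-spi2-registryd grants write as well as read on virtual-console devices to an accessibility registry daemon, and the same rule is added to mutter-x11-frames (L4) and, without `owner`, to child-modprobe-nvidia (first hunk on this line). If the denial only showed a read, `owner /dev/tty@{int} r,` would suffice; otherwise a comment naming the operation that needs write would help. The child-modprobe-nvidia variant matches consoles owned by any user because it lacks `owner`; if that process runs as root the qualifier changes little, but a comment saying so would make the difference from the two session profiles deliberate.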
@@ -16,6 +16,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index a8ff71d1..9ca2e9b5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -70,6 +70,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + owner @{HOME}/ r, owner @{HOME}/*/{,**} rw, owner @{tmp}/.goutputstream-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 5d11a8fd..604ed33d 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -46,7 +46,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=xorg, signal (send) set=hup peer=xwayland, - unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system, + unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 59662566..36af6ac3 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -108,8 +108,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/tty@{int} rw, - - profile open { + + profile open flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index c4c22af1..6b88e8e5 100644 
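Review bot: `+ profile open flags=(attach_disconnected) {` at the end of the gnome-session-binary hunk (and `+profile fsck @{exec_path} flags=(attach_disconnected) {` on L10) makes disconnected paths mediate as if attached to the namespace root, so the profile's existing path rules also match files reached through such a path; neither hunk records which denial motivated the flag. A one-line comment above the profile line naming the disconnected path seen in the log, e.g. `# attach_disconnected: <path from the denial>`, would keep the flag reviewable in both places. The `open` child profile's body continues outside the hunk.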
--- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -33,5 +33,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 79387790..e84e8aa5 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -70,6 +70,7 @@ profile pacman @{exec_path} { @{bin}/groupadd rPx, @{bin}/gtk-query-immodules-{2,3}.0 rPx, @{bin}/gtk{,4}-update-icon-cache rPx, + @{bin}/iconvconfig rix, @{bin}/install-catalog rPx, @{bin}/install-info rPx, @{bin}/iscsi-iname rix, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index d851bcdb..13b3195b 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -53,7 +53,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex}/bus/sshd/system, + unix (bind) type=stream addr=@@{hex16}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 18a2c634..dc2492eb 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -22,7 +22,7 @@ profile busctl @{exec_path} { ptrace (read), - unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl, + unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl, signal (send) set=(cont) peer=child-pager, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index a3855751..23f67af9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl 
@@ -24,7 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex}/bus/networkctl/system, + unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system, #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd # No label available diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index d37284ec..394d55bf 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -16,7 +16,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { capability sys_admin, # To set a hostname - unix (bind) type=stream addr=@@{hex}/bus/systemd-hostnam/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system, #aa:dbus own bus=system name=org.freedesktop.hostname1 diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index b994b658..be99033c 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -17,7 +17,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { # Needed? audit capability net_admin, - unix (bind) type=stream addr=@@{hex}/bus/systemd-localed/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 8239ad1c..ebd690bd 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { # mqueue r type=posix /, - unix (bind) type=stream addr=@@{hex}/bus/systemd-logind/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 
diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index d44b6c3b..c61b61ff 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -17,14 +17,14 @@ profile systemd-modules-load @{exec_path} { @{exec_path} mr, - @{sys}/module/*/initstate r, - /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, /etc/modules r, /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, + @{sys}/devices/@{pci}/config r, + @{sys}/module/*/initstate r, @{sys}/module/compression r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 019e1ff2..09e55674 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -27,7 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix (bind) type=stream addr=@@{hex}/bus/systemd-network/bus-api-network, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network, #aa:dbus own bus=system name=org.freedesktop.network1 diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 9ac5669f..bbbfd1a1 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 9495cad1..4444601f 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated 
@@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{hex}/bus/systemd-timedat/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index f054748d..2c99029c 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync, unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index dcec46b1..c4c0a193 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd 
@@ -36,40 +36,29 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{coreutils_path} rix, @{bin}/*-print-pci-ids rix, @{bin}/alsactl rPUx, - @{bin}/cat rix, - @{bin}/chgrp rix, - @{bin}/chmod rix, - @{bin}/cut rix, @{bin}/dmsetup rPUx, @{bin}/ethtool rix, - @{bin}/issue-generator rPUx, + @{bin}/issue-generator rPx, @{bin}/kmod rPx, @{bin}/less rPx -> child-pager, - @{bin}/ln rix, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lvm rPx, - @{bin}/mknod rPx, + @{bin}/mknod rix, @{bin}/more rPx -> child-pager, @{bin}/multipath rPx, @{bin}/nfsrahead rix, - @{bin}/nohup rix, @{bin}/pager rPx -> child-pager, @{bin}/perl rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rix, - @{bin}/touch rix, @{bin}/unshare rix, - @{bin}/wc rix, @{lib}/crda/* rPUx, @{lib}/gdm-runtime-config rPx, @@ -90,13 +79,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /etc/nfs.conf rk, - /etc/udev/ r, - /etc/udev/udev.conf r, - /etc/udev/rules.d/ r, - /etc/udev/rules.d/*.rules r, - - /etc/udev/hwdb.d/ r, - /etc/udev/hwdb.d/[0-9][0-9]-*.hwdb r, + /etc/udev/{,**} r, /etc/udev/hwdb.bin rw, /etc/udev/.#hwdb.bin* rw, @@ -121,6 +104,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{PROC}/devices r, @{PROC}/driver/nvidia/gpus/ r, @{PROC}/driver/nvidia/gpus/*/information r, + @{PROC}/driver/nvidia/params r, @{PROC}/pressure/* r, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 7dc00c97..1ea94ec1 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp 
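Review bot: `+ @{coreutils_path} rix,` replaces the removed per-binary rules, but two of the removed entries, `- @{bin}/{,e}grep rix,` and `- @{bin}/sed rix,`, are not coreutils programs, so unless the `@{coreutils_path}` tunable (not visible here) also lists grep and sed, udev rules that shell out to them lose execute permission; keep those two lines if it does not. Separately, `+ @{bin}/mknod rix,` (was `rPx`) now runs mknod inside this profile, whose header carries `complain`, instead of under its own enforced profile, which weakens confinement of a helper that creates device nodes; a comment giving the reason would help. The context line `@{bin}/ls rix,` becomes redundant if `@{coreutils_path}` covers ls. The profile body continues outside the hunk.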
@@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} { network netlink raw, - unix (bind) type=stream addr=@@{hex}/bus/systemd-update-/, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 224123fa..f0c4d79d 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -23,7 +23,7 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - unix (bind) type=stream addr=@@{hex}/bus/systemd-user-ru/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system, @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 0e1568e8..f3ad9f1f 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -22,7 +22,7 @@ profile update-notifier @{exec_path} { include include - unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user, + unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt @@ -90,7 +90,7 @@ profile update-notifier @{exec_path} { include include - unix (bind) type=stream addr=@@{hex}/bus/systemctl/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system, dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 1faff284..529ef955 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -21,7 +21,7 @@ profile docker-proxy @{exec_path} { @{exec_path} mr, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - + @{PROC}/sys/net/core/somaxconn r, include if exists 
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 8ca83930..d551bbfc 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -14,6 +14,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, capability dac_read_search, capability mknod, capability setgid, diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index f512cd05..6341954a 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/fsck -profile fsck @{exec_path} { +profile fsck @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index f248ee7a..b23645f1 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -11,7 +11,6 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -33,8 +32,12 @@ profile login @{exec_path} flags=(attach_disconnected) { signal (send) set=(hup term), + unix type=stream addr=@@{hex16}/bus/login/system, + ptrace read, + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index 339fc084..9a2178f6 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -56,8 +56,7 @@ profile mount @{exec_path} flags=(attach_disconnected) { @{run}/ r, owner @{run}/mount/ rw, - owner @{run}/mount/utab{,.*} rw, - owner @{run}/mount/utab.lock wk, + owner @{run}/mount/utab{,.*} rwk, /tmp/sanity-squashfs-@{int} rw, /tmp/syscheck-squashfs-@{int} rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 342fe1b5..a1a1f291 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass 
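Review bot: `+ capability dac_override,` in the dkms hunk lets the process bypass DAC permission checks on writes and executes, not only on reads as the existing `dac_read_search` does, and the hunk gives no reason for it. This repository annotates capabilities with their purpose (see `capability sys_admin, # To set a hostname` in systemd-hostnamed, L5); `capability dac_override, # <reason from the denial>` would follow that convention, and if the need is unconfirmed the `audit capability net_admin, # Needed?` form used in systemd-localed (L5) flags it for follow-up. The profile body continues outside the hunk.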
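Review bot: `+ unix type=stream addr=@@{hex16}/bus/login/system,` in the second login hunk has no access list, so it grants every unix-socket permission (create, bind, listen, accept, connect, send, receive, getattr, setattr, getopt, setopt) on that address, whereas every other bus-socket rule in this commit is written `unix (bind) ...`; `unix (bind) type=stream addr=@@{hex16}/bus/login/system,` would match them. Likewise `+ ptrace read,` names no peer, so login may ptrace-read any process, while the sibling profiles constrain it, e.g. `ptrace (read) peer=@{p_systemd},` in networkctl (L5); the peer shown in the denial should be named. The profile body continues outside the hunk on both sides.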
@@ -62,7 +62,10 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/{,**} rw, owner /dev/shm/pass.*/{,*} rw, + @{sys}/devices/system/node/ r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, @{PROC}/@{pids}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 8c86ec7f..c4b5cb68 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -11,6 +11,7 @@ profile pcscd @{exec_path} { include include + capability net_admin, capability sys_ptrace, network netlink raw, @@ -29,6 +30,7 @@ profile pcscd @{exec_path} { owner @{run}/pcscd/{,pcscd.pid} rw, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, include if exists diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 3a4f535b..7228dd88 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -48,7 +48,7 @@ profile snapd @{exec_path} { ptrace (read) peer=snap, ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex}/bus/systemctl/, + unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index e3c2f1d4..f67917f5 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -28,6 +28,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { signal (send) set=(cont,hup,winch) peer=su, signal (send) set=(winch) peer=child-pager, signal (send) set=(winch) peer=journalctl, + signal (send) set=(winch) peer=pacman, @{bin}/@{shells} rUx, @{lib}/** PUx,
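Review bot: `+ capability net_admin,` in the first pcscd hunk is a broad network-configuration capability that the hunk does not justify; the only network rule in context is `network netlink raw,`, and I cannot tell from the hunk which operation triggered the denial. The repository's own convention for an unconfirmed capability is visible in systemd-localed (L5), `audit capability net_admin, # Needed?`, which records each use instead of silently granting it; that form or a comment naming the operation would be preferable. The second pcscd hunk's `@{PROC}/@{pid}/fdinfo/@{int} r,` is read-only and raises nothing. The profile body continues outside both hunks.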