From 1a1daeae07e13c12c0ba5e5050f1c291bc0a4243 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Jan 2024 22:46:22 +0000 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/apt/apt | 1 + apparmor.d/groups/bus/dbus-broker-launch | 11 ++- apparmor.d/groups/bus/dbus-daemon | 5 +- .../groups/freedesktop/xdg-desktop-portal | 4 + apparmor.d/groups/gnome/gdm-generate-config | 5 +- apparmor.d/groups/gnome/gio-launch-desktop | 3 +- apparmor.d/groups/gnome/gjs-console | 3 +- .../gnome/gnome-calculator-search-provider | 1 + apparmor.d/groups/gnome/gnome-initial-setup | 11 ++- apparmor.d/groups/gnome/gnome-music | 3 +- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gnome-terminal-server | 2 + apparmor.d/groups/gnome/goa-daemon | 3 + apparmor.d/groups/gnome/tracker-extract | 1 + apparmor.d/groups/kde/ksplashqml | 4 +- apparmor.d/groups/service/dmesg.service | 33 --------- apparmor.d/groups/service/init-exim4 | 16 +++- apparmor.d/groups/service/systemd.service | 27 +++---- apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/profiles-a-f/dleyna-server-service | 5 +- apparmor.d/profiles-s-z/top | 74 +++++++++---------- apparmor.d/profiles-s-z/wireplumber | 3 + 23 files changed, 118 insertions(+), 100 deletions(-) delete mode 100644 apparmor.d/groups/service/dmesg.service diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 58ee1260..316d5940 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -93,6 +93,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { # Ubuntu specificities @{lib}/ubuntu-advantage/apt-esm-hook rPx, @{lib}/ubuntu-advantage/apt-esm-json-hook rPx, + @{lib}/ubuntu-release-upgrader/do-partial-upgrade rPx, @{lib}/update-notifier/update-motd-updates-available rPx, /usr/share/command-not-found/cnf-update-db rPx, /usr/share/language-tools/language-options rPx, 
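Review bot: The new `@{lib}/ubuntu-release-upgrader/do-partial-upgrade rPx,` transitions with no fallback, so if no profile attaches to that path the exec is denied outright instead of running unconfined; I cannot see a profile for it in this patch, so please confirm one already exists in the tree. If `Px` is deliberate so that a missing profile fails closed, a short comment such as `# needs the do-partial-upgrade profile` next to the rule would spare the next reader a denial hunt. The apt profile body continues outside the hunk.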
diff --git a/apparmor.d/groups/bus/dbus-broker-launch b/apparmor.d/groups/bus/dbus-broker-launch index 86bcd698..33342570 100644 --- a/apparmor.d/groups/bus/dbus-broker-launch +++ b/apparmor.d/groups/bus/dbus-broker-launch @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/dbus-broker-launch -profile dbus-broker-launch @{exec_path} { +profile dbus-broker-launch @{exec_path} flags=(attach_disconnected) { include include @@ -19,13 +19,16 @@ profile dbus-broker-launch @{exec_path} { @{bin}/dbus-broker rPUx, - @{system_share_dirs}/dbus-1/{,**} r, - @{system_share_dirs}/dbus-1/services/{,**} r, /usr/share/dbus-1/{,**} r, /usr/share/defaults/**.conf r, + # Extra rules for Flatpak + @{system_share_dirs}/dbus-1/{,**} r, + /etc/machine-id r, + @{run}/user/@{uid}/dbus-1/{,**} r, + @{PROC}/sys/kernel/random/boot_id r, include if exists diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index ae89649f..11dcba86 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -91,10 +91,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/dbus-1/services/{,**} r, /var/lib/snapd/dbus-1/system-services/{,**} r, - @{user_share_dirs}/icc/{,edid-*} r, + @{user_share_dirs}/icc/ r, + @{user_share_dirs}/icc/edid-*.icc r, owner @{user_share_dirs}/dbus-1/{,**} r, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/*.ref rw, @{run}/systemd/notify w, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 6b446339..7bca30e2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal 
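Review bot: `@{run}/user/@{uid}/dbus-1/{,**} r,` in the new Flatpak block carries no `owner` qualifier, so a launcher instance serving one user may read every user's session-bus service directory under `/run/user/*/dbus-1/`; `@{uid}` matches any uid, not the caller's. Unless the system-scope launcher genuinely needs other users' session services, `owner @{run}/user/@{uid}/dbus-1/{,**} r,` is the tighter rule and matches how dbus-daemon guards `owner @{user_share_dirs}/dbus-1/{,**} r,` in the next file. The added `flags=(attach_disconnected)` also deserves a one-line comment naming the disconnected path it was introduced for (presumably the Flatpak mount namespace), since the flag silently turns certain denials into allows for paths the profile cannot see.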
@@ -63,12 +63,15 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { / r, /.flatpak-info r, + /usr/share/dconf/profile/gdm r, /usr/share/pipewire/client.conf r, /usr/share/xdg-desktop-portal/** r, /etc/pipewire/client.conf.d/ r, /etc/sysconfig/proxy r, + /var/lib/gdm{,3}/greeter-dconf-defaults r, + /var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/applications/{**,} r, @@ -87,6 +90,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index d4adac0c..36ebfe99 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -11,7 +11,10 @@ profile gdm-generate-config @{exec_path} { include include + capability chown, capability dac_read_search, + capability fowner, + capability fsetid, capability setgid, capability setuid, @@ -29,8 +32,8 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm/{,**} r, /var/lib/ r, + /var/lib/gdm{3,}/ rw, /var/lib/gdm{3,}/{,**} r, - /var/lib/gdm{3,}/greeter-dconf-defaults rw, /var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 9c920401..a0655b84 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -20,7 +20,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib}/gio-launch-desktop rix, + @{bin}/gnome-terminal rPUx, + @{lib}/gio-launch-desktop rix, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index ace95af8..c82477b6 100644 
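Review bot: The gdm-generate-config hunk drops `/var/lib/gdm{3,}/greeter-dconf-defaults rw,` and leaves only the `{,**} r` match for that file, so if the generator finalizes `greeter-dconf-defaults.@{rand6}` by renaming it over the real file, AppArmor will deny the rename: rename(2) needs `w` on the destination path, and the new `/var/lib/gdm{3,}/ rw,` on the parent directory does not substitute for it. If that is the flow, keep `/var/lib/gdm{3,}/greeter-dconf-defaults w,` beside the `.@{rand6} w` rule. The three new capabilities (`chown`, `fowner`, `fsetid`) on top of `setgid`/`setuid` are a lot for a config generator; a comment naming the chown/chmod step that needs each would justify them. The profile body continues outside the hunk.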
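Review bot: `@{bin}/gnome-terminal rPUx,` in gio-launch-desktop falls back to running the terminal unconfined whenever no gnome-terminal profile is loaded, and a launcher that already holds `owner @{HOME}/{,**} rw` is exactly the place where a silent unconfined fallback is least welcome. If a gnome-terminal profile is shipped, `@{bin}/gnome-terminal rPx,` fails closed instead; if the `U` fallback is deliberate because some distributions do not ship that profile, a comment saying so would stop it being tightened by mistake. The enclosing profile continues outside the hunk.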
--- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -19,6 +19,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -59,7 +60,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/{,**} r, /usr/share/icu/@{int}.@{int}/*.dat r, - /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, /var/lib/gdm{3,}/.config/dconf/user r, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index abb55fc2..6c7d2320 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -13,6 +13,7 @@ profile gnome-calculator-search-provider @{exec_path} { include include include + include signal (send) set=kill peer=unconfined, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 1fbb35bb..24a8dfc1 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -12,7 +12,8 @@ profile gnome-initial-setup @{exec_path} { include include include - include + include + include network netlink raw, @@ -22,11 +23,19 @@ profile gnome-initial-setup @{exec_path} { @{bin}/df rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/locale rix, @{bin}/lscpu rPx, @{bin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, + /usr/share/dconf/profile/gdm r, + + /var/lib/gdm{,3}/greeter-dconf-defaults r, + + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, + include if exists } \ No newline at end of file 
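Review bot: `/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,` widens from read to read-write without an `owner` qualifier, so as far as AppArmor is concerned any gjs-console instance, including one in a normal user session, may write the greeter's fontconfig cache; only DAC on the gdm home stands in the way. The neighbouring gstreamer rules share that shape, but for a rule being widened now `owner /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,` costs nothing when the writer is the gdm user itself, which is presumably the case here. The profile body continues outside the hunk.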
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 55a03ecf..40c2594c 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -28,6 +28,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, + @{bin}/env r, @{bin}/python3.@{int} rix, @{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw, @@ -44,8 +45,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, + owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, owner /var/tmp/etilqs_@{hex} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0fbef9c8..e9fb387b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -377,6 +377,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/event@{int} rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 447ac40a..e6e93528 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -104,6 +104,7 @@ profile gnome-software @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, /dev/fuse rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 7f533e58..cc8ae744 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server 
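Review bot: `@{bin}/env r,` in gnome-music grants read only; if it was added for a `#!/usr/bin/env python3` shebang, the interpreter is executed rather than read, and the denial will persist until the rule becomes `@{bin}/env rix,` in line with the `@{bin}/python3.@{int} rix,` below it. If instead something merely stats or reads the binary, a comment saying so would stop the next person from "fixing" it. The second hunk in this file only reorders the `orcexec`/`inhibit` lines. The profile body continues outside the hunk.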
+++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -60,6 +60,8 @@ profile gnome-terminal-server @{exec_path} { owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk, owner @{user_config_dirs}/*xdg-terminals.list* rw, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, owner @{user_config_dirs}/pulse/cookie rk, owner @{run}/user/@{uid}/pulse/ r, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 72befb09..fa9afe49 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -40,6 +40,9 @@ profile goa-daemon @{exec_path} { /var/lib/gdm{3,}/.config/dconf/user r, + owner /var/lib/gdm{3,}/.config/ w, + owner /var/lib/gdm{3,}/.config/goa-1.0/ w, + owner @{user_config_dirs}/goa-1.0/ rw, owner @{user_config_dirs}/goa-1.0/accounts.conf* rw, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 02011fe9..dda13e90 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -16,6 +16,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 90652b15..74a999f4 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml 
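Review bot: `owner /var/lib/gdm{3,}/.config/ w,` and `owner /var/lib/gdm{3,}/.config/goa-1.0/ w,` in goa-daemon let the daemon create those directories in the greeter's home, but nothing shown allows writing `goa-1.0/accounts.conf*` under `/var/lib/gdm{3,}`; only the `@{user_config_dirs}` copy is writable. Unless `@{user_config_dirs}` already expands to the gdm home in the greeter session, the mkdir will succeed and the following open-for-write will still be denied. Either add the matching `owner /var/lib/gdm{3,}/.config/goa-1.0/accounts.conf* rw,`, or, if the intent is only to silence the directory-creation denial, say so in a comment. The enclosing profile continues outside the hunk.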
@@ -21,9 +21,11 @@ profile ksplashqml @{exec_path} { /usr/share/qt/translations/*.qm r, owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksplash/ rw, + owner @{user_cache_dirs}/ksplash/qmlcache/ rw, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int}, - owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int}, + owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdeglobals r, diff --git a/apparmor.d/groups/service/dmesg.service b/apparmor.d/groups/service/dmesg.service deleted file mode 100644 index ce825ce7..00000000 --- a/apparmor.d/groups/service/dmesg.service +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for a systemd service, it does not specify an attachment path because -# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service - -abi , - -include - -profile dmesg.service { - include - - @{bin}/savelog mr, - - @{bin}/basename rix, - @{bin}/chmod rix, - @{bin}/date rix, - @{bin}/dirname rix, - @{bin}/gzip rix, - @{bin}/ln rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/touch rix, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - include if exists - include if exists -} \ No newline at end of file diff --git a/apparmor.d/groups/service/init-exim4 b/apparmor.d/groups/service/init-exim4 index d93dafca..1ffc8e34 100644 --- a/apparmor.d/groups/service/init-exim4 +++ b/apparmor.d/groups/service/init-exim4 
@@ -9,6 +9,13 @@ include @{exec_path} = /etc/init.d/exim4 profile init-exim4 @{exec_path} { include + include + + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability net_admin, @{exec_path} mr, @@ -23,6 +30,7 @@ profile init-exim4 @{exec_path} { @{bin}/install rix, @{bin}/mv rix, @{bin}/plymouth rPx, + @{bin}/rm rix, @{bin}/run-parts rix, @{bin}/sed rix, @{bin}/start-stop-daemon rix, @@ -31,7 +39,13 @@ profile init-exim4 @{exec_path} { @{bin}/tr rix, @{bin}/update-exim4.conf rix, - /var/lib/exim4/config.autogenerated.tmp rw, + /etc/default/exim4 r, + /etc/exim4/* r, + /etc/mailname r, + + /var/lib/exim4/* rw, + + owner @{run}/exim4/{,**} rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/service/systemd.service b/apparmor.d/groups/service/systemd.service index 657e68fe..af1c4ca6 100644 --- a/apparmor.d/groups/service/systemd.service +++ b/apparmor.d/groups/service/systemd.service @@ -15,24 +15,20 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) { capability sys_admin, - @{bin}/{,ba,da}sh rm, + # TODO: + mount -> @{sys}/fs/fuse/connections/, + mount -> @{sys}/kernel/*/, + mount -> /dev/*/, + mount -> /efi/, + mount -> /tmp/, - @{bin}/cp rix, - @{bin}/find rix, - @{bin}/grep rix, - @{bin}/install rix, - @{bin}/mkdir rix, - @{bin}/mount rix, - @{bin}/rm rix, + @{bin}/mount rix, # TODO: maybe, keep it in systemed @{bin}/systemctl rix, + @{coreutils_path} rix, + @{shells_path} rmix, @{bin}/grub-editenv rPx, @{bin}/ibus-daemon rPx, - - @{bin}/chgrp rPx -> dmesg.service, - @{bin}/chmod rPx -> dmesg.service, - @{bin}/savelog rPx -> dmesg.service, - @{bin}/ldconfig rPx -> ldconfig.service, @{lib}/ r, 
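Review bot: `capability net_admin,` in the init-exim4 wrapper profile is hard to justify from the rules shown: the network-facing work is presumably done by exim itself after the `start-stop-daemon` step, and the `chown`/`fowner`/`fsetid` trio already covers the `install`/`chmod`/`mv` housekeeping, so please add a comment naming the command that raised the denial or drop it. Separately, `/etc/exim4/* r,` does not match `/etc/exim4/conf.d/**`, so if `update-exim4.conf` (run `rix`, i.e. under this profile) reads the split configuration it will still be denied; `/etc/exim4/{,**} r,` is the usual shape. The profile body continues outside the hunk.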
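Review bot: The five new `mount -> …` rules under `# TODO:` in systemd.service carry no `fstype=` or `options=` restriction, and together with the existing `capability sys_admin` they let anything running under this profile mount an arbitrary filesystem over `/tmp/`, `/efi/`, any `/dev/*/` and any `@{sys}/kernel/*/` directory. Since `@{shells_path} rmix` and `@{coreutils_path} rix` now also run generic shells and `mount` inside the same profile, it is close to a root shell with mount rights; at minimum the TODO should record which unit needs each target so the rules can be narrowed, e.g. `mount fstype=tmpfs -> /tmp/,` and `mount fstype=fusectl -> @{sys}/fs/fuse/connections/,`. The dmesg.service profile was folded back in here (the `/var/log/dmesg` rules in the next hunk), which is presumably why the coreutils set widened; a comment tying those rules to that service would preserve the provenance. The profile body continues outside the hunk.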
@@ -43,6 +39,10 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) { /boot/grub/grubenv rw, /boot/grub/ w, + /var/log/ r, + /var/log/dmesg rw, + /var/log/dmesg.* rwl -> /var/log/dmesg, + # snapd.system-shutdown.service @{run}/initramfs/shutdown rw, @{run}/initramfs/ rw, @@ -50,5 +50,6 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + include if exists include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index d32602fd..65fc4118 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -42,6 +42,7 @@ profile systemd-journald @{exec_path} { owner @{run}/systemd/notify rw, @{run}/host/container-manager r, + @{run}/utmp rk, @{run}/udev/data/+acpi:* r, @{run}/udev/data/+bluetooth:* r, diff --git a/apparmor.d/profiles-a-f/dleyna-server-service b/apparmor.d/profiles-a-f/dleyna-server-service index 62a5cdad..02458979 100644 --- a/apparmor.d/profiles-a-f/dleyna-server-service +++ b/apparmor.d/profiles-a-f/dleyna-server-service @@ -19,7 +19,10 @@ profile dleyna-server-service @{exec_path} { @{exec_path} mr, - @{user_config_dirs}/dleyna-server-service.conf r, + /etc/dleyna-server-service.conf r, + + @{user_config_dirs}/dleyna-server-service.conf r, + owner @{user_config_dirs}/dleyna-server-service.conf w, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index 9591cee8..7708eba3 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top 
@@ -1,13 +1,12 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# When any of the "ns*" fields is displayed, the following error will be printed: -# "Failed name lookup - disconnected path" error=-13 profile="top" name="". @{exec_path} = @{bin}/top profile top @{exec_path} flags=(attach_disconnected) { include 
@@ -15,62 +14,57 @@ profile top @{exec_path} flags=(attach_disconnected) { include include - # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, - - # To manage priorities. - capability sys_nice, - - # To terminate other users' processes when top is started as root. capability kill, - + capability sys_nice, capability sys_ptrace, signal (send), + ptrace (read), @{exec_path} mr, /usr/share/terminfo/** r, - @{PROC}/ r, - @{PROC}/loadavg r, - @{PROC}/uptime r, - @{PROC}/tty/drivers r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/wchan r, - - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/statm r, - @{PROC}/@{pids}/task/@{tid}/environ r, - @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, - @{PROC}/@{pids}/task/@{tid}/oom_score r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/task/@{tid}/cgroup r, - @{PROC}/@{pids}/task/@{tid}/wchan r, - @{PROC}/@{pids}/task/@{tid}/status r, - /etc/topdefaultrc r, /etc/toprc r, + owner @{user_config_dirs}/procps/ rw, + owner @{user_config_dirs}/procps/toprc rw, + + @{run}/systemd/sessions/ r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/node@{int}/cpumap r, - owner @{user_config_dirs}/procps/ rw, - owner @{user_config_dirs}/procps/toprc rw, + @{PROC}/ r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_score r, + @{PROC}/@{pids}/oom_score r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/ r, + 
@{PROC}/@{pids}/task/@{tid}/cgroup r, + @{PROC}/@{pids}/task/@{tid}/cmdline r, + @{PROC}/@{pids}/task/@{tid}/environ r, + @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, + @{PROC}/@{pids}/task/@{tid}/oom_score r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/statm r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/task/@{tid}/wchan r, + @{PROC}/@{pids}/wchan r, + @{PROC}/loadavg r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, include if exists } diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 0ee493f0..a33053e1 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -41,8 +41,11 @@ profile wireplumber @{exec_path} { /etc/machine-id r, + /var/lib/gdm{3,}/.local/state/ w, + /var/lib/gdm{3,}/.local/ w, /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw, + owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, owner @{user_state_dirs}/wireplumber/{,**} rw,
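Review bot: The rewritten `@{PROC}` list contains `@{PROC}/@{pids}/oom_{,score_}adj r,` and `@{PROC}/@{pids}/oom_score r,` twice each; the second copies are dead rules and should be removed. The new `ptrace (read),` has no `peer=` qualifier, which together with `capability sys_ptrace` lets top read any process's `/proc` data; that is what top does, but the per-capability explanations this hunk removed were the only place saying so, and a one-line comment such as `# read /proc/<pid>/{environ,wchan} of other users' processes` would keep that intent. `@{run}/systemd/sessions/ r,` is also new and undocumented here.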