diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index ed1aad9d..7c2be653 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -9,7 +9,7 @@ include
 @{chromium_name} = brave{,-beta,-dev,-bin}
 @{chromium_domain} = com.brave.Brave
-@{chromium_lib_dirs} = /opt/brave.com/@{chromium_name} /opt/brave-bin/@{chromium_name}
+@{chromium_lib_dirs} = /opt/brave{-bin,.com}/@{chromium_name}
 @{chromium_config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
 @{chromium_cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index 9dbef684..0873d91c 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio
 profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   include
+  include
   capability dac_read_search,
   capability mknod,
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index 0e581cbb..1c126650 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@@ -22,6 +22,7 @@ profile systemd-machine-id-setup @{exec_path} {
   /var/ r,
   @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,
   owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs
index af074104..41f19b6a 100644
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@@ -26,6 +26,9 @@ profile systemd-remount-fs @{exec_path} {
   /etc/fstab r,
   @{run}/host/container-manager r,
+  @{run}/mount/utab rw,
+  @{run}/mount/utab.?????? rw,
+  @{run}/mount/utab.lock rwk,
   @{PROC}/ r,
   @{PROC}/1/cmdline r,
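Review bot: The three `@{run}/mount/utab*` rules added after `@{run}/host/container-manager r,` presumably track libmount's update of the userspace mount table (temporary file, rename over `utab`, lock file), and `?` in `utab.??????` matches any single character other than `/`, so the rule admits any six-character suffix rather than only the alphanumeric set a mkstemp-style temporary name carries. If the tree's tunables already define a six-character alphanumeric pattern, prefer it over the six `?`; otherwise a comment above the block such as `# libmount userspace mount table (utab) update` would record why a remount tool needs write access there. The same trio is likely needed by other profiles that drive libmount, so a shared abstraction may be worth considering. The `systemd-remount-fs` profile body continues beyond both ends of the hunk.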
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 5a7ceb0b..3c555f77 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -66,6 +66,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   /usr/share/hplip/config_usb_printer.py rPUx,
   /etc/console-setup/*.sh rPUx,
+  /etc/network/cloud-ifupdown-helper rPUx,
   /etc/machine-id r,
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status
index 292b385d..0526f1fe 100644
--- a/apparmor.d/profiles-a-f/aa-status
+++ b/apparmor.d/profiles-a-f/aa-status
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/aa-status
+@{exec_path} = /{usr/,}{s,}bin/aa-status /{usr/,}{s,}bin/apparmor_status
 profile aa-status @{exec_path} {
   include
   include
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index a3ff1c0f..f19456eb 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -11,6 +11,7 @@ include
 profile appstreamcli @{exec_path} flags=(complain) {
   include
   include
+  include
   include
   capability dac_read_search,
@@ -50,7 +51,6 @@ profile appstreamcli @{exec_path} flags=(complain) {
   owner @{user_cache_dirs}/appstream-cache-*.mdb rw,
   owner @{user_cache_dirs}/appstream/ rw,
   owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
-  owner @{user_share_dirs}/mime/mime.cache r,
   owner /tmp/appstream-cache-*.mdb rw,
   owner /tmp/appstream/ rw,
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup
index 7df34f07..7e4f6850 100644
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@@ -41,6 +41,7 @@ profile ifup @{exec_path} {
   @{run}/network/ rw,
   @{run}/network/{.,}ifstate* rwk,
   @{run}/network/{ifup,ifdown}-*.pid rw,
+  @{run}/network/interfaces.d/{,*} r,
   # For setting a USB modem
   owner /dev/ttyUSB[0-9]* rw,
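Review bot: The new `/etc/network/cloud-ifupdown-helper rPUx,` rule lets udevd run this helper unconfined whenever no profile is attached to that path, because `Ux` is the fallback when the `P` target is absent. The two neighbouring `rPUx` rules follow the same pattern, so the line is consistent with the file, but the helper presumably brings up hot-plugged interfaces as root, and since this commit also touches the `ifup` profile, a dedicated profile for the helper with `rPx` would keep that execution path confined rather than relying on the unconfined fallback. The `systemd-udevd` profile extends beyond both ends of the hunk.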
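Review bot: The `owner @{user_share_dirs}/mime/mime.cache r,` rule dropped in the second appstreamcli hunk (`@@ -50,7 +51,6 @@`) is presumably now covered by the abstraction included in the first hunk (`@@ -11,6 +11,7 @@`), but the include target is not visible on that line as rendered, so the coverage cannot be confirmed from the diff alone. If the included abstraction does not grant read on the user's MIME cache, appstreamcli loses that access, and because the profile carries `flags=(complain)` this would surface only as an audit entry rather than a refused read, which is easy to miss. A short comment on the include, e.g. `# covers @{user_share_dirs}/mime/mime.cache`, would make the dependency explicit. Both hunks sit inside the `profile appstreamcli` body, which continues beyond them.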