diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index dd5b2684..bdd917cd 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -18,10 +18,12 @@ profile pulseaudio @{exec_path} {
   include
   include
   include
+  include
   include
   include
   include
   include
   include
+  include
   include
   ptrace (trace) peer=@{profile_name},
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
index 1c63d934..829f88bc 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
@@ -49,8 +49,9 @@ profile xdg-user-dirs-update @{exec_path} {
   owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w,
   owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
-  owner @{user_config_dirs}/user-dirs.dirs r,
+  owner @{user_config_dirs}/user-dirs.dirs rw,
   owner @{user_config_dirs}/user-dirs.dirs?????? rw,
+  owner @{user_config_dirs}/user-dirs.locale rw,
   include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider
index d836678e..0b8042f3 100644
--- a/apparmor.d/groups/gnome/gnome-contacts-search-provider
+++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider
@@ -26,6 +26,8 @@ profile gnome-contacts-search-provider @{exec_path} {
   owner @{user_share_dirs}/folks/relationships.ini rw,
   owner @{user_share_dirs}/mime/mime.cache r,
+  owner @{user_cache_dirs}/folks/{,**/} rw,
+  owner @{PROC}/@{pid}/cmdline r,
   include if exists
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 20ef114f..5fba4a1a 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
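Review bot: The new `owner @{user_config_dirs}/user-dirs.locale rw,` line has no temp-file companion, while the neighbouring `user-dirs.dirs` rule is paired with `user-dirs.dirs?????? rw,`. If xdg-user-dirs-update writes the locale file through the same mkstemp-and-rename path (not verifiable from the hunk), the write will still be denied on the temporary name and a `user-dirs.locale?????? rw,` rule will be needed next to it. Widening `user-dirs.dirs` from `r` to `rw` is consistent with that rename pattern, since the rename target needs `w`.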
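Review bot: The added `owner @{user_cache_dirs}/folks/{,**/} rw,` only matches the `folks/` directory and directories beneath it, because of the trailing slash inside the alternation; regular files under `folks/` are not covered by this rule. If folks stores cache files there (likely, but not shown by the hunk), the intended form is the one used elsewhere in these profiles: `owner @{user_cache_dirs}/folks/{,**} rw,`. If only directory creation is meant, a short comment saying so would stop the next reader from "fixing" it.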
@@ -156,7 +156,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   @{libexec}/gio-launch-desktop rix,
   /{usr/,}bin/aa-notify rPx,
-  /{usr/,}bin/baloo_file rPUx,
+  /{usr/,}bin/baloo_file rPx,
   /{usr/,}bin/blueman-applet rPx,
   /{usr/,}bin/firewall-applet rPUx,
   /{usr/,}bin/gnome-keyring-daemon rPx,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 38689586..297b429f 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -523,7 +523,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm{3,}/.cache/ w,
   /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
-  /var/lib/gdm{3,}/.cache/fontconfig/* rw,
+  /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl,
   /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw,
   /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
   /var/lib/gdm{3,}/.cache/libgweather/ r,
@@ -565,6 +565,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{user_config_dirs}/.goutputstream{,*} rw,
   owner @{user_config_dirs}/ibus/ w,
   owner @{user_config_dirs}/monitors.xml{,~} rwl,
+  owner @{user_config_dirs}/pulse/ r,
   owner @{user_config_dirs}/tiling-assistant/{,**} rw,
   owner @{user_share_dirs}/backgrounds/{,**} rw,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index afefd5e0..3f651447 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -74,9 +74,12 @@ profile gnome-software @{exec_path} {
   /var/tmp/#[0-9]* rw,
   owner @{HOME}/.var/app/{,**} rw,
-  owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw,
+
+  owner @{user_cache_dirs}/flatpak/{,**} rw,
   owner @{user_cache_dirs}/gnome-software/{,**} rw,
+  owner @{user_config_dirs}/pulse/*.conf r,
+  owner @{user_share_dirs}/ r,
   owner @{user_share_dirs}/flatpak/repo/{,**} rw,
   owner @{user_share_dirs}/gnome-software/{,**} rw,
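Review bot: Switching `/{usr/,}bin/baloo_file` from `rPUx` to `rPx` removes the unconfined fallback, so the exec is denied outright on any system where no `baloo_file` profile is loaded; please confirm that profile ships in this tree and is enabled by default on the same distributions this profile targets. The tightening itself is the right direction, since `rPUx` lets a confined session launcher spawn an unconfined indexer. A one-line comment next to the rule naming the profile it transitions to would make the dependency visible to whoever next touches this list.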
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index a7d002b3..a3519116 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -105,7 +105,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm{3,}/.config/.gsd-keyboard.settings-ported* rw,
   owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
-  owner @{user_share_dirs}/gnome-settings-daemon/ rw,
+  owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/wayland-[0-9] rw,
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index 18977cf2..82632478 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@@ -11,11 +11,15 @@ profile kgx @{exec_path} {
   include
   include
   include
+  include
   include
   include
   include
   include
   include
+  include
+
+  capability sys_ptrace,
   ptrace (read),
@@ -36,6 +40,9 @@ profile kgx @{exec_path} {
   /usr/share/themes/{,**} r,
   /usr/share/X11/xkb/{,**} r,
+  owner /tmp/#[0-9]* rw,
+
+  @{PROC}/ r,
   @{PROC}/@{pids}/cmdline r,
   @{PROC}/@{pids}/stat r,
   @{PROC}/1/cgroup r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 3d1cf508..29d09acd 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -43,9 +43,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
   /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/net rPUx,
-  /{usr/,}bin/firejail rPUx,
   /{usr/,}bin/bwrap rPUx,
+  /{usr/,}bin/firejail rPUx,
+  /{usr/,}bin/net rPUx,
+  /{usr/,}bin/tracker3 rPUx,
   /{usr/,}lib/gio-launch-desktop rPx -> child-open,
   /usr/share/*ubuntu/applications/{,**} r,
diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control
index c0ebacb9..9620b113 100644
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
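Review bot: `capability sys_ptrace,` in the first kgx hunk grants more than a user-session terminal should ever hold, and it is worth checking what denial prompted it. When kgx reads `@{PROC}/@{pids}/cmdline` or `stat` for processes it does not own, the kernel's access check falls back to a CAP_SYS_PTRACE capability test that AppArmor audits even though an unprivileged process cannot actually use the capability; if that audit noise is the motivation (I cannot see the log from here), `deny capability sys_ptrace,` silences it without granting anything should kgx ever run with elevated privileges. The existing `ptrace (read),` already covers the legitimate same-user reads. A short comment above the rule stating which operation needed it would settle the question for later readers.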
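Review bot: The new `/{usr/,}bin/tracker3 rPUx,` in the nautilus hunk falls back to running tracker3 unconfined wherever no matching profile is loaded; if this tree already confines tracker3, `/{usr/,}bin/tracker3 rPx,` keeps the search helper inside its own profile instead. If no such profile exists, the unconfined fallback is the only option today, but that is worth stating in a comment so the rule is revisited once one lands. The reordering of `net`, `firejail` and `bwrap` into alphabetical order is fine.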
@@ -18,7 +18,9 @@ profile mission-control @{exec_path} flags=(attach_disconnected) {
   /usr/share/telepathy/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,
+  owner @{user_share_dirs}/telepathy/ rw,
+  owner @{user_share_dirs}/telepathy/mission-control/ rw,
+  owner @{user_share_dirs}/telepathy/mission-control/*.cfg* rw,
   owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,