diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index f242da61..081ecd17 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -24,6 +24,7 @@ profile gnome-calendar @{exec_path} {
 @{exec_path} mr,
 /usr/share/egl/{,**} r,
+ /usr/share/evolution-data-server/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/libgweather/Locations.xml r,
diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale
index 3c0545a9..71e75abf 100644
--- a/apparmor.d/groups/network/tailscale
+++ b/apparmor.d/groups/network/tailscale
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/tailscale
 profile tailscale @{exec_path} {
 include
+ include
 ptrace (read),
@@ -26,6 +27,7 @@ profile tailscale @{exec_path} {
 @{PROC}/ r,
 @{PROC}/@{pids}/stat r,
+ @{PROC}/sys/net/core/somaxconn r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 655a3a49..482027cd 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -70,6 +70,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/ln rix,
 /{usr/,}bin/perl rix,
 /{usr/,}bin/pkill rix,
+ /{usr/,}bin/cp rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/setcap rix,
@@ -129,13 +130,14 @@ profile pacman @{exec_path} {
 owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
 owner /tmp/checkup-db-[0-9]*/db.lck rw,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mounts r,
 @{PROC}/@{pids}/ r,
- @{PROC}/@{pids}/stat r,
 @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/stat r,
 @{PROC}/1/environ r,
 @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/uptime r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
 @{run}/utmp rk,
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index 9a027e43..f5c7900f 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
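Review bot: The added `/{usr/,}bin/cp rix,` in the first pacman hunk breaks the alphabetical order the surrounding exec list keeps (ln, perl, pkill, rm, sed, setcap); it belongs before `/{usr/,}bin/ln rix,`. The second pacman hunk in this same commit re-sorts the @{PROC} rules, so keeping this list sorted as well avoids a follow-up reorder. Moving the line is the only change; its permissions match the sibling coreutils entries. The rest of the pacman profile lies outside both hunks.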
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -21,10 +22,8 @@ profile coredumpctl @{exec_path} flags=(complain) {
 /{usr/,}bin/more rPx -> child-pager,
 /{usr/,}bin/pager rPx -> child-pager,
- owner /tmp/*.coredump w,
- owner /tmp/core.* w,
-
- owner /var/tmp/coredump-* rw,
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
 /var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r,
@@ -34,39 +33,38 @@ profile coredumpctl @{exec_path} flags=(complain) {
 /{run,var}/log/journal/@{hex}/system.journal* r,
 /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
- owner @{PROC}/@{pid}/cgroup r,
+ owner /tmp/*.coredump w,
+ owner /tmp/core.* w,
+ owner /var/tmp/coredump-* rw,
+ @{PROC}/1/cgroup r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
+ owner @{PROC}/@{pid}/cgroup r,
 profile gdb {
 include
- include
 include
+ include
 ptrace (trace),
- /{usr/,}bin/gdb mr,
+ /{usr/,}bin/gdb mr,
+ /{usr/,}bin/iconv rix,
- /{usr/,}bin/iconv rix,
- /{usr/,}bin/* r,
- /{usr/,}sbin/* r,
+ /{usr/,}{s,}bin/* r,
- @{PROC}/@{pids}/fd/ r,
-
- /etc/inputrc r,
-
- /etc/gdb/** r,
- /usr/share/gdb/{,**} r,
- /usr/share/glib-2.0/gdb/{,**} r,
 /usr/share/gcc-[0-9]*/python/{,**} r,
 /usr/share/gcc/** r,
+ /usr/share/gdb/{,**} r,
+ /usr/share/glib-2.0/gdb/{,**} r,
 /usr/share/terminfo/x/xterm-256color r,
-
+
+ /etc/inputrc r,
+ /etc/gdb/** r,
+ owner /var/tmp/coredump-* rw,
+ @{PROC}/@{pids}/fd/ r,
+
 # Silencer
 deny /usr/share/** w,
diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight
index d50a26cd..9c315a7a 100644
--- a/apparmor.d/groups/systemd/systemd-backlight
+++ b/apparmor.d/groups/systemd/systemd-backlight
@@ -24,6 +24,7 @@ profile systemd-backlight @{exec_path} {
 @{run}/udev/data/+leds:*backlight* r,
 @{sys}/bus/ r,
+ @{sys}/bus/pci/devices/ r,
 @{sys}/class/ r,
 @{sys}/class/backlight/ r,
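Review bot: In the third coredumpctl hunk the gdb child profile gains `owner /var/tmp/coredump-* rw,`, the same rule the parent profile now carries, but if gdb only loads the dump that coredumpctl extracted then read access is all it needs and `owner /var/tmp/coredump-* r,` would keep the write side confined to the parent. If the child really does need write, a one-line comment on the rule saying why would settle it for the next reader. The `- /{usr/,}bin/gdb mr,` / `+ /{usr/,}bin/gdb mr,` pair shows identical text on this page, so that part is presumably a whitespace-only change. The gdb subprofile continues past the end of the hunk.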
@@ -34,7 +35,7 @@ profile systemd-backlight @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{max_brightness,actual_brightness} r,
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type} r,
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/brightness rw,
- @{sys}/devices/pci[0-9]*/*/uevent r,
+ @{sys}/devices/pci[0-9]*/**/uevent r,
 @{sys}/devices/platform/**/leds/*backlight*/brightness rw,
 @{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 8a9d0c58..712a5ab5 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -83,6 +83,7 @@ profile git @{exec_path} {
 owner @{user_projects_dirs}/ rw,
 owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
+ owner @{user_projects_dirs}/**/.git/hooks/* rix,
 owner @{user_cache_dirs}/*/ rw,
 owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
 owner /tmp/** rwkl -> /tmp/**,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 852b6dc1..0aca7c62 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -62,8 +62,9 @@ profile sudo @{exec_path} {
 /etc/sudoers r,
 /etc/sudoers.d/{,*} r,
- /var/log/sudo.log wk,
+ /var/db/sudo/lectured/ r,
 /var/lib/sudo/lectured/ r,
+ /var/log/sudo.log wk,
 owner /var/lib/sudo/lectured/* rw,
 owner @{HOME}/.sudo_as_admin_successful rw,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 467fce94..6e44efbe 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -45,6 +45,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/setfacl rix,
 /{usr/,}{s,}bin/libvirtd rPx,
+ /{usr/,}bin/ssh rPx,
 /{usr/,}lib/spice-client-glib-usb-acl-helper rPx,
 /usr/share/egl/{,**} r,
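Review bot: Widening `@{sys}/devices/pci[0-9]*/*/uevent r,` to `@{sys}/devices/pci[0-9]*/**/uevent r,` makes it subsume the `uevent` half of `@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type} r,` three lines above, so that rule could be reduced to `.../type r,` if this profile set prefers non-overlapping rules. A comment on the widened rule naming the device depth that the single-level glob missed would explain why `**` is needed rather than a second fixed level. Both rules grant only read on sysfs uevent attributes, so the broader glob appears to add little exposure. The rest of the systemd-backlight profile is outside the hunk.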
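Review bot: `owner @{user_projects_dirs}/**/.git/hooks/* rix,` runs repository-local hook scripts under git's own confinement, which is the right choice over an unconfined transition, but nothing on the rule records that intent; a comment such as `# Hooks are per-repository scripts: run them confined (ix), never unconfined` would document it. Because hooks inherit this profile, a hook that calls a tool not allowed here is denied rather than escaping confinement, which is worth stating in the same comment so such denials are recognised as expected. For the `rix` to be useful, the interpreters hooks typically run under must already have `ix` rules in this profile; that part of the git profile is outside the hunk.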
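Review bot: The new `/var/db/sudo/lectured/ r,` only covers listing the directory, whereas its `/var/lib` sibling is paired with `owner /var/lib/sudo/lectured/* rw,` so that sudo can create the per-user lecture stamp. If `/var/db/sudo/lectured/` is the lecture directory on the systems this addition targets, sudo will also need `owner /var/db/sudo/lectured/* rw,` alongside the existing `/var/lib` rule; if the directory is only probed for existence, a comment saying so would pre-empt the question. The rest of the sudo profile is outside the hunk.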
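Review bot: `/{usr/,}bin/ssh rPx,` transitions into a dedicated `ssh` profile instead of inheriting virt-manager's, which is the better isolation, but note that `Px` makes the exec fail when no profile for ssh is loaded, unlike `PUx`, so an `ssh` profile (not visible on this page) becomes a hard dependency of virt-manager's remote connections. A comment on the rule such as `# For remote connections (qemu+ssh://)` would record why the transition exists and make the dependency easy to spot. The rest of the virt-manager profile is outside the hunk.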