diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write
index 171a5305..2592d222 100644
--- a/apparmor.d/abstractions/fontconfig-cache-write
+++ b/apparmor.d/abstractions/fontconfig-cache-write
@@ -36,6 +36,6 @@
   # For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
   owner @{user_share_dirs}/fonts/ rw,
   owner @{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*} rw,
-  link @{user_share_dirs}/fonts/**/.uuid.LCK -> /home/*/.local/share/fonts/**/.uuid.TMP-*,
+  link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*,
 
   include if exists
diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store
index 3e63f443..837a8689 100644
--- a/apparmor.d/groups/apt/apt-methods-store
+++ b/apparmor.d/groups/apt/apt-methods-store
@@ -44,6 +44,7 @@ profile apt-methods-store @{exec_path} {
   /root/ r,
 
   /var/lib/apt/lists/{,**} r,
+  /var/lib/ubuntu-advantage/apt-esm/{,**} r,
   owner /var/lib/apt/lists/* rw,
   owner /var/lib/apt/lists/partial/* rw,
   owner /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 48f61d92..aaa659b2 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -35,6 +35,7 @@ profile dpkg-preconfigure @{exec_path} {
   owner /tmp/*.template.* rw,
   owner /tmp/*.config.* rwPUx,
 
+  owner /var/cache/debconf/ rw,
   owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
 
   owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 2ace3c8a..b6ef950d 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
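Review bot: The `###FIXME### when they fix resolving of vars` comment on the first context line of the fontconfig-cache-write hunk is now stale — the replaced `link` rule with the hard-coded `/home/*/.local/share/fonts` target was presumably the workaround for variables not resolving in a link target, and the new line uses `@{user_share_dirs}` there, so the comment should be dropped or reduced to `# For fonts downloaded via font-manager`. Separately, the two `rw` rules above carry `owner` while the `link` rule does not; if the lock file is only ever created by the user's own fontconfig, `owner link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*,` keeps the three rules consistent.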
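Review bot: In the apt-methods-store hunk the new `/var/lib/ubuntu-advantage/apt-esm/{,**} r,` line sits between the `/var/lib/apt/lists` rules rather than next to the existing `owner /var/lib/ubuntu-advantage/apt-esm/{,**} rw,` three lines below, so the two rules for the same tree read as unrelated. Moving it directly above that owner rule, with a short comment such as `# ESM lists are readable even when not owned by the calling uid` (assuming that is the denial being fixed — please confirm), makes the intent visible at a glance.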
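Review bot: In the dpkg-preconfigure hunk, `owner /var/cache/debconf/ rw,` grants `w` on the directory object itself, which in AppArmor mediates creating or removing `/var/cache/debconf/`, not creating files inside it (those are mediated by their own path, already covered by the `.dat{,-old,-new} rwk` rule below). If the denial behind this change was only a directory listing, `owner /var/cache/debconf/ r,` is the tighter rule; if dpkg-preconfigure really does create the cache directory, a one-line comment saying so would justify the `w`. The same question applies to `owner /var/cache/apt/ rw,` in the update-motd-updates-available hunk, where the rule being replaced had `r` only.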
@@ -58,6 +58,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   /usr/share/gnome-documents/org.gnome.Documents rPx,
   /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
   /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
+  @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/daemon.js rPx,
+  /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/daemon.js rPx,
 
   /etc/dbus-1/{,**} r,
 
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 8a26c538..ddd8b704 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -19,6 +19,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   capability fsetid,
   capability mknod,
   capability net_admin,
+  capability sys_resource,
   capability syslog,
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available
index 878f0da8..4fd603f6 100644
--- a/apparmor.d/groups/ubuntu/update-motd-updates-available
+++ b/apparmor.d/groups/ubuntu/update-motd-updates-available
@@ -43,8 +43,8 @@ profile update-motd-updates-available @{exec_path} {
 
   /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 
-  /var/cache/apt/ r,
-  /var/cache/apt/** rwk,
+  owner /var/cache/apt/ rw,
+  owner /var/cache/apt/** rwk,
 
   /tmp/ r,
 
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 8c5ddd4c..d5d71f24 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -49,10 +49,12 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /etc/needrestart/*.d/* rix,
   /etc/shadow r,
 
+  / r,
   /boot/ r,
   /boot/intel-ucode.img r,
   /boot/vmlinuz* r,
 
+  owner /var/lib/juju/agents/{,**} r,
   owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
 
   @{PROC}/ r,
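Review bot: Both new `daemon.js` lines in the dbus-daemon hunk use `rPx`, which only succeeds if a profile attached to that path is loaded; unlike `rPUx` there is no unconfined fallback, so without a matching gsconnect profile the bus will fail to activate the service. Please confirm a profile for `.../gsconnect@andyholmes.github.io/service/daemon.js` ships alongside this change, or use `rPUx` until it does. Since the first path lives under the user-writable `@{user_share_dirs}`, `owner @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/daemon.js rPx,` would also match how the other `@{user_share_dirs}` rules in this commit (fontconfig-cache-write) are written.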
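Review bot: In the systemd-tmpfiles hunk, `capability sys_resource,` is a broad capability (rlimit overrides and quota bypass among other things) and nothing in the profile says which tmpfiles.d operation needs it. A one-line why-comment above it recording the operation from the denial that motivated the change, e.g. `# sys_resource: <operation from audit denial> (<issue/denial reference>)`, would let a later reviewer judge whether it can be dropped again. The neighbouring capabilities are undocumented too, but this is the one most worth explaining.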
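Review bot: Adding `owner` to `/var/cache/apt/** rwk` in the update-motd-updates-available hunk changes which files the profile can touch: the process (presumably running as root from pam_motd) can now only access root-owned entries, and on Debian/Ubuntu parts of this tree — `archives/partial/` in particular — are commonly owned by `_apt`. If the tool only reads the package cache files that is fine, but the audit log should be re-checked after this change for denials under `/var/cache/apt/` where `ouid` differs from `fsuid`; if any appear, the non-owner `r` on the old `/var/cache/apt/** ` rule was doing real work.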
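Review bot: In the needrestart hunk, `owner /var/lib/juju/agents/{,**} r,` introduces a read of a third-party agent tree with no comment, so a later reader cannot tell whether it is still needed; a short note such as `# juju-managed hosts: <reason needrestart reads agent units — confirm>` above it would fix that. `/ r,` is harmless (a listing of the root directory) but is dropped in between the `/boot/` rules; grouping it with the other bare-directory reads such as `@{PROC}/ r,` reads more naturally. The profile body continues past the hunk on both sides.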
diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp
index 3dd9411b..59ac4ee3 100644
--- a/apparmor.d/profiles-m-r/newgrp
+++ b/apparmor.d/profiles-m-r/newgrp
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -9,26 +10,19 @@ include
 @{exec_path} = @{bin}/newgrp
 profile newgrp @{exec_path} {
   include
+  include
   include
 
-  # To write records to the kernel auditing log.
   capability audit_write,
-
-  # To remove the following errors:
-  # setgroups: Operation not permitted
-  # setgid: Operation not permitted
   capability setgid,
-
-  # newgrp is a SETUID binary
   capability setuid,
 
   network netlink raw,
 
   @{exec_path} mr,
 
-  # Shells to use
-  @{bin}/{,b,d,rb}ash rPUx,
-  @{bin}/{c,k,tc,z}sh rPUx,
+  @{bin}/{,b,d,rb}ash rUx,
+  @{bin}/{c,k,tc,z}sh rUx,
 
   /etc/{passwd,group,shadow,gshadow} r,
 
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge
index 36c87ae0..4a572a8f 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge
+++ b/apparmor.d/profiles-m-r/protonmail-bridge
@@ -57,6 +57,7 @@ profile protonmail-bridge @{exec_path} {
   @{bin}/tty rix,
   @{bin}/which rix,
 
+  owner @{user_password_store_dirs}/ r,
   owner @{user_password_store_dirs}/.gpg-id r,
   owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw,
   deny owner @{user_password_store_dirs}/**/ r,
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index cb573496..46fdf3d7 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -21,6 +21,11 @@ profile qemu-ga @{exec_path} {
 
   ptrace peer=unconfined,
 
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member={ScheduleShutdown,SetWallMessage}
+       peer=(name=org.freedesktop.login1, label=systemd-logind),
+
   @{exec_path} mr,
   @{bin}/systemctl rix,
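Review bot: In the second newgrp hunk, switching the shells from `rPUx` to `rUx` means the spawned shell always runs unconfined, even where a shell profile exists and would previously have been entered; that is defensible for newgrp (the child is the user's own interactive shell), but the hunk also deletes the `# Shells to use` comment, so the reason for the transition is now undocumented. Keeping a one-line comment such as `# The spawned shell is the user's own session: run it unconfined` above the two exec rules would preserve it. Dropping the verbose comments on `capability audit_write`/`setgid`/`setuid` is fine, though the note that newgrp is a setuid binary was the one useful sentence among them and could stay.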
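Review bot: In the protonmail-bridge hunk, `owner @{user_password_store_dirs}/ r,` allows listing the top level of the password store, so the names of every top-level entry become readable to the bridge even though `deny owner @{user_password_store_dirs}/**/ r,` still blocks descending into them (deny rules take precedence regardless of order, and `**/` does not match the store root itself, so the two rules do not conflict). If the bridge only needs `.gpg-id` and its own `protonmail-credentials/` subtree, it is worth checking whether the listing is actually required or was just the first denial in the log; if it is required, a comment such as `# Top-level entry names are visible; contents of other entries stay denied below` next to the new line would make the trade-off explicit.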