diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index abf16812..3c37534a 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -18,6 +18,7 @@ profile cron-apport @{exec_path} { / r, /var/crash/ r, + /var/crash/*.crash w, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index cf42bd74..ed4bc812 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -13,6 +13,8 @@ profile gnome-characters-backgroudservice @{exec_path} { @{exec_path} mr, + /{usr/,}bin/gjs-console rix, + /usr/share/icons/{,**} r, /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 9132ee3c..b35ae8f2 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -37,7 +37,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={UserNew,SessionNew,PrepareForShutdown,SeatNew}, + member={UserNew,SessionNew,PrepareForShutdown,SeatNew,UserRemoved,SessionRemoved}, dbus bind bus=system name=org.freedesktop.ModemManager[0-9], diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index cebfc7c3..b114eda3 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9] interface=org.freedesktop.systemd[0-9].Manager - member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe}, + member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading,Subscribe,StopUnit}, dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/{unit,job}/** interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index e26c4058..86a0d4f7 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/systemd-machine-id-setup profile systemd-machine-id-setup @{exec_path} { include + include capability dac_override, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 1d8f91cd..8140c18c 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -15,6 +15,11 @@ profile do-release-upgrade @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mr, /{usr/,}bin/dpkg rPx -> child-dpkg, @@ -27,6 +32,7 @@ profile do-release-upgrade @{exec_path} { /etc/update-manager/{,**} r, /var/lib/update-manager/meta-release-* rw, + /var/cache/apt/pkgcache.bin{,.*} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 3501ad8e..a98cdfa7 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -35,8 +35,7 @@ profile boltd @{exec_path} { @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r, @{sys}/devices/platform/**/uevent r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 8c5a471c..ec164180 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -13,12 +13,11 @@ profile ip @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_module, network netlink raw, - @{exec_path} mrix, - mount options=(rw, rshared) -> /{var/,}run/netns/, mount options=(rw, rslave) -> /, mount options=(rw, bind) / -> /{var/,}run/netns/*, @@ -28,12 +27,15 @@ profile ip @{exec_path} flags=(attach_disconnected) { umount @{run}/netns/*, umount /sys/, - /etc/iproute2/{,**} r, + @{exec_path} mrix, / r, + + /etc/iproute2/{,**} r, + /etc/netns/*/ r, + owner @{run}/netns/ rw, @{run}/netns/* rw, - /etc/netns/*/ r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/net/dev_mcast r, diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index c80ec1eb..1eb551d2 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -1,9 +1,8 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -@{JEKYLL_DIR}=@{HOME}/morfikov.github.io - abi , include @@ -17,19 +16,18 @@ profile jekyll @{exec_path} { @{exec_path} r, /{usr/,}bin/ruby[0-9].[0-9]* rix, - /usr/share/rubygems-integration/*/specifications/ r, - /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, - /{usr/,}lib/ruby/gems/*/specifications/ r, /{usr/,}lib/ruby/gems/*/specifications/** r, /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, + /usr/share/rubygems-integration/*/specifications/ r, + /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, + /usr/share/ruby-addressable/unicode.data r, - # Jekyll dir - owner @{JEKYLL_DIR}/{,**} r, - owner @{JEKYLL_DIR}/_site/{,**} rw, - owner @{JEKYLL_DIR}/.sass-cache/** rw, + owner @{user_projects_dirs}/{,**} r, + owner @{user_projects_dirs}/**/_site/{,**} rw, + owner @{user_projects_dirs}/**/.sass-cache/** rw, @{PROC}/version r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 08cdcdfa..b8671752 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -82,6 +82,7 @@ profile run-parts @{exec_path} { /etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/postfix rPUx, + /etc/network/if-up.d/ubuntu-fan rPx, /etc/network/if-up.d/wpasupplicant rPUx, # Motd diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 1460d0f0..a39f81ad 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -33,6 +33,7 @@ profile sudo @{exec_path} { ptrace (read), + signal (send) peer=unconfined, signal (send) set=(cont,hup) peer=su, dbus send bus=system path=/org/freedesktop/login[0-9] diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 75eec8ad..0968890c 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -45,6 +45,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/pci[0-9]*/**/modalias r, @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, /dev/snd/ r, /dev/video[0-9]* rw, diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index d3404b00..1251aa57 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index ccd94c56..d39b710d 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -1,3 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + abi , include @@ -10,17 +14,18 @@ profile zpool @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} rm, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /etc/hostid r, - @{PROC}/sys/kernel/spl/hostid r, @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old l, @{run}/blkid/blkid.tab-* rwl, @{PROC}/@{pids}/mounts r, + @{PROC}/sys/kernel/spl/hostid r, /dev/pts/[0-9]* rw, /dev/zfs rw,