diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index ea3d7a7a..c902e20d 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -14,18 +14,13 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus bind bus=session name=org.freedesktop.portal.IBus, + #aa:dbus own bus=session name=org.freedesktop.portal.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/freedesktop/IBus - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=:*, label=ibus-daemon), - @{exec_path} mr, owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index da457a0f..fa8abd38 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -10,6 +10,8 @@ include @{exec_path} = @{bin}/xdg-email profile xdg-email @{exec_path} flags=(complain) { include + include + include @{exec_path} r, diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 9ece7157..66cd5435 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -12,6 +12,7 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include include + include @{exec_path} r, diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index bca69b9b..792c6b85 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -11,6 +11,7 @@ include profile xdg-screensaver @{exec_path} { include include + include @{exec_path} r, 
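Review bot: The removed `dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer member=Ping peer=(name=:*, label=ibus-daemon),` rule has no explicit replacement in the ibus-portal hunk; `#aa:dbus own bus=session name=org.freedesktop.portal.IBus` is a generator directive, and if the rules it expands to are scoped to the owned name's own object path and interfaces, a Ping from ibus-daemon on `/org/freedesktop/IBus` would now be denied, so this should be checked against the generator's output or the Ping rule kept. The same question applies to the other hunks in this commit that collapse explicit rules into `own`: gnome-control-center-search-provider and seahorse drop their `org.gnome.Shell.SearchProvider2` receive rules, whose interface is not the owned name, and ubuntu-advantage-desktop-daemon drops its `GetManagedObjects` receive on `path=/`. The removed rules also pinned the sender with `label=`; whatever the directive generates should be confirmed to keep equivalent peer scoping, since the diff no longer shows it.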
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index b584a8c1..53ced47f 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -14,10 +14,7 @@ profile gnome-control-center-search-provider @{exec_path} { include include - dbus bind bus=session name=org.gnome.Settings.SearchProvider, - dbus receive bus=session path=/org/gnome/Settings/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*, label=gnome-shell), + #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index ba23af8a..cb41a046 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -21,10 +21,7 @@ profile seahorse @{exec_path} { include include - dbus bind bus=session name=org.gnome.seahorse.Application, - dbus receive bus=session path=/org/gnome/seahorse/Application - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*), + #aa:dbus own bus=session name=org.gnome.seahorse.Application @{exec_path} mr, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e1de05a1..c17a34e5 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -84,7 +84,6 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, owner @{user_config_dirs}/emaildefaults r, - owner @{user_config_dirs}/kactivitymanagerdrc r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, 
@@ -111,6 +110,11 @@ profile systemsettings @{exec_path} { owner @{user_share_dirs}/systemsettings/** rwlk, owner @{user_share_dirs}/wallpapers/{,**} r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/systemsettingsstaterc rw, + owner @{user_state_dirs}/systemsettingsstaterc.@{rand6} rwlk, + owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk, + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @@ -123,9 +127,10 @@ profile systemsettings @{exec_path} { @{sys}/firmware/acpi/pm_profile r, @{PROC}/interrupts r, - owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/ r, /dev/bus/usb/ r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index c6658796..aaf3b9f3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -14,7 +14,7 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, - @{bin}/{,da,ba}sh rix, + @{sh_path} rix, @{bin}/fanctl rix, @{bin}/flock rix, @{bin}/grep rix, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 9db3ec33..6d7dc732 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
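Review bot: In the cron-ubuntu-fan hunk `@{sh_path} rix` replaces `@{bin}/{,da,ba}sh rix`, and the set of binaries the variable expands to is not visible here; if it also names shells other than sh/dash/bash, the profile now executes more interpreters with inherited confinement (`ix`) than before. That is presumably a repository-wide normalisation, but because `rix` inherits the profile instead of transitioning, it is worth confirming the expansion matches what the cron job actually spawns. The same substitution appears in the subiquity-console-conf and software-properties-gtk hunks of this commit.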
@@ -20,35 +20,15 @@ profile software-properties-gtk @{exec_path} { include include - dbus bind bus=session name=com.ubuntu.SoftwareProperties, - dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties - interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}} - peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk), - dbus send bus=system path=/ - interface=com.ubuntu.SoftwareProperties - peer=(name=:*, label=software-properties-dbus), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=ubuntu-advantage-desktop-daemon), - - dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=ubuntu-advantage-desktop-daemon), + #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon @{exec_path} mr, @{bin}/ r, + @{sh_path} rix, @{bin}/python3.@{int} r, - @{bin}/{,da,ba}sh rix, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, @@ -73,9 +53,9 @@ profile software-properties-gtk @{exec_path} { /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/ubuntu-advantage/status.json r, - owner @{tmp}/???????? rw, - owner @{tmp}/tmp????????/ rw, # change to 'c' - owner @{tmp}/tmp????????/apt.conf rw, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8}/ rw, + owner @{tmp}/tmp@{word8}/apt.conf rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 08886b64..7113dac5 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf 
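Review bot: The removed `dbus send bus=system path=/ interface=com.ubuntu.SoftwareProperties peer=(name=:*, label=software-properties-dbus),` has no counterpart among the added lines: `#aa:dbus own` is on the session bus and `#aa:dbus talk` targets com.canonical.UbuntuAdvantage, so unless an included abstraction grants it, that system-bus call to software-properties-dbus will now be denied. Likewise the removed system-bus `(send, receive)` on `/com/ubuntu/SoftwareProperties` and the `GetManagedObjects` send on `path=/` to ubuntu-advantage-desktop-daemon are only preserved if the `talk` directive's generated rules include the root path, which this diff cannot show. Either keep the `software-properties-dbus` send rule explicitly, or add a `talk` directive for that peer once it is confirmed the generator covers `path=/`.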
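Review bot: The `????????` to `@{word8}` rewrite in the second software-properties-gtk hunk assumes the variable matches the same character set as the old wildcard; the comment dropped in the qbittorrent and repo hunks (`# unconventional '_' tail`) documented that these generated names can end in `_`, so if `@{word8}` is defined without underscore the sem.mp and tmp rules silently stop matching. Confirm the variable's definition includes `_` before removing that comment, or keep a short reminder next to the rule, e.g. `# name may end in '_'; @{word8} must include it`. The same change appears in the qbittorrent and repo hunks.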
@@ -22,7 +22,7 @@ profile subiquity-console-conf @{exec_path} { @{exec_path} mr, - @{bin}/{,da,ba}sh rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, @{bin}/ip rix, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon index 2e35697c..ddb689b5 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon @@ -14,17 +14,8 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) capability sys_nice, - dbus bind bus=system name=com.canonical.UbuntuAdvantage, - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=software-properties-gtk), - - dbus receive bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=software-properties-gtk), + #aa:dbus own bus=system name=com.canonical.UbuntuAdvantage + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-gtk @{exec_path} mr, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index def1d76b..78503c7b 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -60,6 +60,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, ptrace read peer=docker-*, + ptrace read peer=runc, ptrace read peer=unconfined, signal send set=int peer=docker-proxy, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 7f79d3a0..3e7c28e2 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent 
@@ -135,7 +135,7 @@ profile qbittorrent @{exec_path} { owner @{user_torrents_dirs}/** r, - owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int}, # unconventional '_' tail + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/@{int}, owner /dev/shm/* rw, owner @{tmp}/@{int} rw, diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 6f3ba241..5f491cd5 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -51,7 +51,7 @@ profile repo @{exec_path} { owner @{tmp}/ssh-*/ rw, owner /dev/shm/* rw, - owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*, # unconventional '_' tail + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/*, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 6b8bca6c..eadb669c 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -24,7 +24,7 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, - dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0, + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable