diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list
index 3f2fb4e0..ffe996c5 100644
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/fc-list
 profile fc-list @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 75bb7583..708ccc5f 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/gpg-agent
 profile gpg-agent @{exec_path} {
 include
+ include
 include
 signal (receive) peer=pinentry-*,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 364c05f7..bfa71cf5 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/gpgsm
 profile gpgsm @{exec_path} {
 include
+ include
 include
 capability dac_read_search,
diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape
index 0a38bf0f..4a542497 100644
--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/systemd-escape
 profile systemd-escape @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 5664cde0..9b6203e9 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{exec_path} mr,
 @{lib}/udev/#@{int} rwl,
- @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},
+ @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
 @{lib}/udev/hwdb.bin w,
- /etc/udev/.#hwdb.bind* rw,
- /etc/udev/hwdb.bin rw,
+ /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},
+ /etc/udev/hwdb.bin w,
 /etc/udev/hwdb.d/{,*} r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 4f95bed4..cc1f541d 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -64,6 +64,7 @@ profile systemd-journald @{exec_path} {
 @{run}/udev/data/b259:@{int} r, # Block Extended Major
 @{run}/udev/data/c1:@{int} r, # For RAM disk
 @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/b8:@{int} r, # for /dev/sd*
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
 @{run}/udev/data/c108:@{int} r, # For /dev/ppp
 @{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index d6b1cb26..e1ca76d5 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@@ -19,9 +19,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 # Config file locations
- /etc/sysusers.d/*.conf r,
- @{run}/sysusers.d/*.conf r,
- /usr/lib/sysusers.d/*.conf r,
+ /etc/sysusers.d/{,*.conf} r,
+ @{run}/sysusers.d/{,*.conf} r,
+ /usr/lib/sysusers.d/{,*.conf} r,
 # Where the users can be created,
 /home/{,*} rw,
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index 4aea919b..903e2cb6 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
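Review bot: The new rule `/etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},` names `/etc/udev/#@{int}` as its link target, but unlike the `@{lib}/udev` variant, which is backed by the context line `@{lib}/udev/#@{int} rwl,`, nothing in this hunk grants access to `/etc/udev/#@{int}` itself. If the /etc write goes through the same temporary-file-then-link sequence as the /usr/lib one (which the shared `#@{int}` naming suggests), the creation of the temporary file would still be denied before the link step is reached; add `/etc/udev/#@{int} rwl,` next to the new rule, or confirm from the audit log that the /etc path does not need it. Narrowing `@{hex}` to `@{hex16}` and dropping `r` from `/etc/udev/hwdb.bin` are good tightenings.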
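Review bot: The added `@{run}/udev/data/b8:@{int} r, # for /dev/sd*` line is placed between the `c4` and `c10` character-device entries, while the only other block major visible, `b259`, sits at the top of the list, and the new comment is the only one that starts lowercase. Grouping it with `b259` and writing `# For /dev/sd*` like its neighbours keeps the list scannable when the next major is added. The list continues past the end of the hunk, so the right slot may be outside this view.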
@@ -40,6 +40,10 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
 @{PROC}/partitions r,
 @{PROC}/swaps r,
+ # Other possible location of the cache file
+ /dev/.blkid.tab{,-@{rand6}} rw,
+ /dev/blkid.tab.old rwl -> /dev/blkid.tab,
+
 owner /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index 6c6d61c4..3602a1a1 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/issue-generator
 profile issue-generator @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk
index 147e1ba2..7559e4e4 100644
--- a/apparmor.d/profiles-g-l/lsblk
+++ b/apparmor.d/profiles-g-l/lsblk
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/lsblk
-profile lsblk @{exec_path} {
+profile lsblk @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync
index 3b18ad36..907def2b 100644
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@@ -13,6 +13,10 @@ profile sync @{exec_path} {
 @{exec_path} mr,
+ # Common paths where sync is used to flush all write operations on a single file to disk
+ # TODO: /** rw, ?
+ /boot/initrd-*-default rw,
+
 include if exists
 }
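Review bot: The two new cache-file rules disagree on the file name: read/write is granted on the dot-prefixed `/dev/.blkid.tab{,-@{rand6}}`, while the link rule `/dev/blkid.tab.old rwl -> /dev/blkid.tab,` is written for the undotted name, and neither `/dev/blkid.tab` nor `/dev/.blkid.tab.old` has a rule in this hunk. As far as I recall, libblkid derives both the `-XXXXXX` temporary name and the `.old` backup from the cache file path, so a cache at `/dev/.blkid.tab` would produce `/dev/.blkid.tab.old`; if that is the case the link rule should read `/dev/.blkid.tab.old rwl -> /dev/.blkid.tab,`. Please check the denial that motivated the change before settling on one spelling, since a mismatched rule silently grants nothing.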
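Review bot: `flags=(attach_disconnected)` is added to the lsblk profile header without a comment saying which disconnected path triggered it, and no rule in this hunk shows it. Because the flag makes paths that are not connected to the profile's namespace root match the profile's file rules as if they hung off `/`, it is worth recording the trigger, e.g. `# attach_disconnected: <TODO denial path>` above the `profile` line, so the flag can be reconsidered if the reason goes away.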
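Review bot: The `# TODO: /** rw, ?` note above `/boot/initrd-*-default rw,` should not be resolved in that direction: `/** rw,` would give the sync profile write access to every file on the system, which makes the confinement meaningless for a binary that only needs to flush files it is pointed at. As far as I recall, coreutils `sync FILE` opens its argument read-only and only retries with a write-only open when the read open fails, so `r` is probably enough for the initrd rule; the TODO could be replaced by `# sync FILE only needs to open the file; add paths per denial, never /**`. Whether `w` is really required is best confirmed from the audit log rather than assumed.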