diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 2bc417c8..4d7c3be2 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -136,6 +136,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   @{PROC}/@{pids}/cmdline r,
   @{PROC}/cmdline r,
+  @{PROC}/ioports r,
   @{PROC}/mtrr rw,
   /dev/input/event[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 9730ea30..ac4867ee 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -14,17 +14,19 @@ profile xrdb @{exec_path} {
   @{exec_path} mr,
+  /{usr/,}bin/{,*-}cpp-[0-9]* rix,
   /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
   /{usr/,}bin/cpp rix,
-  /{usr/,}lib{,32,64}/gcc/@{multiarch}/[0-9]*/cc1 rix,
+  /{usr/,}lib{,32,64}/gcc/*/[0-9]*/cc1 rix,
   /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
   /usr/include/stdc-predef.h r,
   @{etc_ro}/Xresources/x11-common r,
+  @{etc_ro}/X11/Xresources r,
   # The location of the .Xresources file
+  owner @{HOME}/.Xdefaults r,
   owner @{HOME}/.Xresources r,
   owner @{user_config_dirs}/.Xresources r,
   owner @{user_config_dirs}/Xresources/.Xresources r,
@@ -35,6 +37,8 @@ profile xrdb @{exec_path} {
   owner /tmp/startplasma-x11.?????? r,
   owner /tmp/xauth-[0-9]*-_[0-9] r,
+  @{run}/sddm/\{@{uuid}\} r,
+
   # file_inherit
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/groups/freedesktop/xset b/apparmor.d/groups/freedesktop/xset
index 6bf68d81..191478fd 100644
--- a/apparmor.d/groups/freedesktop/xset
+++ b/apparmor.d/groups/freedesktop/xset
@@ -15,6 +15,8 @@ profile xset @{exec_path} {
   owner @{HOME}/.Xauthority r,
+  @{run}/sddm/\{@{uuid}\} r,
+
   # file_inherit
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 3f3e3f20..113c71ab 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
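Review bot: The two rewritten exec rules in the first xrdb hunk widen what may run under `ix`: `/{usr/,}bin/{,*-}cpp-[0-9]* rix,` now matches any `<prefix>-cpp-<digits>` binary in bin, and `/{usr/,}lib{,32,64}/gcc/*/[0-9]*/cc1 rix,` any directory under gcc/, where the removed rules were pinned to `@{multiarch}`. Because `ix` inherits xrdb's whole profile, a wider glob amounts to trusting every binary it can match. If the loosening is needed for a distribution whose gcc tree is not named by the multiarch triplet, a comment above the rule naming that layout (e.g. `# gcc/cc1 is not under a multiarch directory on every distribution`) would keep the next maintainer from tightening it back to `@{multiarch}` without knowing why. The xrdb profile body continues outside the hunk.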
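Review bot: `@{run}/sddm/\{@{uuid}\} r,` in the second xrdb hunk, and the identical rule in the xset hunk, carry no `owner` qualifier, while the neighbouring credential rule in xset (`owner @{HOME}/.Xauthority r,`) does. This path appears to be the per-display X authority file sddm creates under @{run}/sddm/ and passes to the setup scripts via XAUTHORITY, so it holds a cookie equivalent to .Xauthority; if the file is always owned by the user xrdb and xset run as, `owner @{run}/sddm/\{@{uuid}\} r,` in both profiles limits them to their own session's cookie. If the tools are run as a different user than the file's owner, a short comment stating that is what justifies dropping `owner`. Both hunks sit inside profile bodies that continue outside the diff.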
@@ -46,6 +46,8 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/tr rix,
   /{usr/,}bin/cat rix,
   /{usr/,}bin/tty rix,
+  /{usr/,}bin/xmodmap rix,
+  /{usr/,}{s,}bin/checkproc rix,
   /{usr/,}bin/sddm-greeter rPx,
   /etc/sddm/Xsession rPx,
@@ -56,11 +58,14 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/sway rPUx,
   /{usr/,}bin/flatpak rPUx,
-  /{usr/,}bin/systemctl rPx -> child-systemctl,
+  @{etc_ro}/X11/xdm/Xsession rPx,
   /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
   /{usr/,}bin/gnome-keyring-daemon rPx,
   /{usr/,}bin/kwalletd5 rPx,
   /{usr/,}bin/startplasma-x11 rPx,
+  /{usr/,}bin/systemctl rPx -> child-systemctl,
+  /{usr/,}bin/xrdb rPx,
+  /{usr/,}bin/xset rPx,
   /usr/etc/X11/xdm/Xsetup rix,
   /usr/share/sddm/scripts/Xsetup rix,
@@ -75,11 +80,13 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
   /usr/share/wayland-sessions/{,*.desktop} r,
   /usr/share/xsessions/{,*.desktop} r,
   /var/lib/AccountsService/icons/*.icon r,
+  /usr/share/qt5/qtlogging.ini r,
   /etc/X11/xinit/xinitrc.d/{,*} r,
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/ r,
+  @{etc_ro}/X11/Xmodmap r,
   /etc/debuginfod/{,*} r,
   /etc/default/locale r,
   /etc/locale.conf r,
@@ -87,6 +94,7 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
   /etc/sddm.conf r,
   /etc/sddm.conf.d/{,*} r,
   /etc/shells r,
+  /etc/sysconfig/displaymanager r,
   / r,
@@ -110,6 +118,7 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
   owner /tmp/sddm-auth* rw,
   @{run}/faillock/[a-zA-z0-9]* rwk,
+  @{run}/sddm.pid rw,
   @{run}/sddm/* w,
   @{run}/systemd/sessions/*.ref rw,
   owner @{run}/sddm/ rw,
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index 9db8457c..692b610f 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
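Review bot: `/{usr/,}bin/xmodmap rix,` in the first sddm hunk runs xmodmap inside sddm's own profile, whereas the same commit confines xrdb and xset with `rPx` in the second hunk; sddm is a root display manager with a broad profile, so inheriting it gives xmodmap far more than a keymap tool needs. If an xmodmap profile exists in the tree, `/{usr/,}bin/xmodmap rPx,` would match the treatment given to xrdb and xset; otherwise a comment saying why inheritance is acceptable here would help the next reader. The same consideration applies to `/{usr/,}{s,}bin/checkproc rix,`. The sddm profile body continues outside the hunk.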
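Review bot: `@{etc_ro}/X11/xdm/Xsession rPx,` in the second sddm hunk transitions to a profile attached to that exact path, but the commit adds no profile for it; unlike `rPUx`, a missing target profile makes the exec fail rather than fall back to unconfined. Confirm that the existing Xsession profile (the one `/etc/sddm/Xsession rPx,` on the context line above targets) also lists `@{etc_ro}/X11/xdm/Xsession` in its `@{exec_path}`, or name the intended profile explicitly with `-> ` as the `systemctl` rule in the same hunk does. The sddm profile body continues outside the hunk.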
@@ -48,6 +48,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
   /etc/legal r,
   /etc/machine-id r,
   /etc/motd r,
+  /etc/motd.d/ r,
   /etc/security/group.conf r,
   /etc/security/limits.conf r,
   /etc/security/pam_env.conf r,
@@ -57,6 +58,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/motd.legal-displayed rw,
+  @{run}/motd.d/ r,
   @{run}/dbus/system_bus_socket rw,
   @{run}/faillock/* rwk,
   @{run}/motd.dynamic{,.new} rw,
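Review bot: `/etc/motd.d/ r,` in the first login hunk and `@{run}/motd.d/ r,` in the second grant read on the directory entries only; the files inside are not covered, so if login (presumably through pam_motd) goes on to read them, those reads are still denied and the audit log will show a second round of denials. The sddm profile in the same diff already uses the brace form for this situation (`/etc/sddm.conf.d/{,*} r,`), so `/etc/motd.d/{,*} r,` and `@{run}/motd.d/{,*} r,` would cover both the listing and the files in one rule each. The login profile body continues outside both hunks.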