From 26f838b73f3007e61a93c63ada96d06d53b5ea86 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 11 Nov 2022 22:18:55 +0000
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/browsers/chromium-chromium | 43 +++++++++--------
 .../groups/browsers/google-chrome-chrome | 47 +++++++++++--------
 apparmor.d/groups/children/child-open | 4 +-
 apparmor.d/groups/freedesktop/pipewire | 1 +
 .../freedesktop/xdg-desktop-portal-gnome | 7 +++
 apparmor.d/groups/gnome/gnome-terminal-server | 2 +
 apparmor.d/groups/gnome/gsd-color | 3 +-
 apparmor.d/groups/gnome/gsd-keyboard | 3 +-
 apparmor.d/groups/gnome/nautilus | 18 ++++---
 apparmor.d/groups/pacman/pacman | 3 +-
 apparmor.d/groups/ssh/sftp-server | 1 +
 apparmor.d/groups/ssh/sshd | 2 +
 apparmor.d/groups/systemd/systemd-udevd | 5 +-
 apparmor.d/profiles-a-f/frontend | 29 ++++++------
 apparmor.d/profiles-a-f/fwupd | 3 +-
 apparmor.d/profiles-g-l/login | 13 ++---
 apparmor.d/profiles-m-r/nvtop | 3 ++
 apparmor.d/profiles-m-r/packagekitd | 1 +
 apparmor.d/profiles-m-r/pacmd | 4 ++
 apparmor.d/profiles-m-r/pactl | 2 +
 apparmor.d/profiles-m-r/rngd | 1 +
 apparmor.d/profiles-s-z/swtpm | 1 +
 apparmor.d/profiles-s-z/wireplumber | 3 +-
 23 files changed, 121 insertions(+), 78 deletions(-)
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index 4f7e8a67..d3405bc1 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -113,25 +113,25 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 owner /tmp/tmp.*/** rwk,
 owner /tmp/scoped_dir*/{,**} rw,
- @{PROC}/ r,
- @{PROC}/vmstat r,
- @{PROC}/sys/kernel/yama/ptrace_scope r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/statm r,
- owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- deny @{PROC}/@{pids}/cmdline r,
- owner @{PROC}/@{pids}/environ r,
- owner @{PROC}/@{pids}/task/ r,
- @{PROC}/@{pids}/task/@{tid}/stat r,
- @{PROC}/@{pids}/task/@{tid}/status r,
- owner @{PROC}/@{pid}/limits r,
- owner @{PROC}/@{pid}/mem r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- @{PROC}/sys/fs/inotify/max_user_watches r,
- owner @{PROC}/@{pids}/clear_refs w,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/statm r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/vmstat r,
+ owner @{PROC}/@{pid}/limits r,
+ owner @{PROC}/@{pid}/mem r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pids}/clear_refs w,
+ owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/@{pids}/task/ r,
 @{run}/udev/data/* r,
@@ -140,6 +140,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/ r,
 @{sys}/class/**/ r,
 @{sys}/devices/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/boot_vga r,
 @{sys}/devices/pci[0-9]*/**/irq r,
 @{sys}/devices/pci[0-9]*/**/report_descriptor r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
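Review bot: `deny @{PROC}/@{pids}/cmdline r` becomes `owner @{PROC}/@{pids}/cmdline r` in this hunk, which turns a deliberate silencer into a grant covering the command lines of every process running as the same user, not only the browser's own; the same deny-to-allow flip happens for `@{sys}/devices/virtual/tty/tty[0-9]/active` in the next hunk and, more broadly, in google-chrome-chrome's `@{PROC}` hunk (`vmstat`, `@{pids}/stat`, `statm`, `task/@{tid}/stat`, `cmdline`, `environ`, `limits`, `mem`). Command lines and environments of sibling processes routinely carry tokens and passwords, so if the browser only needs its own, `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/environ r,` are the narrower rules; otherwise a one-line comment naming the feature that reads other processes (`# @{pids} needed by <feature, from the audit log>`) would justify the wider glob. The commit message ("general update") does not say whether these were observed denials or a cleanup that aligned the two profiles' divergent rule sets.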
@@ -149,9 +150,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/**/report_descriptor r,
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
- @{sys}/devices/pci[0-9]*/**/boot_vga r,
-
- deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
+ @{sys}/devices/virtual/tty/tty[0-9]/active r,
 /dev/ r,
 /dev/video[0-9]* rw,
diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome
index 229d4b32..ebc78c19 100644
--- a/apparmor.d/groups/browsers/google-chrome-chrome
+++ b/apparmor.d/groups/browsers/google-chrome-chrome
@@ -22,7 +22,7 @@ profile google-chrome-chrome @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
@@ -99,23 +99,25 @@ profile google-chrome-chrome @{exec_path} {
 # owner @{user_config_dirs}/chromium/*/ r,
 # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
- @{PROC}/ r,
- deny @{PROC}/vmstat r,
- @{PROC}/sys/kernel/yama/ptrace_scope r,
- @{PROC}/@{pid}/fd/ r,
- deny @{PROC}/@{pids}/stat r,
- deny @{PROC}/@{pids}/statm r,
- owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- deny @{PROC}/@{pids}/cmdline r,
- deny owner @{PROC}/@{pids}/environ r,
- owner @{PROC}/@{pid}/task/ r,
- deny @{PROC}/@{pids}/task/@{tid}/stat r,
- @{PROC}/@{pids}/task/@{tid}/status r,
- deny owner @{PROC}/@{pid}/limits r,
- deny owner @{PROC}/@{pid}/mem r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- deny @{PROC}/diskstats r,
+ @{PROC}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/statm r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/vmstat r,
+ owner @{PROC}/@{pid}/limits r,
+ owner @{PROC}/@{pid}/mem r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pids}/clear_refs w,
+ owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/@{pids}/task/ r,
 @{run}/udev/data/* r,
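Review bot: `deny @{PROC}/diskstats r` is dropped from this hunk without a replacement, so the access is still refused but now as an implicit denial that is logged again, which undoes what the silencer was there for. If the read is genuinely needed, keep it as `@{PROC}/diskstats r,`; if it was noise, keep `deny @{PROC}/diskstats r,` under the profile's `# Silencer` block further down. The rest of the hunk makes this `@{PROC}` block identical to the one in chromium-chromium; if that is the intent, a shared include would stop the two from drifting apart again, which is presumably how the divergent `deny` rules removed here appeared in the first place.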
@@ -124,14 +126,21 @@ profile google-chrome-chrome @{exec_path} {
 @{sys}/class/ r,
 @{sys}/class/**/ r,
 @{sys}/devices/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/boot_vga r,
 @{sys}/devices/pci[0-9]*/**/irq r,
+ @{sys}/devices/pci[0-9]*/**/report_descriptor r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
- @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+ @{sys}/devices/virtual/**/report_descriptor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/tty/tty[0-9]/active r,
 # Silencer
 deny @{CHROME_INSTALLDIR}/** w,
+ deny @{user_share_dirs}/gvfs-metadata/* r,
 include if exists
 }
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index f5fa46ec..81952a03 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -23,8 +23,8 @@ profile child-open {
 /{usr/,}bin/exo-open mr,
 /{usr/,}bin/xdg-open mr,
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
- /{usr/,}lib/gio-launch-desktop mr,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix,
+ /{usr/,}lib/gio-launch-desktop mrix,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,m,g}awk rix,
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index f48523b5..6f85353d 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -66,6 +66,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/ r,
 @{sys}/bus/media/devices/ r,
+ @{sys}/class/ r,
 @{sys}/devices/**/device:*/**/path r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index fb8071de..1baad738 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -12,10 +12,13 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 include
 include
 include
+ include
+ include
 include
 include
 include
 include
+ include
 include
 include
 include
@@ -125,5 +128,9 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
+ @{run}/mount/utab r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 79a44ded..f53ebdd0 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -30,6 +30,8 @@ profile gnome-terminal-server @{exec_path} {
 # Some CLI program can be launched directly from Gnome Shell
 /{usr/,}bin/htop rPx,
+ /{usr/,}bin/micro rPUx,
+ /{usr/,}bin/nvtop rPx,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index e9f2f123..c4226e3b 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -9,13 +9,14 @@ include
 @{exec_path} = @{libexec}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
- include
 include
 include
 include
 include
+ include
 signal (receive) set=(term, hup) peer=gdm*,
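Review bot: `/{usr/,}bin/micro rPUx` in the gnome-terminal-server hunk lets micro run unconfined whenever no `micro` profile is loaded, while the neighbouring `htop` and `nvtop` entries use `rPx` and fail closed. That asymmetry deserves a comment, e.g. `# no dedicated profile yet, falls back to unconfined`, so that a future micro profile prompts a switch to `rPx`; if a micro profile already exists elsewhere in the tree, `rPx` is the consistent choice now.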
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index 21dbae62..ccc48d84 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -9,13 +9,14 @@ include
 @{exec_path} = @{libexec}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
- include
 include
 include
 include
 include
+ include
 signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 76eeade0..a31ca0bd 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -12,8 +12,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
+ include
 include
 include
+ include
 include
 include
 include
@@ -42,20 +45,22 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/firejail rPUx,
 /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+ /usr/share/*ubuntu/applications/{,**} r,
 /usr/share/nautilus/{,**} r,
 /usr/share/poppler/{,**} r,
 /usr/share/sounds/freedesktop/stereo/*.oga r,
+ /usr/share/terminfo/ r,
 /usr/share/thumbnailers/{,**} r,
- /usr/share/tracker3/{,**} r,
- /usr/share/*ubuntu/applications/{,**} r,
 /usr/share/tracker/domain-ontologies/*.rule r,
+ /usr/share/tracker3/{,**} r,
 /var/lib/snapd/desktop/icons/{,**} r,
 # Full access to user's data
- include
 / r,
- /home/ r,
+ /*/ r,
+ /{usr/,}bin/ r,
+ @{libexec}/ r,
 @{MOUNTDIRS}/ r,
 @{MOUNTS}/ r,
 owner @{HOME}/{,**} rw,
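Review bot: the new `/*/ r,`, `/{usr/,}bin/ r,` and `@{libexec}/ r,` in nautilus's second hunk sit directly under `# Full access to user's data`, but they grant directory listings of every top-level directory and of the binary directories, which is not user data. With the trailing slash `/*/` matches directory entries only, yet it still covers `/root/`, `/etc/` and similar, so these three lines should be separated from the user-data block and documented, e.g. `# Browsing of the system tree (directory listings only)`, leaving `@{MOUNTDIRS}/`, `@{MOUNTS}/` and `owner @{HOME}/{,**} rw,` under the existing comment.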
@@ -74,10 +79,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 @{run}/mount/utab r,
- @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
- @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
+ @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
+ @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
+ @{sys}/devices/system/cpu/possible r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index edde0033..655a3a49 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -68,6 +68,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/iscsi-iname rix,
 /{usr/,}bin/killall rix,
 /{usr/,}bin/ln rix,
+ /{usr/,}bin/perl rix,
 /{usr/,}bin/pkill rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sed rix,
@@ -140,7 +141,7 @@ profile pacman @{exec_path} {
 # Silencer,
 deny /tmp/ r,
- deny @{HOME}/{,**} r,
+ deny @{HOME}/ r,
 profile gpg {
 include
diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server
index 82c31bb8..5b26e496 100644
--- a/apparmor.d/groups/ssh/sftp-server
+++ b/apparmor.d/groups/ssh/sftp-server
@@ -7,6 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/openssh/sftp-server
+@{exec_path} += /{usr/,}lib/ssh/sftp-server
 profile sftp-server @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 01615f94..3af0834f 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -30,6 +30,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 capability audit_write,
 capability chown,
 capability dac_read_search,
+ capability dac_override,
 capability fowner,
 capability kill,
 capability net_bind_service,
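Review bot: narrowing `deny @{HOME}/{,**} r` to `deny @{HOME}/ r` in pacman's `# Silencer,` block is a policy change, not only a log tweak: an explicit deny takes precedence over allow rules, so the old line blocked any read below `@{HOME}` that another rule or abstraction permitted, while the new one only hides the directory listing itself. Whether anything below `@{HOME}` actually becomes readable depends on rules outside this hunk that I cannot see; if the motivation is installing local package files from a user directory, a comment such as `# Only silence the @{HOME}/ listing; files under @{HOME} must stay reachable for pacman -U` would record that and stop a later cleanup from widening the deny again.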
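Review bot: `capability dac_override` is added to sshd next to the existing `capability dac_read_search`, but it is a far larger grant: it bypasses write and execute permission checks on every file, not just read and search, and sshd runs as root. Nothing in the hunk or the commit message says which denial prompted it; a comment naming the operation (`# dac_override: <operation seen in the audit log>`) would let a later review check whether a scoped file rule covers it instead. If it came from a write to one specific user-owned path, an `owner` file rule on that path is the narrower fix.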
@@ -65,6 +66,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/passwd rPx,
 /{usr/,}lib/openssh/sftp-server rPx,
+ /etc/shells r,
 /etc/default/locale r,
 /etc/environment r,
 /etc/gss/mech.d/{,*} r,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 4fdd42e0..67bd011a 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -68,7 +68,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 /etc/udev/ r,
 /etc/udev/udev.conf r,
 /etc/udev/rules.d/ r,
- /etc/udev/rules.d/[0-9][0-9]-*.rules r,
+ /etc/udev/rules.d/*.rules r,
 /etc/udev/hwdb.d/ r,
 /etc/udev/hwdb.d/[0-9][0-9]-*.hwdb r,
@@ -84,8 +84,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 @{run}/udev/ rw,
 @{run}/udev/** rw,
- @{run}/systemd/seats/seat[0-9]* r,
+ @{run}/systemd/network/ r,
 @{run}/systemd/notify rw,
+ @{run}/systemd/seats/seat[0-9]* r,
 @{sys}/** rw,
diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend
index 9804592a..2312b789 100644
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -10,17 +11,23 @@ include
 profile frontend @{exec_path} flags=(complain) {
 include
 include
- include
+ include
+ include
+ include
+ include
 include
+ include
- #capability sys_tty_config,
+ capability dac_read_search,
 @{exec_path} r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/stty rix,
- /{usr/,}bin/locale rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/hostname rix,
+ /{usr/,}bin/locale rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/stty rix,
 # debconf apps
 /{usr/,}{s,}bin/aspell-autobuildhash rPx,
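Review bot: this sshd hunk still carries only `/{usr/,}lib/openssh/sftp-server rPx,` while the sftp-server profile in the same commit gains `@{exec_path} += /{usr/,}lib/ssh/sftp-server`; unless sshd allows that second path somewhere outside this hunk, hosts that ship `/usr/lib/ssh/sftp-server` get an exec denial and the new attachment never takes effect. Adding `/{usr/,}lib/ssh/sftp-server rPx,` beside the existing line keeps the two profiles in step. The `/etc/shells r,` addition is fine on its own, though the surrounding `/etc/` lines are sorted and it would read better after `/etc/gss/mech.d/{,*} r,`.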
@@ -69,24 +76,16 @@ profile frontend @{exec_path} flags=(complain) {
 owner /tmp/file* w,
 owner /var/cache/debconf/* rwk,
+ @{HOME}/.Xauthority r,
+ @{run}/user/@{uid}/pk-debconf-socket rw,
- # The following is needed when debconf uses GUI frontends.
- include
- include
- include
- include
- capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
- /{usr/,}bin/hostname rix,
 owner @{PROC}/@{pid}/mounts r,
- @{HOME}/.Xauthority r,
 profile scripts flags=(complain) {
 include
 include
- # What's this for? (#FIXME#)
 capability dac_read_search,
 /var/lib/dpkg/info/*.config r,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index a82c49dd..f6de4662 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -76,8 +76,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /etc/pki/fwupd/{,**} r,
 /etc/pki/fwupd-metadata/{,**} r,
- /etc/fwupd/{,**} r,
- /etc/fwupd/remotes.d/* rw,
+ /etc/fwupd/{,**} rw,
 /var/cache/fwupd/{,**} rw,
 /var/lib/fwupd/{,**} rw,
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index ffcf468d..f1a59ade 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -7,12 +7,13 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/login
-profile login @{exec_path} {
+profile login @{exec_path} flags=(complain) {
 include
 include
 include
 include
 include
+ include
 capability chown,
 capability fsetid,
@@ -25,6 +26,10 @@ profile login @{exec_path} {
 # network
 netlink raw,
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.*
+ peer=(name=org.freedesktop.login1),
+
 @{exec_path} mr,
 /{usr/,}bin/{,z,ba,da}sh rUx,
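Review bot: replacing `/etc/fwupd/{,**} r` plus `/etc/fwupd/remotes.d/* rw` with `/etc/fwupd/{,**} rw` extends write access from the remotes directory to the whole fwupd configuration tree, including the daemon's own configuration files. The profile is in `complain` mode so nothing is enforced yet, but the widening is not mentioned in the commit message; if only one more path under `/etc/fwupd` needed write access, a second narrow `rw` line keeps the rest read-only, and if fwupd genuinely rewrites its configuration a comment above the rule should say so.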
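Review bot: `profile login @{exec_path}` becomes `profile login @{exec_path} flags=(complain)` in the first login hunk, which moves the profile for the program that authenticates console sessions from enforcing to log-only mode; every rule in the file, including the `dbus send` and `/dev/tty[0-9]* rw` additions in the later hunks, now only produces audit entries. That may be intentional while the rewritten rules are tested, but a commit titled "general update" does not record it; a comment on the profile line (`# complain: <reason or tracking reference>`) or a separate commit would make the downgrade visible and easy to revert. The new `dbus send` rule also no longer has the explicit `member="Hello"` rule that the last login hunk removes; if the added `include` line is an abstraction that covers `Hello`, a short note saying so would explain the removal.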
@@ -51,11 +56,7 @@ profile login @{exec_path} {
 owner @{user_cache_dirs}/motd.legal-displayed rw,
- dbus send
- bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" peer=(name="org.freedesktop.DBus"),
-
- dbus send
- bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"),
+ /dev/tty[0-9]* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop
index cc394a4e..84c8e5c5 100644
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@@ -23,8 +23,11 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
 /usr/share/terminfo/x/xterm-256color r,
+ owner @{user_config_dirs}/nvtop/{,**} rw,
+
 @{run}/systemd/inhibit/*.ref r,
 @{run}/udev/data/+drm:* r,
+ @{run}/udev/data/+pci* r,
 @{run}/udev/data/c226:[0-9]* r,
 @{run}/udev/data/c236:[0-9]* r,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 21db8fb7..4f14bf66 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -15,6 +15,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 include
 include if exists
+ capability net_admin,
 capability sys_nice,
 network inet stream,
diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd
index cd4cf7f1..ca421551 100644
--- a/apparmor.d/profiles-m-r/pacmd
+++ b/apparmor.d/profiles-m-r/pacmd
@@ -24,7 +24,11 @@ profile pacmd @{exec_path} {
 /app/lib/libzypak*.so* mr,
+ owner @{run}/user/@{uid}/pulse rw,
+ owner @{PROC}/@{pids}/stat r,
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl
index 4a2c600a..4a50de12 100644
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
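Review bot: `capability net_admin` is added to packagekitd without a comment; for a package daemon that is a broad grant (interface, routing and firewall configuration over netlink), and it is often requested spuriously by `setsockopt` calls that only set a priority or mark on an outgoing socket. If the audit entry behind it came from such a call, a `deny capability net_admin,` silencer, in the style of the `# Silencer` blocks elsewhere in this diff, is the safer answer; if PackageKit really needs it, a comment naming the operation (`# net_admin: <observed need>`) should accompany the rule.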
@@ -31,5 +31,7 @@ profile pactl @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 owner @{HOME}/.anyRemote/anyremote.stdout w,
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 2cd837cd..8df9067b 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@@ -12,6 +12,7 @@ profile rngd @{exec_path} {
 include
 include
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm
index acbeffb7..806b4e14 100644
--- a/apparmor.d/profiles-s-z/swtpm
+++ b/apparmor.d/profiles-s-z/swtpm
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/swtpm
 profile swtpm @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index fc4082e1..ac01019b 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -40,14 +40,15 @@ profile wireplumber @{exec_path} {
 @{run}/udev/data/c81:[0-9]* r,
 # For video4linux
 @{sys}/bus/ r,
+ @{sys}/bus/media/devices/ r,
 @{sys}/class/ r,
 @{sys}/class/sound/ r,
+ @{sys}/devices/**/device:*/**/path r,
 @{sys}/devices/**/sound/**/pcm_class r,
 @{sys}/devices/**/sound/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/modalias r,
 @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
 @{sys}/devices/system/cpu/possible r,
- @{sys}/devices/**/device:*/**/path r,
 /dev/media[0-9]* rw,
 /dev/snd/ r,