diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 4499c7b1..087550a2 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -58,6 +58,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pid}/fdinfo/@{int} r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/task/@{tid}/stat r,
  @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 95172442..5fe4ad86 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -63,6 +63,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{bin}/tty rix,
  @{bin}/xdm r,
  @{bin}/xmodmap rix,
+ @{bin}/unix_chkpwd rPx,
  @{bin}/kwin_wayland rPUx,
  @{bin}/sddm-greeter rPx,
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index 8326bcab..4d7e3a70 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -41,13 +41,18 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
  @{run}/blkid/blkid.tab{,-@{rand6}} rw,
  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
-
+ @{run}/snapper-tools-*/ r,
+ @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r,
+
+ @{sys}/fs/btrfs/@{uuid}/exclusive_operation r,
  @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/fsid r,
+ @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/scrub_speed_max r,
  @{PROC}/partitions r,
  owner @{PROC}/@{pid}/mounts r,
  /dev/btrfs-control rw,
+ /dev/pts/@{int} rw,
  /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index 0e278b08..82177368 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -38,6 +38,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{bin}/{,z,ba,da}sh rUx,
+ @{bin}/unix_chkpwd rPx,
  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*} r,
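Review bot: The added `@{PROC}/@{pid}/fdinfo/@{int} r,` is the only rule in this run that uses `@{pid}` while its neighbours use `@{pids}`, and it has neither an `owner` qualifier nor a comment saying whose descriptors polkitd reads. If this is polkitd reading its own fdinfo (which the singular variable suggests, but the hunk does not show), a comment such as `# fdinfo of polkitd's own descriptors` would record that, and it is worth checking whether `owner` can be added. If it is meant to cover other processes, `@{pids}` would match the surrounding rules. The profile body continues outside the hunk.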
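Review bot: The directory rule `@{run}/snapper-tools-*/ r,` uses an open `*` while the very next line matches the same directory as `snapper-tools-@{rand6}`. Using the narrower pattern in both places, `@{run}/snapper-tools-@{rand6}/ r,`, keeps the profile from matching any other `snapper-tools-` prefixed name under `@{run}`. Separately, the new `/dev/pts/@{int} rw,` grants read/write on every pty without `owner`; that matches the existing `/dev/tty@{int} rw,` beside it, but if it is only needed for an inherited terminal, a `# file_inherit` comment like the one in the unix-chkpwd hunk would document the intent. The profile body extends beyond the hunk.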
@@ -55,7 +56,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/motd.legal-displayed rw,
- @{run}/motd.d/ r,
+ @{run}/motd.d/{,*} r,
  @{run}/dbus/system_bus_socket rw,
  @{run}/faillock/* rwk,
  @{run}/motd.dynamic{,.new} rw,
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 904366c3..a82d9a2e 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -34,6 +34,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
  @{bin}/systemctl rPx -> child-systemctl,
  @{bin}/systemd-detect-virt rPx,
  @{bin}/udevadm rPx,
+ @{bin}/unix_chkpwd rPx,
  @{bin}/whiptail rPx,
  @{bin}/who rix,
  @{lib}/needrestart/iucode-scan-versions rPx,
diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd
index b0fe9533..9f11179a 100644
--- a/apparmor.d/profiles-s-z/unix-chkpwd
+++ b/apparmor.d/profiles-s-z/unix-chkpwd
@@ -21,5 +21,9 @@ profile unix-chkpwd @{exec_path} {
  /etc/shadow r,
+ # file_inherit
+ /dev/pts/@{int} rw,
+ owner /dev/tty@{int} rw,
+ include if exists }
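Review bot: Nothing near the added `@{bin}/unix_chkpwd rPx,` says why needrestart has to execute the password-checking helper, whose profile (last hunk of this commit) can read `/etc/shadow`. The `Px` transition keeps the helper confined under its own profile, which is the right mode, but the rule deserves a one-line comment naming the code path or audit denial that required it, so a later reviewer can tell a real need from a rule copied from a log. The same line is added to sddm and login, where password authentication is the program's job and the need is easier to accept. The profile body continues outside the hunk.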
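Review bot: The two inherited-terminal rules are scoped differently: `owner /dev/tty@{int} rw,` is limited to devices owned by the process's uid, while `/dev/pts/@{int} rw,` lets the helper open any pseudo-terminal read/write. Since this profile is now entered from sddm, login and needrestart and can read `/etc/shadow`, the pty rule should be as tight as the tty one, `owner /dev/pts/@{int} rw,`. If the helper's effective uid makes `owner` unusable there (not visible in this hunk), a comment next to the rule should say so.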