diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open
index 20884670..fc08e638 100644
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@@ -32,8 +32,17 @@
   @{bin}/gnome-text-editor rPUx,
   /usr/share/code/{bin/,}code rPUx,
 
-  # Others
+  # Emails
+  @{thunderbird_path} rPx,
+  @{bin}/geany rPUx,
+
+  # Documents viewers
+  @{bin}/evince rPx,
+  @{bin}/okular rPx,
   @{bin}/*{F,f}oliate rPUx,
+  @{bin}/YACReader rPx,
+
+  # Others
   @{bin}/blueman-tray rPx,
   @{bin}/discord{,-ptb} rPx,
   @{bin}/draw.io rPUx,
@@ -41,13 +50,11 @@
   @{bin}/element-desktop rPx,
   @{bin}/engrampa rPx,
   @{bin}/eog rPUx,
-  @{bin}/evince rPx,
   @{bin}/extension-manager rPx,
   @{bin}/file-roller rPUx,
   @{bin}/filezilla rPx,
   @{bin}/flameshot rPx,
   @{bin}/flatpak rPUx,
-  @{bin}/geany rPx,
   @{bin}/gimp* rPUx,
   @{bin}/gnome-calculator rPUx,
   @{bin}/gnome-disk-image-mounter rPx,
@@ -62,7 +69,6 @@
   @{bin}/steam-runtime rPUx,
   @{bin}/teams rPUx,
   @{bin}/telegram-desktop rPx,
-  @{bin}/thunderbird rPx,
   @{bin}/transmission-gtk rPx,
   @{bin}/viewnior rPUx,
   @{bin}/vlc rPUx,
diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client
index 598f8f23..460efc5a 100644
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@@ -27,7 +27,7 @@
   owner @{HOME}/.libao r,
   owner @{HOME}/.esd_auth r,
 
-  owner @{user_cache_dirs}/event-sound-cache.@{md5}.@{multiarch} rwk, # libcanberra
+  @{user_cache_dirs}/event-sound-cache.@{md5}.@{multiarch} rwk, # libcanberra
 
   owner @{user_config_dirs}/pulse/ rw,
   owner @{user_config_dirs}/pulse/client.conf r,
diff --git a/apparmor.d/abstractions/audio.d/complete b/apparmor.d/abstractions/audio.d/complete
index f9e4cfce..51838adc 100644
--- a/apparmor.d/abstractions/audio.d/complete
+++ b/apparmor.d/abstractions/audio.d/complete
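Review bot: `@{bin}/geany rPUx,` in the new `# Emails` group relaxes geany from the `rPx` that the second hunk removes to `rPUx`, i.e. an unconfined fallback whenever no geany profile is loaded, and it files a text editor under an e-mail heading; unless the geany profile was deliberately dropped, keep `@{bin}/geany rPx,` and place it next to `gnome-text-editor` with the other editors, or add a comment stating why the unconfined fallback is wanted. `@{thunderbird_path} rPx,` replacing `@{bin}/thunderbird rPx,` widens the match to whatever that variable expands to, which is fine for a `Px` transition but deserves a one-line note since the variable is defined outside this file. The heading `# Documents viewers` should read `# Document viewers`.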
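Review bot: Dropping `owner` from the libcanberra cache rule in the audio-client hunk lets a confined process write and lock `event-sound-cache.*` files belonging to other users under any directory `@{user_cache_dirs}` matches, which is exactly what `owner` prevented, and the neighbouring pulse rules keep it. If the relaxation is needed because the cache file ends up owned by a different uid than the process (for instance an application started through sudo with a user's HOME), say so in the trailing comment, e.g. `# libcanberra, cache may be owned by another uid`, so the missing `owner` is not later "fixed" back. Otherwise prefer keeping the `owner ... rwk` rule and adding a separate non-owner `r` rule for the read-only case.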
@@ -7,7 +7,7 @@
   @{lib}/ladspa/ r,
   @{lib}/ladspa/*.so mr,
 
-  @{run}/udev/data/+sound:card@{int} r,
+  @{run}/udev/data/+sound:card@{int} r, # for sound card
 
   @{sys}/class/ r,
   @{sys}/class/sound/ r,
diff --git a/apparmor.d/abstractions/audio2 b/apparmor.d/abstractions/audio2
index 730d7af5..87a00b5a 100644
--- a/apparmor.d/abstractions/audio2
+++ b/apparmor.d/abstractions/audio2
@@ -6,7 +6,7 @@
 
   include
 
-  @{run}/udev/data/+sound:card@{int} r,
+  @{run}/udev/data/+sound:card@{int} r, # for sound card
 
   @{sys}/class/ r,
   @{sys}/class/sound/ r,
diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint
index 11c28083..17374de8 100644
--- a/apparmor.d/abstractions/bus/net.reactivated.Fprint
+++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint
@@ -4,17 +4,17 @@
 
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
-       member=GetDefaultDevice
+       member={GetDevices,GetDefaultDevice}
        peer=(name=:*, label=fprintd),
 
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
-       member=GetDefaultDevice
+       member={GetDevices,GetDefaultDevice}
        peer=(name=net.reactivated.Fprint),
 
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
-       member=GetDefaultDevice
+       member={GetDevices,GetDefaultDevice}
        peer=(name=net.reactivated.Fprint, label=fprintd),
 
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
index a01194a5..6775a6e6 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
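Review bot: In the Fprint hunk the third rule (`peer=(name=net.reactivated.Fprint, label=fprintd)`) is entirely covered by the second, which matches the same well-known name with any peer label, so the `label=fprintd` constraint there restricts nothing and the identical member set is now maintained three times. Either drop the third rule or put a comment above the second one explaining why a label-less match is needed (presumably hosts where fprintd runs unconfined), e.g. `# fprintd may be unconfined, so no label is matched`. `GetDevices` hands back per-device object paths the caller will then talk to; whether this abstraction also covers `/net/reactivated/Fprint/Device/*` is outside the hunk and worth checking.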
@@ -11,6 +11,10 @@
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
        peer=(name=org.freedesktop.PackageKit, label=packagekitd),
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=org.freedesktop.PackageKit),
 
   dbus send bus=system path=/org/freedesktop/PackageKit
        interface=org.freedesktop.PackageKit
diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home
index 292e2db9..f31b0d40 100644
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@@ -37,6 +37,7 @@
   deny @{user_config_dirs}/*-store/{,**} mrwkl,
   deny @{user_config_dirs}/chromium/{,**} mrwkl,
   deny @{user_password_store_dirs}/{,**} mrwkl,
+  deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
 
   # Deny executable mapping in writable space as allowed in abstractions/fonts
   deny @{HOME}/.{,cache/}fontconfig/ rw,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index d827dac6..07a1c863 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -5,7 +5,7 @@
 
   @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
   @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
-  @{lib}/frei0r-[0-9]/*.so mr,
+  @{lib}/frei0r-@{int}/*.so mr,
 
   # FIXME: not compatible with FSP mode due conflicting x modifiers
   @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mrix,
diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict
index 9cfcb76f..ad10304c 100644
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
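Review bot: The Introspect rule added in the PackageKit hunk, `peer=(name=org.freedesktop.PackageKit)` with no `label=`, subsumes the labeled rule directly above it, so `label=packagekitd` on the first rule no longer restricts anything; if the unlabeled variant is there for systems where packagekitd is not confined, record it, e.g. `# packagekitd may run unconfined, so no label is matched`, so the loosening is not later read as an oversight. Introspect only exposes interface metadata, so the practical risk is small, but the same label-less pattern on the `org.freedesktop.PackageKit` method rule that starts at the end of the hunk would matter more; that rule continues outside the hunk.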
@@ -3,6 +3,9 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Many programs wish to perform nameservice-like operations, such as looking up
+# users by name or id, groups by name or id, hosts by name or IP, etc.
+
   @{etc_ro}/default/nss r,
   @{etc_ro}/gai.conf r,
   @{etc_ro}/group r,
@@ -14,11 +17,14 @@
   @{etc_ro}/resolv.conf r,
   @{etc_ro}/services r,
 
-  /var/lib/nscd/group r,
-  /var/lib/nscd/passwd r,
+  # On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
+  @{etc_ro}/authselect/nsswitch.conf r,
 
+  # Alternative location for group & passwd files
   /var/lib/extrausers/group r,
   /var/lib/extrausers/passwd r,
+  /var/lib/nscd/group r,
+  /var/lib/nscd/passwd r,
 
   @{run}/nscd/db* r,
   @{run}/resolvconf/resolv.conf r,
@@ -26,6 +32,14 @@
   @{run}/systemd/resolve/stub-resolv.conf r,
 
   # NSS records from systemd-userdbd.service
+  #
+  # Allow User/Group lookups via common VarLink socket APIs. Applications need
+  # to either consult all of them or the io.systemd.Multiplexer frontend.
+  #
+  # https://systemd.io/USER_GROUP_API/
+  # https://systemd.io/USER_RECORD/
+  # https://www.freedesktop.org/software/systemd/man/nss-systemd.html
+  #
   @{run}/systemd/userdb/ r,
   @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
   @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
diff --git a/apparmor.d/abstractions/systemctl b/apparmor.d/abstractions/systemctl
index 9863982c..4f83aba3 100644
--- a/apparmor.d/abstractions/systemctl
+++ b/apparmor.d/abstractions/systemctl
@@ -12,10 +12,14 @@
 
   owner @{run}/systemd/private rw,
 
+  @{PROC}/1/cgroup r,
   @{PROC}/1/environ r,
   @{PROC}/1/sched r,
   @{PROC}/cmdline r,
+  @{PROC}/sys/fs/nr_open r,
   @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/stat r,
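Review bot: The four `@{PROC}` reads added in the systemctl hunk carry no justification, while the nameservice-strict hunks in the same commit annotate comparable lines with trailing comments; `@{PROC}/1/cgroup r,` and `@{PROC}/sys/kernel/random/boot_id r,` in particular hand every profile that includes this abstraction PID 1's cgroup path and the machine's boot id, cheap but still something a reader should not have to guess at. Suggest recording the observed need next to each line, hedged to what the audit log actually showed, e.g. `@{PROC}/1/cgroup r, # seen in audit log, presumably systemd container/cgroup detection - confirm` and `@{PROC}/sys/kernel/random/boot_id r, # seen in audit log, boot id lookup - confirm`. The `owner @{PROC}/@{pid}/cgroup r,` line is consistent with the `comm`/`fd`/`stat` rules below it and needs no change.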