diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 9f863a85..b0e76d68 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -39,6 +39,7 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/ rw, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, owner /var/cache/debconf/tmp.ci/ r, + owner /var/cache/debconf/tmp.ci/* rix, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index e179828c..8246a542 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -39,6 +39,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, + owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 75818743..9f7740fe 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -30,7 +30,7 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { /usr/share/**/icons/**.png r, /usr/share/icons/**.png rw, /usr/share/icons/*/.xdg-icon-resource-dummy rw, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, owner /tmp/.com.google.Chrome.*/chrome-*.png r, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 364c6a8b..97a4da2f 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -33,7 +33,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/xprop rPx, @{bin}/ktraderclient5 rPx, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, owner @{HOME}/.Xauthority r, owner @{user_config_dirs}/mimeapps.list{,.new} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 4153c11e..5bc0ca6b 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -34,7 +34,7 @@ profile xdg-settings @{exec_path} { @{bin}/xdg-mime rPx, @{bin}/xprop rPx, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/xdg/xfce4/helpers.rc r, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d27d5cf3..e4dbe258 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -29,6 +29,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { capability sys_resource, capability sys_tty_config, + network netlink raw, + signal (receive) set=term peer=gdm, signal (receive) set=hup peer=@{systemd}, signal (send) set=hup peer=at-spi*, @@ -45,8 +47,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=xwayland, signal (send) set=term peer=gdm-*-session, - network netlink raw, - dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=*Session diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index e6586162..a6631d7b 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -30,7 +30,7 @@ profile gnome-extensions-app @{exec_path} { /usr/share/gnome-shell/org.gnome.Extensions* r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /usr/share/X11/xkb/{,**} r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index a4dc52d9..ee7f9410 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -73,6 +73,9 @@ profile gnome-terminal-server @{exec_path} { /etc/pulse/client.conf.d/{,**} r, /etc/shells r, + /var/lib/flatpak/exports/share/icons/{,**} r, + /var/lib/snapd/desktop/icons/{,**} r, + owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk, owner @{user_config_dirs}/*xdg-terminals.list* rw, @@ -81,6 +84,8 @@ profile gnome-terminal-server @{exec_path} { owner @{run}/user/@{uid}/pulse/ r, owner @{run}/user/@{uid}/pulse/native rw, + owner /tmp/#@{int} rw, + @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index a821c61a..8f1d6770 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -91,10 +91,10 @@ profile gsd-xsettings @{exec_path} { owner @{user_cache_dirs}/mesa_shader_cache/index rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/fd/ r, @@ -108,6 +108,7 @@ profile gsd-xsettings @{exec_path} { /etc/X11/Xresources/ r, + include if exists } include if exists diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 76845e2a..33b0699c 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -114,13 +114,13 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /usr/share/nautilus/{,**} r, /usr/share/poppler/{,**} r, /usr/share/sounds/freedesktop/stereo/*.oga r, - /usr/share/terminfo/ r, + /usr/share/terminfo/** r, /usr/share/thumbnailers/{,**} r, /usr/share/tracker*/{,**} r, /etc/fstab r, - /var/cache/fontconfig/ r, + /var/cache/fontconfig/ rw, /var/lib/snapd/desktop/icons/{,**} r, # Full access to user's data diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index fb8148c8..cb701a0e 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -72,7 +72,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /etc/default/grub.d/{*,} r, /usr/share/grub/{**,} r, - /usr/share/terminfo/{,x/xterm-256color} r, + /usr/share/terminfo/** r, /.zfs/snapshot/*/boot/ r, /.zfs/snapshot/*/etc/{machine-id,} r, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index 67e882f9..55ebaefa 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -12,7 +12,7 @@ profile iwctl @{exec_path} { @{exec_path} mr, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/inputrc r, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index f60123bb..bb154586 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -28,7 +28,7 @@ profile wg-quick @{exec_path} { @{bin}/wg rPx, @{bin}/xtables-nft-multi rix, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/iproute2/group r, /etc/iproute2/rt_realms r, diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 7f86ef1e..214a8100 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -25,7 +25,7 @@ profile arch-audit @{exec_path} { /etc/arch-audit/settings.toml r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /var/lib/pacman/local/{,**} r, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 3b5b79ad..eac46d3b 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -43,7 +43,7 @@ profile aurpublish @{exec_path} { @{bin}/wc rix, /usr/share/makepkg/{,**} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/makepkg.conf r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 1cacb88a..8ef5431e 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -85,7 +85,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /usr/share/plymouth/*.png r, /usr/share/plymouth/plymouthd.defaults r, /usr/share/plymouth/themes/{,**} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, # Can copy any program to the initframs /{usr/,}{local/,}{s,}bin/ r, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 1433f1ef..bcc47498 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -29,7 +29,7 @@ profile paccache @{exec_path} { @{bin}/xargs rix, /usr/share/makepkg/util/*.sh r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /var/cache/pacman/pkg/{,*} rw, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 63e3bcbe..c8a9ba9c 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -31,7 +31,7 @@ profile pacman-key @{exec_path} { /usr/share/makepkg/{,**} r, /usr/share/pacman/keyrings/{,*} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/pacman.d/gnupg/gpg.conf r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 7e357cdb..eaade5ab 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -30,7 +30,10 @@ profile ssh @{exec_path} { @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config.d/{,*} r, - + /etc/machine-id r, + /etc/ssh/ssh_config r, + /etc/ssh/ssh_config.d/{,*} r, + owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, owner @{HOME}/@{XDG_SSH_DIR}/config r, @@ -40,17 +43,12 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - /etc/ssh/ssh_config r, - /etc/ssh/ssh_config.d/{,*} r, - # Needed to work for systemd-homed users - /etc/machine-id r, - @{run}/systemd/userdb/ r, - + owner /tmp/ssh-*/{,agent.[0-9]*} rwkl, + owner @{run}/user/@{uid}/keyring/ssh rw, + owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, - owner /tmp/ssh-*/{,agent.[0-9]*} rwkl, - include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index f21a12e6..dd5f7ba6 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -61,7 +61,7 @@ profile coredumpctl @{exec_path} flags=(complain) { /usr/share/gcc/** r, /usr/share/gdb/{,**} r, /usr/share/glib-2.0/gdb/{,**} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/inputrc r, /etc/gdb/** r, diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index e59777f6..2e39cf52 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -25,7 +25,6 @@ profile systemd-shutdown @{exec_path} { @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cmdline r, - @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/sys/kernel/core_pattern w, owner @{PROC}/sys/kernel/printk rw, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 91dafb2a..4453d7e0 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/apport/apport -profile apport @{exec_path} { +profile apport @{exec_path} flags=(attach_disconnected) { include include include @@ -15,7 +15,11 @@ profile apport @{exec_path} { include capability fsetid, + capability setgid, + capability setuid, + capability sys_ptrace, + ptrace (read) peer=gnome-shell, ptrace (read) peer=snap.cups.cupsd, @{exec_path} mr, @@ -27,11 +31,11 @@ profile apport @{exec_path} { @{run}/apport.lock rwk, - @{PROC}/sys/fs/suid_dumpable w, - @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/core_pattern w, - @{PROC}/sys/kernel/core_pipe_limit w, - owner @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/fs/suid_dumpable w, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/core_pattern w, + @{PROC}/sys/kernel/core_pipe_limit w, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 39e41ec6..db2a8e29 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -14,23 +14,25 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, capability syslog, - ptrace (read), - network inet dgram, network inet6 dgram, + # mqueue type=posix /, + + ptrace (read), + @{exec_path} mr, @{bin}/{,ba,da}sh rix, @{bin}/fuser rix, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/unix r, - owner @{PROC}/@{pid}/stat r, @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/maps r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/unix r, + owner @{PROC}/@{pid}/stat r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 07222cf2..4c264491 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -19,7 +19,7 @@ profile aa-enforce @{exec_path} { @{bin}/ r, @{bin}/apparmor_parser rPx, - /usr/share/terminfo/{,**} r, + /usr/share/terminfo/** r, /etc/apparmor/logprof.conf r, /etc/apparmor.d/{,**} rw, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 5f68dd21..a7632528 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -25,18 +25,15 @@ profile aa-notify @{exec_path} { /etc/apparmor/*.conf r, /etc/inputrc r, - /usr/etc/inputrc.keys r, - /usr/share/terminfo/d/dumb r, - /usr/share/terminfo/x/xterm r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /var/log/audit/audit.log r, owner @{HOME}/.inputrc r, owner @{HOME}/.terminfo/@{int}/dumb r, - owner /tmp/*@{rand6} rw, + owner /tmp/@{rand8} rw, owner /tmp/apparmor-bugreport-*.txt rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/profiles-a-f/aa-teardown index 25483997..5640087f 100644 --- a/apparmor.d/profiles-a-f/aa-teardown +++ b/apparmor.d/profiles-a-f/aa-teardown @@ -18,7 +18,7 @@ profile aa-teardown @{exec_path} { @{bin}/{,ba,da}sh rix, @{lib}/apparmor/apparmor.systemd rPx, - /usr/share/terminfo/x/* r, + /usr/share/terminfo/** r, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 874a3a57..0e5eae47 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -40,8 +40,8 @@ profile atril @{exec_path} { @{bin}/atril-previewer rPx, - @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, - @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, + @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix, /usr/share/atril/{,**} r, /usr/share/poppler/{,**} r, diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 7812baa2..e57c2ce8 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -21,7 +21,7 @@ profile code-extension-git-askpass @{exec_path} { @{bin}/rm rix, @{lib}/electron@{int}/electron rix, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, owner /tmp/tmp.* rw, diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index e454571b..f37316a1 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -21,7 +21,7 @@ profile dmesg @{exec_path} { @{bin}/less rPx -> child-pager, /dev/kmsg r, - /usr/share/terminfo/{,**} r, + /usr/share/terminfo/** r, deny /{usr/,}local/bin/ r, deny @{bin}/{,*/} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index cf6f2b7e..879ea90e 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gdk-pixbuf-query-loaders profile gdk-pixbuf-query-loaders @{exec_path} { include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 7e8323cd..98b872c2 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -78,7 +78,7 @@ profile git @{exec_path} { @{bin}/vim.* rCx -> editor, /usr/share/git{,-core}/{,**} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/gitconfig r, /etc/mailname r, @@ -175,7 +175,7 @@ profile git @{exec_path} { @{bin}/which{,.debianutils} rix, /usr/share/vim/{,**} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/vimrc r, /etc/vim/{,**} r, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 90fabfb3..e22c416a 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 8f1ef80e..0776d2bf 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -18,16 +18,18 @@ profile htop @{exec_path} { capability sys_nice, capability sys_ptrace, - signal (send), - ptrace (read), - network netlink raw, + signal (send), + signal (receive) set=(hup) peer=gnome-terminal-server, + + ptrace (read), + @{exec_path} mr, @{bin}/lsof rix, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/sensors.d/ r, /etc/sensors3.conf r, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index fecf090c..6ada1972 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -28,7 +28,7 @@ profile hugo @{exec_path} { /usr/share/git{,-core}/{,**} r, /usr/share/mime/{,**} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/mime.types r, diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index 1a4617ae..508d0455 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,12 +11,12 @@ include profile jami-gnome @{exec_path} { include include - include - include - include - include include include + include + include + include + include include include include @@ -24,6 +25,12 @@ profile jami-gnome @{exec_path} { @{exec_path} mr, + @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix, + + /usr/share/ring/{,**} r, + /usr/share/sounds/jami-gnome/{,**} r, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/jami-gnome/ rw, owner @{user_cache_dirs}/jami-gnome/** rw, @@ -38,11 +45,9 @@ profile jami-gnome @{exec_path} { owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, - @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, - @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, - - /usr/share/ring/{,**} r, - /usr/share/sounds/jami-gnome/{,**} r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/** r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/smaps r, @@ -50,9 +55,5 @@ profile jami-gnome @{exec_path} { owner @{PROC}/@{pid}/cgroup r, @{PROC}/zoneinfo r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/** r, - include if exists } diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 81fa7816..ee94e843 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov -# Copyright (C) 2021-203 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 7f3310a8..95798bab 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -28,7 +28,7 @@ profile modprobed-db @{exec_path} { @{bin}/uniq rix, @{bin}/wc rix, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, owner @{user_config_dirs}/modprobed-db.conf r, owner @{user_config_dirs}/modprobed.db rw, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 5c270a5d..509f913e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -22,7 +22,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, owner @{user_config_dirs}/nvtop/{,**} rw, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index bba20dec..373140a9 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -51,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{lib}/os-probes/{,**} rix, /usr/share/os-prober/common.sh r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /var/lib/os-prober/{,**} rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 8d014130..2e69c5ab 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -55,7 +55,7 @@ profile pass @{exec_path} { @{bin}/qrencode rPUx, # pass-otp @{bin}/tomb rPUx, # pass-tomb - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, owner @{user_password_store_dirs}/{,**} rw, owner /dev/shm/pass.*/{,*} rw, @@ -75,7 +75,7 @@ profile pass @{exec_path} { /etc/vim/{,**} r, /etc/vimrc r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /usr/share/vim/{,**} r, /tmp/ r, diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index 491b097f..cf6f9f62 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -15,7 +15,7 @@ profile pinentry-curses @{exec_path} { @{bin}/{,ba,da}sh rix, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 5762132b..39fe1c31 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -103,7 +103,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) /usr/lib/os-release rk, /usr/share/fonts/**.{ttf,otf} rk, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /usr/share/themes/{,**} r, /usr/share/X11/{,**} r, /usr/share/zenity/* r, diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 6c15d14e..d7d48473 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -55,8 +55,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { mount -> /tmp/newroot/, umount /{,oldroot/}, - pivot_root /newroot/, - pivot_root oldroot=/tmp/oldroot/ /tmp/, + pivot_root oldroot=/newroot/ -> /newroot/, + pivot_root oldroot=/tmp/oldroot/ -> /tmp/, signal (receive) peer=steam, @@ -122,7 +122,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { /usr/share/egl/{,**} r, /usr/share/icons/{,**} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, /etc/machine-id r, /etc/udev/udev.conf r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 50340488..14d76ad8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -16,7 +16,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { capability sys_boot, - dbus (bind) bus=system name=org.freedesktop.thermald, + dbus bind bus=system name=org.freedesktop.thermald, dbus send bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties @@ -25,8 +25,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/thermald/thermal-conf.xml r, - /etc/thermald/thermal-cpu-cdev-order.xml r, + /etc/thermald/{,*} r, owner @{run}/thermald/ rw, owner @{run}/thermald/thd_preference.conf rw, diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index 8c657671..9591cee8 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -31,7 +31,7 @@ profile top @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/** r, @{PROC}/ r, @{PROC}/loadavg r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index ddcdab8b..0a3de6a5 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2022 Mikhail Morfikov -# Copyright (C) 2021-2022 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -23,6 +23,8 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { capability net_raw, capability sys_module, + network inet dgram, + network inet6 dgram, network netlink raw, network packet dgram, network packet raw, @@ -30,7 +32,8 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { dbus bind bus=system name=fi.w1.wpa_supplicant1, dbus receive bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties - member=GetAll, + member=GetAll + peer=(name=:*), @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index f763aa50..4e102e65 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -12,13 +12,13 @@ profile xinit @{exec_path} { include include - @{exec_path} mr, - signal (receive) set=(usr1) peer=xorg, signal (send) set=(term, kill) peer=xorg, signal (send) set=(hup), + @{exec_path} mr, + @{bin}/ r, @{bin}/{,ba,da}sh rix, @{bin}/{,e}grep rix, @@ -86,6 +86,7 @@ profile xinit @{exec_path} { owner /dev/tty@{int} rw, owner @{HOME}/.xsession-errors w, + include if exists } profile udevadm { @@ -95,25 +96,26 @@ profile xinit @{exec_path} { /etc/udev/udev.conf r, - owner @{PROC}/@{pid}/stat r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, - @{PROC}/1/environ r, - @{PROC}/sys/kernel/osrelease r, - - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - + @{run}/udev/data/* r, + @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/class/ r, @{sys}/class/*/ r, @{sys}/devices/**/uevent r, - @{run}/udev/data/* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/stat r, # file_inherit owner /dev/tty@{int} rw, owner @{HOME}/.xsession-errors w, + include if exists } include if exists