diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 104804eb..7eec8460 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -127,7 +127,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/crash/{,*.@{uid}.crash} rw, /var/lib/apt/extended_states{,.*} rw, - /var/lib/apt/lists/** rw, + /var/lib/apt/lists/{,**} rw, /var/lib/apt/lists/lock rwk, /var/lib/apt/periodic/update-success-stamp rw, /var/lib/dpkg/** r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index ea1b026a..c112829b 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -25,6 +25,8 @@ profile evolution-source-registry @{exec_path} { interface=org.freedesktop.DBus.Introspectable peer=(name=:*, label=gnome-shell), + dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9], + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index f6eaf8ab..4d4f9050 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -31,14 +31,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=at-spi*, signal (send) set=hup peer=dbus-daemon, signal (send) set=hup peer=dbus-run-session, + signal (send) set=hup peer=dconf-service, signal (send) set=hup peer=gjs-console, signal (send) set=hup peer=gnome-*, signal (send) set=hup peer=gsd-*, signal (send) set=hup peer=ibus-*, + signal (send) set=hup peer=tracker-miner, + signal (send) set=hup peer=xdg-permission-store, signal (send) set=hup peer=xorg, signal (send) set=hup peer=xwayland, - signal (send) set=hup peer=xdg-permission-store, - signal (send) set=hup peer=tracker-miner, signal (send) set=term peer=gdm-*-session, network netlink raw, 
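Review bot: The new bind rule `dbus bind bus=session name=org.gnome.evolution.dataserver.Sources[0-9],` in the evolution-source-registry hunk matches a single trailing digit only, so the bind is denied as soon as that suffix reaches 10. If the suffix is the dataserver API version (one digit today) this works for now, but it will fail silently later; the rest of this set spells numeric suffixes with `@{int}`, so `dbus bind bus=session name=org.gnome.evolution.dataserver.Sources@{int},` would be the consistent form. The enclosing profile block starts and ends outside the hunk.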
diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index 2e2b5623..f27cdf5b 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -39,6 +39,8 @@ profile gnome-extension-manager @{exec_path} { /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 26049757..68a2f341 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -143,6 +143,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{bin}/gsettings-data-convert rix, @{bin}/mkdir rix, @{bin}/session-migration rix, + @{bin}/touch rix, @{bin}/xdg-user-dirs-gtk-update rix, @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rix, @{lib}/at-spi-bus-launcher rPx, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index f30b1e3f..548c81b3 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -11,14 +11,15 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include include include include - include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 5a8a5bb2..3120e5bd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -42,6 +42,9 @@ profile gvfsd-metadata @{exec_path} { /var/lib/gdm{3,}/.local/share/gvfs-metadata/{,*} rw, + owner @{HOME}/.local/ w, + + owner @{user_share_dirs}/ w, owner @{user_share_dirs}/gvfs-metadata/{,*} rw, owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw, 
diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index d5cd6e19..29036dd7 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -17,10 +17,19 @@ profile drkonqi @{exec_path} { network inet6 stream, network netlink raw, + signal send set=(cont, stop) peer=/usr/bin/akonadiserver, + + ptrace read peer=/usr/bin/akonadiserver, + @{exec_path} mr, /usr/share/drkonqi/{,**} r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/knotifications5/*.notifyrc r, + + owner @{user_cache_dirs}/kcrash-metadata/* w, + + owner /tmp/xauth_@{rand6} r, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 4a598e85..cac446fe 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -16,18 +16,29 @@ profile kactivitymanagerd @{exec_path} { @{exec_path} mr, + /etc/xdg/menus/{,*/} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/kservices5/{,**} r, /etc/xdg/kdeglobals r, /etc/machine-id r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, + + owner @{user_cache_dirs}/ksycoca5_* r, + owner @{user_config_dirs}/kactivitymanagerdrc r, owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, + owner @{user_share_dirs}/kservices5/{,**} r, + owner @{user_share_dirs}/RecentDocuments/ r, owner @{user_share_dirs}/RecentDocuments/*.desktop w, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 4a44ec24..b970825c 100644 --- a/apparmor.d/groups/kde/kcminit 
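Review bot: The peer in `signal send set=(cont, stop) peer=/usr/bin/akonadiserver,` and `ptrace read peer=/usr/bin/akonadiserver,` is a filesystem path, whereas every other peer in this diff is a profile name (`peer=virtqemud`, `peer=pinentry-qt`). AppArmor compares `peer=` against the target's label, which is the profile name for a named profile and `unconfined` for an unconfined process, so these two rules only match if akonadiserver runs under a profile literally named `/usr/bin/akonadiserver`. If this set ships an akonadiserver profile, `peer=akonadiserver` is the form that will actually match; the hard-coded `/usr/bin/` also sidesteps the `@{bin}` variable used everywhere else. The profile block starts and ends outside the hunk.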
+++ b/apparmor.d/groups/kde/kcminit @@ -45,6 +45,9 @@ profile kcminit @{exec_path} { owner /tmp/kcminit.@{rand6} rwl, owner /tmp/#@{int} rw, + owner /tmp/.touchpaddefaults wl, + owner /tmp/.touchpaddefaults.lock rwk, + @{run}/user/@{uid}/xauth_@{rand6} rl, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index fd778286..ab66d94f 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -104,6 +104,7 @@ profile kded5 @{exec_path} { owner @{user_share_dirs}/kcookiejar/cookies.@{rand6} rwlk, owner @{user_share_dirs}/kded5/{,**} rw, owner @{user_share_dirs}/kscreen/{,**} rwl, + owner @{user_share_dirs}/kservices5/{,**} r, owner @{user_share_dirs}/ktp/cache.db rwk, owner @{user_share_dirs}/remoteview/ r, owner @{user_share_dirs}/services5/{,**} r, diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5 index 3642bb24..4d5a0ca4 100644 --- a/apparmor.d/groups/kde/kioslave5 +++ b/apparmor.d/groups/kde/kioslave5 @@ -46,12 +46,15 @@ profile kioslave5 @{exec_path} { /etc/xdg/kwinrc r, /etc/xdg/menus/{,**} r, + owner @{MOUNTDIRS}/** r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_cache_dirs}/ksycoca5_* r, owner @{user_cache_dirs}/thumbnails/*/ r, + owner @{user_cache_dirs}/kio_http/* rwl, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, @@ -61,6 +64,7 @@ profile kioslave5 @{exec_path} { owner @{user_share_dirs}/baloo/index-lock rwk, owner @{user_share_dirs}/baloo/index rw, + @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 5537ca65..0fbc0e8d 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
@@ -29,10 +29,14 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include + network inet dgram, + network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + ptrace read peer=pinentry-qt, + signal (send), dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*} @@ -145,6 +149,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma/plasmoids/{,**} r, owner @{user_share_dirs}/user-places.xbel r, + @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kdesud_:1 w, diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession index 3c3c4d94..419dd526 100644 --- a/apparmor.d/groups/kde/xdm-xsession +++ b/apparmor.d/groups/kde/xdm-xsession @@ -87,6 +87,8 @@ profile xdm-xsession @{exec_path} { owner /tmp/ssh-*/ rw, owner /tmp/ssh-*/agent.* rw, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index e05610d9..c64d896e 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -118,7 +118,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { /etc/iproute2/group r, /etc/iproute2/rt_tables.d/ r, /etc/iproute2/rt_tables rw, - /etc/iproute2/sed* rw, + /etc/iproute2/sed@{rand6} rw, owner @{PROC}/sys/net/ipv{4,}/route/flush w, diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 91d38be9..7f86ef1e 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -35,5 +35,7 @@ profile arch-audit @{exec_path} { @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + /dev/pts/@{int} rw, + include if exists } 
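Review bot: `signal (send),` in the first plasmashell hunk grants every signal to every peer, confined or not, which is far wider than the `set=`/`peer=`-qualified signal rules elsewhere in this diff (gdm-session-worker, drkonqi). A shell does need to stop or kill the applications it launched, but that is expressible as `signal (send) set=(term, kill) peer=<peers observed in the audit log>,`; if any signal to any process really is intended, a comment saying so would help the next reader. `ptrace read peer=pinentry-qt,` is narrower but also deserves a comment, since pinentry-qt handles passphrases and PTRACE_MODE_READ exposes its /proc entries (environ, maps) to plasmashell. The profile block starts and ends outside the hunk.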
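Review bot: `/dev/pts/@{int} rw,` is added to arch-audit as a bare rule, and the identical line is added to pacdiff and sbctl further down. Upstream AppArmor ships `abstractions/consoles`, which already covers `/dev/pts/[0-9]* rw` together with the other tty nodes, so if this set uses that abstraction a single `include <abstractions/consoles>` per profile would replace three hand-written rules and keep them consistent. The include lines of these hunks are not visible here, so some of them may already be covered. The arch-audit profile block starts outside the hunk and closes inside it.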
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 801e9d39..950db8d9 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -42,6 +42,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /var/{,**} r, /dev/tty rw, + /dev/pts/@{int} rw, # Inherit Silencer deny /apparmor/.null rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index c9fe9d1b..4f8638cd 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -7,8 +7,7 @@ abi , include -@{exec_path} = @{bin}/udevadm -@{exec_path} += @{lib}/systemd/systemd-udevd +@{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index d4ffa988..0e7725b3 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -15,6 +15,11 @@ profile livepatch-notification @{exec_path} { include include + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=at-spi-bus-launcher), + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 3356d25a..0fa35270 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
@@ -32,11 +32,13 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + mount fstype=overlayfs overlay -> /var/lib/docker/overlay2/*/merged/, mount options=(rw, bind) -> /run/docker/netns/*, mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/, mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/, mount options=(rw, rprivate) -> /.pivot_root[0-9]*/, mount options=(rw, rslave) -> /, + umount /.pivot_root[0-9]*/, umount /run/docker/netns/*, umount /var/lib/docker/overlay*/**/, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index f0fa601a..e2b815c1 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -15,16 +15,25 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { network netlink raw, ptrace (read) peer=virtqemud, + ptrace (read) peer=unconfined, @{exec_path} mr, @{bin}/dnsmasq rPx, - @{run}/utmp rk, + /etc/libvirt/libvirt.conf r, + + owner /var/lib/libvirt/dnsmasq/*.macs* rw, + + @{run}/libvirt/network/default.pid r, @{run}/systemd/inhibit/*.ref rw, + @{run}/utmp rk, + owner @{run}/libvirt/common/system.token rwk, + owner @{run}/libvirt/network/{,**} rwk, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/network/{,**} rwk, owner @{run}/user/@{uid}/libvirt/virtnetworkd* rwk, + owner @{run}/virtnetworkd.pid w, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index af21d1d2..8eb0c13b 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd 
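Review bot: `ptrace (read) peer=unconfined,` in the virtnetworkd hunk lets the daemon read the /proc state of every unconfined process on the host, not only the libvirt counterpart it presumably needs; the same line is added to virtnodedevd and virtstoraged below. The existing `ptrace (read) peer=virtqemud,` shows the preferred shape: if the counterpart (libvirtd or another modular daemon) is confined in this set, name its profile, and if it genuinely runs unconfined, record why the wide grant is accepted, e.g. `ptrace (read) peer=unconfined, # <peer process from the audit log> runs unconfined`. The profile block starts and ends outside the hunk.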
@@ -15,22 +15,33 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, + capability sys_admin, + network netlink raw, ptrace (read) peer=virtqemud, + ptrace (read) peer=unconfined, @{exec_path} mr, @{bin}/mdevctl rPx, /usr/share/hwdata/*.ids r, + /usr/share/pci.ids r, + /etc/libvirt/libvirt.conf r, + /etc/libvirt/virtnodedevd.conf r, /etc/mdevctl.d/{,**} r, @{run}/systemd/inhibit/*.ref rw, + owner @{run}/libvirt/common/system.token rwk, + owner @{run}/libvirt/nodedev/ rw, + owner @{run}/libvirt/nodedev/driver.pid wk, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/nodedev/{,**} rwk, owner @{run}/user/@{uid}/libvirt/virtnodedevd* rwk, + owner @{run}/virtnodedevd.pid wk, @{run}/utmp rk, @@ -49,9 +60,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c1:[0-9]* r, # For RAM disk @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* + @{run}/udev/data/c21:[0-9]* r, # Generic SCSI access @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* @{run}/udev/data/c90:[0-9]* r, # For RAM, ROM, Flash @{run}/udev/data/c116:[0-9]* r, # For ALSA + @{run}/udev/data/c202:[0-9]* r, # CPU model-specific registers @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]* @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 @{run}/udev/data/c24[0-9]:[0-9]* r, @@ -62,6 +75,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n[0-9]* r, @{sys}/**/ r, + @{sys}/devices/@{pci}/vpd r, @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r, @{sys}/devices/**/{config,device,vendor} r, @{sys}/devices/**/uevent r, 
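Review bot: `capability sys_admin,` and `capability net_admin,` in the first virtnodedevd hunk carry no comment naming the operation that needs them, while this same file annotates far smaller grants (`@{run}/udev/data/c21:[0-9]* r, # Generic SCSI access`). sys_admin is the broadest capability a profile can hand out (mount, namespaces and a large set of device ioctls fall under it), so in a daemon that already reads `@{sys}/**/` it deserves the same one-line justification, e.g. `capability sys_admin, # <operation observed in the audit log>`; if only one ioctl or sysfs write was seen, say which. The profile block starts and ends outside the hunk.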
@@ -71,13 +85,14 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, + @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, @{sys}/devices/virtual/net/{,**} r, @{sys}/kernel/iommu_groups/ r, @{sys}/kernel/iommu_groups/@{int}/devices/ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/mtrr w, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 366f01e5..55fd3137 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -14,15 +14,32 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, + network netlink raw, ptrace (read) peer=virtqemud, + ptrace (read) peer=unconfined, @{exec_path} mr, @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper + /etc/libvirt/libvirt.conf r, + + # For disk images + @{MOUNTS}/ r, + @{user_img_dirs}/{,**} r, + + # System VM images + /var/lib/libvirt/images/{,**} rw, + + # User VM images + owner @{user_share_dirs}/ r, + owner @{user_share_dirs}/libvirt/{,**} rw, + owner @{user_vm_dirs}/{,**} rw, + owner @{user_config_dirs}/libvirt/storage/{,**} rw, owner @{user_share_dirs}/gnome-boxes/images/{,*} rw, 
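Review bot: `owner @{PROC}/mtrr w,` lets a device-enumeration daemon rewrite the host's memory-type range registers, a system-wide change, and `owner` adds no real limit here because /proc/mtrr is root-owned and the system instance runs as root. If the write is only a side effect of a library mapping PCI resources (plausible, not verifiable from the hunk), this set's usual pattern is to silence it with `deny owner @{PROC}/mtrr w,` rather than allow it; otherwise a comment on the line explaining the need is warranted. The added `product_serial` and `product_uuid` reads expose root-only host identifiers, which is reasonable for libvirt but also worth a short comment. The profile block starts outside the hunk and closes inside it.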
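Review bot: `capability dac_read_search,` in the virtstoraged hunk lacks the why-comment the rest of the hunk uses (`# For disk images`, `# System VM images`, `# User VM images`). DAC read/search bypass only matters for files the daemon neither owns nor can read by mode, which for a storage daemon is presumably user-owned disk images; if so, `capability dac_read_search, # read user-owned disk images as the system instance` records it. Note that `@{MOUNTS}/ r,` and `@{user_img_dirs}/{,**} r,` are deliberately not `owner`-qualified, unlike the `# User VM images` block, so with this capability every user's image directory becomes readable; if that is intended it belongs in the same comment. The profile block starts and ends outside the hunk.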
@@ -34,6 +51,10 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk, owner @{run}/user/@{uid}/libvirt/storage/{,**} rwk, + owner @{run}/libvirt/common/system.token rwk, + owner @{run}/libvirt/storage/{,**} rwk, + owner @{run}/virtstoraged.pid rwk, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/utmp rwk, diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index b658ccad..49d41be3 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -24,8 +24,6 @@ profile multipath @{exec_path} { @{sys}/bus/ r, @{sys}/class/ r, - @{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/ r, - @{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/** r, @{PROC}/devices r, @{PROC}/sys/fs/nr_open r, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index d6158b67..0b330712 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -99,12 +99,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{bin}/appstreamcli rPx, - @{bin}/arch-audit rPx, - @{bin}/dpkg rPx -> child-dpkg, + @{bin}/arch-audit rPx, # only: arch + @{bin}/dpkg rPx -> child-dpkg, # only: dpkg @{bin}/glib-compile-schemas rPx, @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, - @{lib}/apt/methods/* rPx, + @{lib}/apt/methods/* rPx, # only: dpkg @{lib}/cnf-update-db rPx, @{lib}/update-notifier/update-motd-updates-available rPx, @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile @@ -126,6 +126,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{run}/zypp.pid rwk, # only: opensuse owner @{run}/systemd/users/@{uid} r, owner @{run}/zypp-rpm.pid rwk, # only: opensuse + owner @{run}/zypp/packages/ r, # only: opensuse owner /dev/shm/AP_0x@{rand6}/{,**} rw, owner /dev/shm/ r, 
diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 2ee465d6..8db8446d 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,32 +10,43 @@ include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include - include - include - include - include - include include + include + include + include + include include include include + include + include + include @{exec_path} mr, - owner @{PROC}/@{pid}/cmdline r, - - # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration - owner @{user_config_dirs}/qt5ct/{,**} r, + /usr/share/hwdata/pnp.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/qt5ct/** r, - owner @{user_cache_dirs}/#@{int} rw, - /var/lib/dbus/machine-id r, /etc/machine-id r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, - /dev/shm/#@{int} rw, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/qt5ct/{,**} r, + + owner /tmp/xauth_@{rand6} r, + owner /dev/shm/#@{int} rw, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + + owner @{PROC}/@{pid}/cmdline r, include if exists } diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 1a63f09d..b2a82dad 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -32,6 +32,8 @@ profile sbctl @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /dev/pts/@{int} rw, + # File Inherit deny network inet stream, deny network inet6 stream, 
diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 834776d3..18f2f25a 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -30,5 +30,7 @@ profile sfdisk @{exec_path} { # For disk images owner @{user_img_dirs}/{,**} rwk, + owner @{sys}/devices/pci[0-9]*/**/model r, + include if exists } diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index e0bfd90f..46813dac 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd +@{exec_path} = @{lib}/snapd/snapd /snap/snapd@{lib}/snapd/snapd profile snapd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 2444f88d..4c166422 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -33,6 +33,11 @@ profile spice-vdagent @{exec_path} { member=EventListenerDeregistered peer=(name=:*, label=at-spi2-registryd), + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=at-spi2-registryd), + dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 0502fa50..09792bd3 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -45,7 +45,8 @@ profile su @{exec_path} { @{bin}/{,b,d,rb}ash rUx, @{bin}/{c,k,tc,z}sh rUx, - @{bin}/nologin rPx, + + @{bin}/nologin rPx, @{etc_ro}/default/su r, @{etc_ro}/environment r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index d66d1d78..a68df18f 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
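Review bot: `owner @{sys}/devices/pci[0-9]*/**/model r,` in the sfdisk hunk qualifies a sysfs attribute with `owner`, but sysfs entries are root-owned, so the condition only holds when sfdisk itself runs as root and otherwise denies the read; none of the other sysfs rules in this diff use `owner`. Dropping it, `@{sys}/devices/pci[0-9]*/**/model r,`, matches the rest of the set, and since the virtnodedevd hunk writes `@{sys}/devices/@{pci}/vpd`, the `@{pci}` variable may be the intended spelling of the `pci[0-9]*/**` prefix here as well (check its definition). The profile block starts outside the hunk and closes inside it.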
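Review bot: The new snapd attachment `@{exec_path} = @{lib}/snapd/snapd /snap/snapd@{lib}/snapd/snapd` drops the snap revision directory that the removed form `/{snap/snapd/@{int}/,}{usr/,}lib/snapd/snapd` carried. If `@{lib}` expands to a root-anchored `/{usr/,}lib…` prefix, as its other uses in this diff assume (`@{lib}/systemd/systemd-udevd`), the second path becomes `/snap/snapd/usr/lib/snapd/snapd`, while the re-exec'd binary lives under a revision directory — the layout this set itself uses in sudo's `/snap/snapd/@{int}/usr/bin/snap rPx,` — so the profile would no longer attach to the re-exec'd copy. `@{exec_path} = @{lib}/snapd/snapd /snap/snapd/@{int}@{lib}/snapd/snapd` keeps the revision component. The assignment sits before the profile block, whose header is in the hunk's trailing context.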
@@ -51,12 +51,11 @@ profile sudo @{exec_path} { @{exec_path} mr, - @{lib}/sudo/** mr, - @{bin}/{,b,d,rb}ash rUx, @{bin}/{c,k,tc,z}sh rUx, - @{lib}/cockpit/cockpit-askpass rPx, - @{lib}/molly-guard/molly-guard rPx, + + @{lib}/** rPUx, + @{lib}/sudo/** mr, /snap/snapd/@{int}/usr/bin/snap rPx, @{etc_ro}/environment r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 15980a19..d3ae841d 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -58,6 +58,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, + /usr/share/pci.ids r, /usr/share/virt-manager/{,**} r, /usr/share/virtio/{,*} r, /var/lib/usbutils/*.ids r, diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index c6224b77..0aadf7a6 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -16,8 +16,8 @@ profile xclip @{exec_path} { @{exec_path} mr, - # Mutt owner /tmp/mutt-* rw, + owner /tmp/xauth_@{rand6} r, owner @{HOME}/.Xauthority r,
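Review bot: `@{lib}/** rPUx,` in the sudo hunk replaces the two explicit `rPx` transitions (cockpit-askpass, molly-guard) with a rule that lets sudo execute anything under `@{lib}`, falling back to unconfined wherever no profile exists, and it carries no comment explaining the widening. Since the shells already transition `rUx`, the marginal exposure is limited, but the profile loses its record of which helpers sudo is expected to launch; at minimum note the reason, e.g. `@{lib}/** rPUx, # helpers such as cockpit-askpass and molly-guard, no fixed list`, or restrict the glob to the directories actually observed. The explicit `rPx` lines cannot simply be kept alongside the glob, since overlapping rules with different exec transitions are rejected by the parser. The profile block starts and ends outside the hunk.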