diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 0a9df102..26efae51 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -47,14 +47,16 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/+pci:* r,
   @{run}/udev/data/+platform* r,
   @{run}/udev/data/+scsi:* r,
+  @{run}/udev/data/+sdio:* r,
   @{run}/udev/data/+usb-serial:* r,
   @{run}/udev/data/+usb:* r,
   @{run}/udev/data/+virtio:* r,
-  @{run}/udev/data/+sdio:* r,
+  @{run}/udev/data/c1:[0-9]* r,
   @{run}/udev/data/c10:224 r, # for /dev/tpm0
   @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
   @{run}/udev/data/c23[0-9]:[0-9]* r,
   @{run}/udev/data/c24[0-9]:[0-9]* r,
+  @{run}/udev/data/c4:[0-9]* r,
   @{sys}/devices/**/uevent r,
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs
index dd6751c7..2144f299 100644
--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@@ -9,7 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/systemd/systemd-makefs
 profile systemd-makefs @{exec_path} {
   include
-  include
+  include
   include
   capability net_admin,
diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs
index 00c7c193..c79af21c 100644
--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@@ -31,5 +31,9 @@ profile mount-zfs @{exec_path} flags=(complain) {
   umount /,
   umount /*/,
+  @{PROC}/@{pids}/mounts r,
+
+  /dev/zfs rw,
+
   include if exists
 }
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index f3a048c4..4254d9bb 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
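Review bot: The new `c1:[0-9]*` and `c4:[0-9]*` rules in the systemd-journald hunk carry no `# for /dev/...` annotation, unlike the neighbouring `c10:224` and `c189:` lines, so the next reader has to look up the char majors to see which device class is being admitted. Char major 1 is the memory-device class (`/dev/null`, `/dev/zero`, `/dev/random`, `/dev/kmsg`, ...) and major 4 the virtual consoles and serial ttys, presumably what journald's device enumeration touches; I'd write `@{run}/udev/data/c1:[0-9]* r, # for /dev/{null,zero,random,kmsg,...}` and `@{run}/udev/data/c4:[0-9]* r, # for /dev/tty*`. Worth knowing that the glob is one digit followed by `*`, so each rule is a prefix match over the whole minor range, not a single device — acceptable for a read of the udev database, but it should be a deliberate choice. The profile body continues outside the hunk.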
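Review bot: `@{PROC}/@{pids}/mounts r,` in the mount-zfs hunk grants read access to every process's mount table, but if the helper only reads its own (typically through `/proc/self/mounts`, which resolves to its own pid) the narrower `@{PROC}/@{pid}/mounts r,` is sufficient; I would keep `@{pids}` only if the audit log actually shows it opening another pid's file. `/dev/zfs rw,` is the ZFS control node the tool needs to reach the kernel module, so that rule looks right as written. Since the profile is still `flags=(complain)`, an over-wide rule here produces no denial to notice later, so it is better to tighten it now than after the flag is dropped. The profile's opening lines are outside the hunk.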
@@ -79,6 +79,7 @@ profile run-parts @{exec_path} {
   /etc/network/if-up.d/ethtool rPUx,
   /etc/network/if-up.d/ifenslave rPUx,
   /etc/network/if-up.d/openvpn rPUx,
+  /etc/network/if-up.d/postfix rPUx,
   /etc/network/if-up.d/wpasupplicant rPUx,
   # Motd
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index d1877ade..1460d0f0 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -13,6 +13,7 @@ profile sudo @{exec_path} {
   include
   include
   include
+  include
   include
   include
   # include
@@ -32,9 +33,13 @@ profile sudo @{exec_path} {
   ptrace (read),
-  # signal,
   signal (send) set=(cont,hup) peer=su,
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=CreateSession
+       peer=(name=org.freedesktop.login[0-9]),
+
   @{exec_path} mr,
   /run/ r,
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index 7aef7a99..bb1cfc9e 100644
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -29,6 +29,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
   @{run}/udev/data/+drm:* r,
+  @{run}/udev/data/+pci:* r,
   @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 74304f9a..552227bc 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -14,6 +14,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
+  include
   capability chown,
   capability dac_override,
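Review bot: The new dbus rule in the sudo hunk matches `login[0-9]` in the path, interface and peer name, which admits `login0` through `login9` rather than only the `org.freedesktop.login1` service; if that spelling is the repository's convention it is fine, otherwise `login1` is the exact match and costs nothing. The peer is also pinned by name alone, and AppArmor dbus rules accept `peer=(name=..., label=...)`, so if logind is confined in this tree adding its profile label would be a cheap defence-in-depth restriction — hedged on whether the tree actually labels logind. `member=CreateSession` is presumably the pam_systemd session setup sudo triggers, so the member scope itself looks right. The enclosing profile continues outside the hunk on both sides.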