diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
index 6ee3699b..cd15e619 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@@ -14,7 +14,12 @@
 dbus send bus=system path=/org/freedesktop/RealtimeKit1
 interface=org.freedesktop.RealtimeKit1
- member=MakeThread*
- peer=(name="{:*,org.freedesktop.RealtimeKit1}", label=rtkit-daemon),
+ member={MakeThreadRealtime,MakeThreadHighPriority}
+ peer=(name=:*, label=rtkit-daemon),
+
+ dbus send bus=system path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.RealtimeKit1
+ member={MakeThreadRealtime,MakeThreadHighPriority}
+ peer=(name=org.freedesktop.RealtimeKit1),
 include if exists
diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor
index 9e930cf8..45ec3227 100644
--- a/apparmor.d/groups/freedesktop/dconf-editor
+++ b/apparmor.d/groups/freedesktop/dconf-editor
@@ -16,6 +16,8 @@ profile dconf-editor @{exec_path} {
 @{exec_path} mr,
+ @{open_path} rPx -> child-open-help,
+ # When GSETTINGS_BACKEND=keyfile
 owner @{user_config_dirs}/glib-2.0/ rw,
 owner @{user_config_dirs}/glib-2.0/settings/ rw,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 476c10b7..a68b6faf 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
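Review bot: The second added `dbus send` rule carries no peer `label=`, so `peer=(name=org.freedesktop.RealtimeKit1)` is satisfied by whichever process currently owns that well-known name, whereas the first added rule is pinned to `label=rtkit-daemon`. If the label is omitted on purpose, record the reason next to the rule instead of leaving it implicit: the pulseaudio profile changed in this same commit at least had `# No label in rule` above its equivalent unlabelled RealtimeKit rule, and that comment is deleted there without resurfacing here, so a line such as `# No peer label: <reason the label cannot be matched here>` would preserve the rationale. Apart from the stripped `include if exists` target the abstraction's changed block is fully visible in the hunk.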
@@ -62,22 +62,11 @@ profile pulseaudio @{exec_path} {
 member=GetManagedObjects
 peer=(name=org.bluez),
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
-
 dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
 interface=org.freedesktop.Avahi.ServiceResolver
 member={Found,Free}
 peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
- # No label in rule
- dbus send bus=system path=/org/freedesktop/RealtimeKit@{int}
- interface=org.freedesktop.RealtimeKit@{int}
- member=MakeThreadHighPriority
- peer=(name=org.freedesktop.RealtimeKit@{int}),
-
 @{exec_path} mrix,
 @{lib}/pulse/gsettings-helper rix,
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index cdd9b830..e41f2e79 100644
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -34,6 +34,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
 owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required
index 43c96e87..83972995 100644
--- a/apparmor.d/groups/ubuntu/notify-reboot-required
+++ b/apparmor.d/groups/ubuntu/notify-reboot-required
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /usr/share/update-notifier/notify-reboot-required
+@{exec_path} = /usr/share/{update,reboot}-notifier/notify-reboot-required
 profile notify-reboot-required @{exec_path} {
 include
 include
@@ -17,7 +17,7 @@ profile notify-reboot-required @{exec_path} {
 @{bin}/gettext rix,
 @{bin}/snap rPUx,
- /usr/share/update-notifier/notify-reboot-required r,
+ /usr/share/{update,reboot}-notifier/notify-reboot-required r,
 @{run}/reboot-required rw,
 @{run}/reboot-required.pkgs rw,
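Review bot: The RealtimeKit rule removed at the end of this hunk has no replacement on the new side; its natural successor is the `abstractions/bus/org.freedesktop.RealtimeKit1` rewritten in this same commit, but that only takes effect if the pulseaudio profile includes that abstraction, and no such include is added anywhere in this diff. Please confirm the include already exists outside the hunk (the profile body continues beyond it in both directions); otherwise pulseaudio's `MakeThreadHighPriority` calls will start being denied. The Avahi `Ping` rule is dropped as well; if the zeroconf module still pings `org.freedesktop.Avahi`, that will surface as a new denial.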
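Review bot: The read rule in the second notify-reboot-required hunk (`/usr/share/{update,reboot}-notifier/notify-reboot-required r,`) restates the path the first hunk assigns to `@{exec_path}`, so the two copies have to be kept in sync by hand; `@{exec_path} r,` says the same thing once. If the profile already has an `@{exec_path} mr,` rule outside these hunks, as apparmor.d profiles usually do, the explicit read rule is redundant and can simply be dropped. The profile body continues outside both hunks.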
diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop
index 7fec2d04..653895c5 100644
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@@ -15,6 +15,9 @@ include
 profile element-desktop @{exec_path} {
 include
 include
+ include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index fa21ed79..fdaf80dc 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -12,7 +12,9 @@ profile evince @{exec_path} {
 include
 include
 include
+ include
 include
+ include
 include
 include
 include
@@ -26,7 +28,9 @@ profile evince @{exec_path} {
 deny network inet,
 deny network inet6,
- #aa:dbus own bus=session name=org.gnome.evince.Daemon
+ #aa:dbus own bus=session name=org.gnome.evince
+
+ #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys
 dbus send bus=session path=/org/gtk/vfs/metadata
 interface=org.gtk.vfs.Metadata
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index cd665a11..416e64e3 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -24,7 +24,7 @@ profile syncthing @{exec_path} {
 @{open_path} rPx -> child-open,
 @{bin}/ip rix,
- /usr/share/mime/{,*} r,
+ /usr/share/mime/{,**} r,
 /etc/mime.types r,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index f6bd81aa..4529c2c5 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -101,8 +101,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{MOUNTS}/*/ rw,
 @{run}/ r,
- @{run}/mount/utab{,.*} rw,
- @{run}/mount/utab.lock rwk,
+ @{run}/mount/utab{,.*} rwk,
 @{run}/udisks2/{,**} rw,
 @{run}/systemd/seats/seat@{int} r,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc
index c65d03cf..50873b49 100644
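Review bot: Renaming the `#aa:dbus own` directive in the second evince hunk from `org.gnome.evince.Daemon` to `org.gnome.evince` drops the `.Daemon` name unless the directive's expansion also covers names beneath the one given; that name is presumably what the evince daemon process binds, so its registration would then be denied. Confirm the generated `dbus bind` rule matches `org.gnome.evince.Daemon` as well, or keep a second line `#aa:dbus own bus=session name=org.gnome.evince.Daemon`. The profile body continues outside the hunk.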
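Review bot: Folding the lock rule into `@{run}/mount/utab{,.*} rwk,` in the udisksd hunk grants `k` on `utab` itself and on every `utab.*` file, where the old pair confined locking to `utab.lock`. If libmount only flocks the lock file, the previous two rules (`@{run}/mount/utab{,.*} rw,` and `@{run}/mount/utab.lock rwk,`) keep the grant minimal; if it really locks other `utab.*` files, a short comment saying so would justify the wider rule. The profile body continues outside the hunk.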
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@@ -15,6 +15,9 @@ profile vlc @{exec_path} {
 include
 include
 include
+ include
+ include
+ include
 include
 include
 include
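Review bot: The three `include` lines added here have lost their `<…>` targets in this rendering, so what they pull in cannot be checked from the diff; that matters because the next hunk of this file deletes vlc's explicit `org.kde.StatusNotifierItem-*` bind, the `/StatusNotifierWatcher` and `/StatusNotifierItem` rules and the `com.canonical.dbusmenu` rules on `/MenuBar`, replacing them only with two `#aa:dbus` directives for MPRIS. Unless one of these new includes covers the StatusNotifier and dbusmenu traffic, tray-icon registration will be denied under the new profile. The replacement `#aa:dbus talk ... name=org.mpris.MediaPlayer2.Player label=unconfined` also looks like it names the MPRIS interface rather than a bus name, and `label=unconfined` admits any unconfined peer; check that is the intended expansion and audience.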
@@ -32,54 +35,8 @@ profile vlc @{exec_path} {
 network inet6 stream,
 network netlink raw,
- dbus bind bus=session name=org.kde.StatusNotifierItem-*,
-
- dbus bind bus=session name=org.mpris.MediaPlayer2.vlc*,
- dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
- interface=org.freedesktop.DBus.Properties
- peer=(name="{org.freedesktop.DBus,:*}"), # all members
- dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
- interface=org.mpris.MediaPlayer2.*
- peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=org.kde.StatusNotifierWatcher),
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Properties
- member={Get,RegisterStatusNotifierItem}
- peer=(name=org.kde.StatusNotifierWatcher),
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.kde.StatusNotifierWatcher
- member=RegisterStatusNotifierItem
- peer=(name=org.kde.StatusNotifierWatcher),
-
- dbus send bus=session path=/StatusNotifierItem
- interface=org.kde.StatusNotifierItem
- member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}
- peer=(name=org.freedesktop.DBus),
-
- dbus receive bus=session path=/StatusNotifierItem
- interface=org.kde.StatusNotifierItem
- member=Activate
- peer=(name=:*),
-
- dbus receive bus=session path=/StatusNotifierItem
- interface=org.freedesktop.DBus.Properties
- member={Get,GetAll}
- peer=(name=:*),
-
- dbus send bus=session path=/MenuBar
- interface=com.canonical.dbusmenu
- member={LayoutUpdated,ItemsPropertiesUpdated}
- peer=(name=org.freedesktop.DBus),
-
- dbus (send receive) bus=session path=/MenuBar
- interface=com.canonical.dbusmenu
- peer=(name=:*),
+ #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc
+ #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined
 @{exec_path} mrix,