From 44aca3ba51f8f4de849aa55cd41afbf460adf9f5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Dec 2021 12:41:50 +0000 Subject: [PATCH] Profiles update. --- apparmor.d/abstractions/python.d/complete | 3 -- apparmor.d/groups/browsers/firefox | 3 +- apparmor.d/groups/desktop/xwayland | 17 ++++--- .../groups/gnome/evolution-alarm-notify | 1 + apparmor.d/groups/gnome/gdm | 3 +- apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/gnome/gdm-wayland-session | 2 + apparmor.d/groups/gnome/gdm-x-session | 7 +-- apparmor.d/groups/gnome/gdm-xsession | 1 + apparmor.d/groups/gnome/gnome-control-center | 2 + .../gnome/gnome-control-center-print-renderer | 4 +- apparmor.d/groups/gnome/gnome-shell | 15 ++++-- apparmor.d/groups/gnome/gsd-color | 1 + apparmor.d/groups/gnome/gsd-keyboard | 1 + apparmor.d/groups/pacman/pacman | 4 +- apparmor.d/groups/pacman/pacman-hook-dkms | 6 ++- apparmor.d/groups/systemd/bootctl | 2 + apparmor.d/groups/systemd/systemd-sleep | 9 ++++ apparmor.d/groups/systemd/systemd-udevd | 3 +- apparmor.d/profiles-a-f/dig | 4 ++ apparmor.d/profiles-g-l/ip | 9 +--- apparmor.d/profiles-m-r/pass-import | 2 + apparmor.d/profiles-s-z/udisksd | 49 +++++++------------ apparmor.d/profiles-s-z/xdg-icon-resource | 4 +- 24 files changed, 88 insertions(+), 65 deletions(-) diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index a0387ee2..d645981d 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -11,6 +11,3 @@ owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r, - - # Silencer - /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 1965fd09..ab99d403 100644 --- a/apparmor.d/groups/browsers/firefox 
+++ b/apparmor.d/groups/browsers/firefox @@ -25,8 +25,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include - include include + include include include include @@ -138,6 +138,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/comm r, deny owner @{PROC}/@{pid}/stat r, deny owner @{PROC}/@{pids}/cmdline r, deny owner @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/groups/desktop/xwayland b/apparmor.d/groups/desktop/xwayland index 14464a55..3d61315a 100644 --- a/apparmor.d/groups/desktop/xwayland +++ b/apparmor.d/groups/desktop/xwayland @@ -13,6 +13,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { include include include + include + include signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, @@ -22,20 +24,19 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/xkbcomp rPx, - /usr/share/glvnd/egl_vendor.d/{,*.json} r, + /usr/share/egl/{,**} r, /usr/share/X11/xkb/rules/evdev r, - # TMP files owner /tmp/server-[0-9]*.xkm rwk, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, + + @{sys}/bus/pci/devices/ r, + + owner @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pids}/comm r, - # Display Xserver on a specific TTY /dev/tty[0-9]* rw, /dev/tty rw, - # Needed for Mutter - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, - - owner @{PROC}/@{pids}/cmdline r, - include if exists } diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 0d1dda4b..c4a98be1 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/evolution-data-server/evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include + include include include include 
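Review bot: The character class in the new `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,` line reads `A-z` where `A-Z` is clearly meant; in ASCII that range also takes in the six punctuation characters between `Z` and `a`. The practical effect is small because the trailing `*` is unrestricted anyway, so this is a readability fix: `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-Z0-9]* rw,`. The same `[a-zA-z0-9]` appears in the faillock rule of gdm-session-worker (a context line later in this patch) and could be corrected in the same pass.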
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index adf65127..aa5734d8 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/gdm -profile gdm @{exec_path} { +profile gdm @{exec_path} flags=(attach_disconnected) { include include include @@ -36,6 +36,7 @@ profile gdm @{exec_path} { /var/{lib,log}/gdm/ rw, @{run}/gdm/ rw, + @{run}/gdm/custom.conf r, @{run}/gdm/gdm.pid rw, @{run}/gdm/greeter/ rw, @{run}/systemd/seats/seat[0-9]* r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 0de67d75..b57a4a7f 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -55,6 +55,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, @{run}/faillock/[a-zA-z0-9]* rwk, + @{run}/gdm/custom.conf r, @{run}/systemd/sessions/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index a55a11fb..e8a316e5 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -39,6 +39,8 @@ profile gdm-wayland-session @{exec_path} { /usr/share/gdm/gdm.schemas r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{run}/gdm/custom.conf r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index be8662f8..5ade8675 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session 
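Review bot: `profile gdm @{exec_path} flags=(attach_disconnected) {` adds the flag without a comment recording which disconnected-path denial it resolves. attach_disconnected attaches paths outside the profile's namespace to the namespace root, so path rules can match more than the author intended, and a one-line `# attach_disconnected: needed for <operation from the audit entry>` lets later reviewers re-check whether the flag is still required. The profile body continues outside the hunk.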
@@ -19,9 +19,10 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /etc/gdm/custom.conf r, /usr/share/gdm/gdm.schemas r, /var/lib/gdm/.cache/gdm/Xauthority rw, - - @{run}/user/@{uid}/gdm/ w, - @{run}/user/@{uid}/gdm/Xauthority rw, + + owner @{run}/user/@{uid}/gdm/ w, + owner @{run}/user/@{uid}/gdm/Xauthority rw, + @{run}/gdm/custom.conf r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 5abf933f..3049f6b1 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -27,6 +27,7 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/xhost rPx, /{usr/,}lib/gnome-session-binary rPx, + /{usr/,}bin/flatpak rPUx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/X11/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c7f6af99..8464c30b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -15,6 +15,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -98,6 +99,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 5770cb83..95a07b2e 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -11,8 +11,9 @@ profile gnome-control-center-print-renderer @{exec_path} { include include include - include include + include + include @{exec_path} mr, 
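Review bot: `/{usr/,}bin/flatpak rPUx,` in gdm-xsession falls back to running flatpak unconfined whenever no `flatpak` profile is loaded, which is a wide transition from a session-startup helper. If the profile set ships a flatpak profile, `/{usr/,}bin/flatpak rPx,` keeps the transition confined; if it does not, a comment stating that the unconfined fallback is deliberate would help the next reader. The line is also placed after the `/{usr/,}lib/gnome-session-binary` entry, out of the sorted order the surrounding `/{usr/,}bin/` rules follow. The profile body continues outside the hunk.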
@@ -32,6 +33,7 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{run}/user/@{uid}/dconf/user rw, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 143d8660..03423757 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -16,8 +16,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include + include capability sys_nice, capability sys_ptrace, @@ -41,6 +43,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/backgrounds/{,**} r, /usr/share/desktop-directories/{,*.directory} r, + /usr/share/egl/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -65,8 +68,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.local/share/gnome-shell/ rw, /var/lib/gdm/.local/share/applications/{,**} r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, + owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/.goutputstream{,*} rw, owner @{user_config_dirs}/ibus/* r, 
@@ -139,11 +143,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r, @{sys}/devices/pci[0-9]*/**/drm/ r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/net/* r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 0a5ef96c..d923d5c2 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -10,6 +10,7 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index ab21da78..7ec0fd7c 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,6 +10,7 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 4dafe0d4..c11ddd4f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -21,6 +21,7 @@ profile pacman @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability mknod, capability net_admin, capability setfcap, capability setgid, 
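Review bot: `capability mknod,` is added to pacman without a comment saying which operation needed it, and the same grant is added in the pacman-hook-dkms and bootctl hunks later in this patch. CAP_MKNOD lets the confined process create block and character device nodes under any path the profile allows it to write, so recording the audit entry that motivated each grant, e.g. `# mknod: needed for <operation seen in the audit log>`, keeps the grant auditable. For bootctl in particular, where a device-node creation is less obvious than for a package manager extracting archives, I would confirm the denial is reproducible before carrying the grant. The pacman profile body continues outside the hunk.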
@@ -98,7 +99,8 @@ profile pacman @{exec_path} { owner /var/lib/pacman/{,**} rwl, owner /tmp/alpm_*/{,**} rw, - owner /tmp/checkup-db-[0-9]*/sync/*.db.part rw, + owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw, + owner /tmp/checkup-db-[0-9]*/db.lck rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index a5125b31..4bc084b5 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -11,15 +11,17 @@ profile pacman-hook-dkms @{exec_path} { include capability dac_read_search, + capability mknod, unix (receive) type=stream, @{exec_path} mr, /{usr/,}bin/bash rix, - /{usr/,}bin/kmod rPx, /{usr/,}bin/dkms rPx, - + /{usr/,}bin/kmod rPx, + /{usr/,}bin/nproc rix, + /usr/src/ r, /usr/src/**.conf r, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 411f2e5d..d9f4a706 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -12,6 +12,8 @@ profile bootctl @{exec_path} { include include + capability mknod, + signal (send) peer=child-pager, ptrace (read) peer=unconfined, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 934748b8..70d6f09b 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -12,14 +12,23 @@ profile systemd-sleep @{exec_path} { include capability net_admin, + capability sys_admin, capability sys_resource, @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/nvidia-sleep.sh rix, + /{usr/,}lib/systemd/system-sleep/nvidia rix, + /etc/systemd/sleep.conf r, /etc/systemd/sleep.conf.d/{,*} r, @{sys}/power/state rw, + @{PROC}/driver/nvidia/suspend w, + + /dev/tty rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 51b36a82..4aa7d750 100644 
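Review bot: `/{usr/,}bin/nvidia-sleep.sh rix,` and `/{usr/,}lib/systemd/system-sleep/nvidia rix,` run vendor hook scripts inside the systemd-sleep profile, which in the same hunk gains `capability sys_admin,` and a shell via `/{usr/,}bin/{,ba,da}sh rix,`, so whatever those scripts do runs with the full profile including sys_admin. A transition to a small dedicated profile for the nvidia sleep hook (`rPx`) would bound it to the files and devices it actually needs; if inheriting is kept on purpose, a comment saying so would help. The hunk also adds `@{PROC}/driver/nvidia/suspend w,` and `/dev/tty rw,` with no note on which hook needs them.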
--- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -92,6 +92,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, + @{PROC}/devices r, @{PROC}/sys/kernel/random/boot_id r, # file_inherit diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 7fe72a44..a9e9b287 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,6 +13,9 @@ profile dig @{exec_path} { include include + capability dac_override, + capability dac_read_search, + network inet dgram, network inet6 dgram, network inet stream, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 0051de43..ffd68bd2 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -1,23 +1,18 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# When "ip netns" is issued, the following error will be printed: -# "Failed name lookup - disconnected path" error=-13 profile="ip" name="". @{exec_path} = /{usr/,}bin/ip profile ip @{exec_path} flags=(attach_disconnected) { include - # To be able to manage network interfaces. capability net_admin, - - # Needed? - #capability sys_admin, - audit deny capability sys_module, + capability sys_module, network netlink raw, 
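Review bot: `capability dac_override,` and `capability dac_read_search,` let dig, when run as root, bypass permission checks on every file its profile allows, and the hunk gives no hint which read prompted them; for the usual unprivileged invocation they have no effect at all. If the trigger is one specific file, adding that path as a read rule is the narrower fix; if the capabilities are really needed, a comment naming the denial, e.g. `# dac_read_search: needed for <the denied read>`, keeps the grant reviewable. The profile body continues outside the hunk.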
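Review bot: Replacing `audit deny capability sys_module,` with `capability sys_module,` grants the ip profile the ability to load kernel modules, a large privilege expansion that the commit does not justify. In my experience the sys_module denial logged for ip comes from the kernel checking whether the caller may autoload a module for an unknown interface name, and the command completes without it; `deny capability sys_module,` keeps that behaviour and silences the log entry without the grant. The hunk also drops the comment explaining why `flags=(attach_disconnected)` is set (the `ip netns` disconnected-path error); keeping it would save the next reader a search.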
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 687be974..479ec147 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -22,6 +22,8 @@ profile pass-import @{exec_path} { /{usr/,}bin/python3.[0-9]* rix, /{usr/,}lib/gcc/**/collect2 rix, + /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w, + /usr/share/file/misc/magic.mgc r, owner @{HOME}/.password-store/{,**} rw, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 91b0c40c..f3fcee46 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,22 +11,16 @@ include @{exec_path} += @{libexec}/udisks2/udisksd profile udisksd @{exec_path} flags=(attach_disconnected) { include - include include - - # To remove the following errors: - # udisksd[]: Error probing device: Error sending ATA command IDENTIFY DEVICE to '/dev/sda': - # SGIO v3 ioctl failed (v4 not supported): Operation not permitted (g-io-error-quark, 14) - capability sys_rawio, - - # To allow users to mount volumes - # Error mounting /dev/sd*: GDBus.Error:org.freedesktop.UDisks2.Error.Failed: - # Error mounting /dev/sd* at /media/*/*: Operation not permitted. - capability sys_admin, + include capability chown, - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability sys_admin, + capability sys_rawio, + capability setuid, + capability setgid, # Needed? deny capability sys_nice, 
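Review bot: `/{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,` gives pass-import write access to the whole system Python library tree, which a password-import tool should not need. The rule it replaces in abstractions/python.d/complete, removed earlier in this patch, carried a `# Silencer` label but was likewise an allow; if, as that label suggests, the aim is only to quiet write attempts such as bytecode-cache updates rather than permit them, a quiet deny on that subtree does it without the grant: `deny /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/**/__pycache__/** w,`. Either way a comment stating the write that was observed would help. The profile body continues outside the hunk.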
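Review bot: The reordered capability list in udisksd drops the comments that explained why `capability sys_rawio,` and `capability sys_admin,` were granted, and the later hunk drops the NTFS rationale for the `setuid`/`setgid` pair, leaving seven capability grants with no recorded reason. Sorting is fine, but a one-line why-comment above each grant keeps the list auditable, e.g. `# ATA IDENTIFY DEVICE ioctl during device probing` above `capability sys_rawio,` and `# ntfs-3g mount helper` above `capability setuid,`. `capability setuid,` and `capability setgid,` also break the alphabetical order the rest of the block now follows. The profile body continues outside the hunk.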
@@ -37,28 +32,27 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/umount rix, - /{usr/,}bin/eject rPx, - /{usr/,}{s,}bin/dumpe2fs rPx, /{usr/,}{s,}bin/dmidecode rPx, - + /{usr/,}{s,}bin/dumpe2fs rPx, /{usr/,}{s,}bin/lvm rPUx, - + /{usr/,}bin/eject rPx, + /{usr/,}bin/ntfs-3g rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemd-escape rPx, # Allow mounting of removable devices - mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/*/, # Allow mounting of loop devices (ISO files) - mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]* -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, # Allow mounting of cdrom - mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/loop[0-9]* -> /media/cdrom[0-9]/, - mount fstype={iso9660,udf} /dev/sr[0-9]* -> /media/cdrom[0-9]/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, + mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, # Allow mounting od sd cards - mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/*/, + mount 
fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/, # Allow unmounting umount @{MOUNTS}/*/, umount @{MOUNTS}/*/*/, @@ -73,11 +67,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /etc/udisks2/ r, /etc/udisks2/udisks2.conf r, - # For mounting NTFS disks - capability setuid, - capability setgid, - /{usr/,}bin/ntfs-3g rPx, - /etc/libblockdev/conf.d/ r, /etc/libblockdev/conf.d/[0-9][0-9]-default.cfg r, diff --git a/apparmor.d/profiles-s-z/xdg-icon-resource b/apparmor.d/profiles-s-z/xdg-icon-resource index a1620d2b..f43ca2da 100644 --- a/apparmor.d/profiles-s-z/xdg-icon-resource +++ b/apparmor.d/profiles-s-z/xdg-icon-resource @@ -28,10 +28,10 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { /{usr/,}bin/gtk-update-icon-cache rPx, + /usr/share/**/icons/**.png r, /usr/share/icons/**.png rw, /usr/share/icons/*/.xdg-icon-resource-dummy rw, - - /usr/share/**/icons/**.png r, + /usr/share/terminfo/x/xterm-256color r, owner /tmp/.com.google.Chrome.*/chrome-*.png r,