diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 12eea120..50cbab8a 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 @@ -4,7 +4,7 @@ dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged},Set + member={GetAll,PropertiesChanged} peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap index b470033f..cf3ea112 100644 --- a/apparmor.d/groups/_full/bwrap +++ b/apparmor.d/groups/_full/bwrap @@ -14,7 +14,6 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include capability dac_override, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index f5291bb1..df733b16 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -21,7 +21,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/file rix, @{bin}/head rix, - @{bin}/kbuildsycoca5 rPx, @{bin}/mv rix, @{bin}/readlink rix, @{bin}/realpath rix, @@ -31,9 +30,10 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/which{,.debianutils} rix, @{bin}/gio rPx, + @{bin}/kbuildsycoca5 rPx, + @{bin}/ktraderclient5 rPUx, @{bin}/mimetype rPx, @{bin}/xprop rPx, - @{bin}/ktraderclient5 rPUx, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 5ba9ef54..7e12ac04 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper 
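Review bot: With `,Set` dropped, the surviving member list `{GetAll,PropertiesChanged}` on a `dbus send` rule still names `PropertiesChanged`, which is a signal wpa_supplicant emits and which a client abstraction would normally match with a `dbus receive` rule (unless this file is also meant to be included by the wpa_supplicant profile itself, which is not visible here). If `Set` was genuinely needed for property writes it belongs inside the braces, `member={GetAll,PropertiesChanged,Set}`, rather than being removed; the old text reads like a brace typo, so the commit should say which of the two it intends. Consider splitting into `dbus send ... member=GetAll` and `dbus receive ... member=PropertiesChanged` with the same `peer=(name=:*, label=wpa-supplicant)` so the direction of each member is explicit.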
@@ -13,12 +13,12 @@ profile kauth-kded-smart-helper @{exec_path} { include include - # dbus: own bus=system name=org.kde.kded.smart + #aa:dbus own bus=system name=org.kde.kded.smart dbus send bus=system path=/ - interface=org.kde.kf5auth - member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded5), + interface=org.kde.kf5auth + member=remoteSignal + peer=(name=org.freedesktop.DBus, label=kded5), @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kbuildsycoca5 b/apparmor.d/groups/kde/kbuildsycoca5 index 8173be58..09a8c945 100644 --- a/apparmor.d/groups/kde/kbuildsycoca5 +++ b/apparmor.d/groups/kde/kbuildsycoca5 @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Jeroen Rijken +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,20 +10,13 @@ include @{exec_path} = @{bin}/kbuildsycoca5 profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, - /usr/share/applications/kde-mimeapps.list r, - /usr/share/mime/mime.cache r, - /usr/share/mime/types r, - /var/lib/flatpak/exports/share/mime/types r, - - owner @{user_cache_dirs}/ksycoca5_* l -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksycoca5_* rw, - owner @{user_config_dirs}/mimeapps.list r, - owner @{user_share_dirs}/applications/mimeapps.list r, - owner @{user_share_dirs}/mime/types r, + link owner @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int}, /dev/tty r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index d9cfaf0f..7c675c11 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -15,7 +15,6 @@ profile kded @{exec_path} { include include include - include include include include 
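Review bot: In the kbuildsycoca5 hunk, the rewritten `link owner @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int},` only covers creating the final name; nothing in this hunk grants `rw` on the `@{user_cache_dirs}/#@{int}` file that is the link target, whereas the startplasma profile in this same commit keeps `owner @{user_cache_dirs}/#@{int} rwk,` next to its equivalent rule, so unless that access comes from elsewhere in the profile or from the added include the cache write step will be denied. The five explicit reads (`@{user_config_dirs}/mimeapps.list`, `/var/lib/flatpak/exports/share/mime/types`, etc.) were dropped in favour of an include whose name is not visible in this excerpt; worth confirming that include really covers those paths before relying on it. A one-line comment above the link rule, e.g. `# cache is presumably written to an anonymous #N file and then linked into place`, would explain the `#@{int}` pattern to the next reader. The profile continues outside the hunk.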
@@ -34,40 +33,9 @@ profile kded @{exec_path} { signal (send) set=hup peer=xsettingsd, - # dbus: own bus=system name=com.redhat.NewPrinterNotification - - dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent - interface=org.freedesktop.NetworkManager.SecretAgent - member={GetSecrets,CancelGetSecrets} - peer=(label=NetworkManager), - - dbus receive bus=system path=/org/freedesktop/NetworkManager/AccessPoint/@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(label=NetworkManager), - - dbus receive bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} - interface=org.freedesktop.DBus.Properties - member={PropertiesChanged,AccessPointAdded,AccessPointRemoved} - peer=(label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - peer=(label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - peer=(label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/bolt - interface=org.freedesktop.bolt1.Manager - member=ListDevices - peer=(name="{:*,org.freedesktop.bolt}", label=boltd), - - dbus send bus=system path=/org/freedesktop/bolt{,/**} - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name="{:*,org.freedesktop.bolt}", label=boltd), + #aa:dbus own bus=system name=com.redhat.NewPrinterNotification + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd dbus receive bus=system path=/ interface=org.kde.kf5auth diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 403c7eb5..f3456eec 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
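Review bot: The two `#aa:dbus talk` directives are much broader than the rules they replace: the removed rules were scoped to specific members (`GetSecrets`/`CancelGetSecrets` on the SecretAgent path, `ListDevices` and `Get` for bolt), while a talk directive presumably expands to send and receive on every path, interface and member under `org.freedesktop.NetworkManager` and `org.freedesktop.bolt`. kded hosts arbitrary kded modules and here acts as the NetworkManager secret agent, so if the generated rule is unrestricted any module could now call NetworkManager or boltd methods (connection changes, device enrollment) that the old profile did not allow, and the profile no longer records that only the agent paths were intended. If the widening is deliberate it deserves a comment such as `# kded modules (plasma-nm, bolt kcm) need the full NM/bolt API`; otherwise keep the member-scoped rules and use the directive only for the owned name. The enclosing profile continues past this hunk.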
@@ -46,8 +46,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/ r, @{lib}/libheif/{,**} mr, - @{lib}/kf5/kdesu{,d} rix, - @{bin}/dolphin rPUx, # TODO: rPx, + + @{bin}/dolphin rPx, @{bin}/ksysguardd rix, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 55896c8c..181e4c60 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -58,21 +58,20 @@ profile sddm-xsession @{exec_path} { #@{bin}/openbox-session rPx, #@{bin}/openbox rPx, + @{system_share_dirs}/im-config/data/{,*} r, + @{system_share_dirs}/im-config/xinputrc.common r, + /etc/default/{,*} r, /etc/X11/{,**} r, owner @{HOME}/.xinputrc r, owner @{HOME}/.xsession-errors rw, - @{HOME}/tmp.* rw, - - @{system_share_dirs}/im-config/data/{,*} r, - @{system_share_dirs}/im-config/xinputrc.common r, owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{tmp}/xsess-env-* rw, owner @{tmp}/file* rw, - owner @{tmp}/tmp.* rw, + audit owner @{tmp}/tmp.* rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 7c11a414..1010c0a4 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -18,10 +18,7 @@ profile startplasma @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/env rix, - - @{bin}/{,ba,da}sh rix, + @{sh_path} rix, @{bin}/env rix, @{bin}/grep rix, @{bin}/kapplymousetheme rPUx, @@ -47,9 +44,6 @@ profile startplasma @{exec_path} { /var/lib/flatpak/exports/share/mime/ r, - @{HOME}/ r, - @{HOME}/.xsession-errors w, - @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 478dabbd..1af32ce8 100644 --- a/apparmor.d/groups/kde/systemsettings 
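Review bot: In the sddm-xsession hunk, `audit owner @{tmp}/tmp.* rw,` logs every access to the mktemp glob but still grants it, and the neighbouring `owner @{tmp}/file* rw,` is equally broad and not audited; a comment stating why the audit is there would help the next reader, e.g. `# audit: broad mktemp glob, log real paths before narrowing`. Dropping the unqualified `@{HOME}/tmp.* rw,` is a real tightening since it matched other users' files; if the session script still creates `tmp.*` under `@{HOME}` the denial will now show in the log, which seems the right trade-off. The enclosing profile continues outside the hunk.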
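Review bot: In the second startplasma hunk, the context line `@{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},` is not `owner`-qualified while the sibling `owner @{user_cache_dirs}/#@{int} rwk,` directly below it is, and the kbuildsycoca5 profile in this same commit uses `owner` for the same cache files; since this hunk already trims the surrounding rules it is a natural place to align it: `owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},`. Removing `@{HOME}/.xsession-errors w,` may also matter at runtime: if startplasma inherits the session's stderr pointing at that file (sddm-xsession opens it `rw` in this commit), the inherited descriptor should be revalidated against this profile on transition and writes would be denied unless an included abstraction grants it. The profile continues outside the hunk.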
+++ b/apparmor.d/groups/kde/systemsettings @@ -21,9 +21,10 @@ profile systemsettings @{exec_path} { @{bin}/kcminit rPx, - /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kcm_networkmanagement/{,**} r, + /usr/share/kcmkeys/{,*.kksrc} r, + /usr/share/kglobalaccel/* r, + /usr/share/kinfocenter/{,**} r, /usr/share/kinfocenter/{,**} r, /usr/share/kpackage/{,**} r, /usr/share/kservices{5,6}/{,**} r, @@ -31,11 +32,8 @@ profile systemsettings @{exec_path} { /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r, /usr/share/plasma/{,**} r, /usr/share/sddm/themes/{,**} r, - /usr/share/systemsettings/{,**} r, - /usr/share/kinfocenter/{,**} r, /usr/share/sddm/themes/{,**} r, - - /var/lib/flatpak/exports/share/mime/ r, + /usr/share/systemsettings/{,**} r, /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index e83223f1..dc9c76a2 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -23,9 +23,9 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.nm_dispatcher dbus send bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=NetworkManager), + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=NetworkManager), @{exec_path} mr, @@ -58,13 +58,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { /etc/NetworkManager/dispatcher.d/** rix, /etc/dhcp/dhclient-exit-hooks.d/ntp r, - # chown - / r, - /usr/share/tlp/{,**} rw, - /etc/sysconfig/network/config r, /etc/fstab r, + /etc/ntp.conf r, + /etc/sysconfig/network/config r, + + / r, @{run}/chrony-dhcp/ rw, @{run}/ntp.conf.dhcp rw, 
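Review bot: The first systemsettings hunk adds `/usr/share/kinfocenter/{,**} r,` directly above an identical context line, so the sorted block still contains that rule twice, and the second hunk leaves `/usr/share/sddm/themes/{,**} r,` present on two adjacent lines; the commit removes one stale kinfocenter duplicate but does not finish the deduplication it sets out to do. Drop the added kinfocenter line and one of the two `sddm/themes` lines so each path appears once. The widening from `/usr/share/kglobalaccel/org.kde.krunner.desktop r,` to `/usr/share/kglobalaccel/* r,` is read-only desktop metadata and harmless, but a word in the commit message would save the next reviewer the check. The profile continues outside both hunks.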
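Review bot: In the second nm-dispatcher hunk the `# chown` comment that explained `/ r,` was dropped while `/ r,` itself was only moved, leaving an unexplained root-directory read in a profile that runs as root; keep a one-line rationale above it, e.g. `# chown(1) in dispatcher scripts reads /`, or state the new reason if chown is no longer why it is there (the removed comment is the only evidence visible here). Removing `/usr/share/tlp/{,**} rw,` takes write access under /usr/share away, which is the right direction, and `/etc/ntp.conf r,` without `owner` is equivalent to the removed `owner` form for a root process. Note that the context rule `/etc/NetworkManager/dispatcher.d/** rix,` runs every installed dispatcher script inside this profile, so each grant here is effectively the union of what all of them need. The profile continues outside the hunk.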
@@ -72,7 +72,6 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify rw, @{run}/tlp/{,*} rw, owner @{run}/ntp.conf.dhcp.@{rand6} rw, - owner /etc/ntp.conf r, @{sys}/class/net/ r, diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard index ea16957a..7ceb6038 100644 --- a/apparmor.d/profiles-s-z/usbguard +++ b/apparmor.d/profiles-s-z/usbguard @@ -22,7 +22,7 @@ profile usbguard @{exec_path} { unix (send, receive, connect) type=stream peer=(label="usbguard-daemon",addr=@@{int}), - # dbus: own bus=system name=org.usbguard1 + #aa:dbus own bus=system name=org.usbguard1 @{exec_path} mr,
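Review bot: In the usbguard hunk, `#aa:dbus own bus=system name=org.usbguard1` asserts that this executable claims the `org.usbguard1` well-known name, but the `unix (send, receive, connect) ... peer=(label="usbguard-daemon", ...)` rule just above reads like the client side of the daemon's control socket, and the D-Bus name is normally held by a separate D-Bus bridge rather than by a client; worth confirming against the actual binary before the directive expands into owner rules. If this profile only needs to call the bridge, a send/`talk` form against the bridge's peer label would be the narrower choice (the label name is not verifiable from this excerpt). The old `# dbus: own` line expressed the same intent, so this is a pre-existing question the syntax migration surfaces rather than a regression.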