diff --git a/apparmor.d/apt-systemd-daily b/apparmor.d/apt-systemd-daily
index 8e597215..2a5d139a 100644
--- a/apparmor.d/apt-systemd-daily
+++ b/apparmor.d/apt-systemd-daily
@@ -14,7 +14,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
-profile apt-systemd-daily @{exec_path} flags=(complain) {
+profile apt-systemd-daily @{exec_path} {
 include
 # Needed to remove the following error:
diff --git a/apparmor.d/bluetoothctl b/apparmor.d/bluetoothctl
index f34be1b3..dfdc6e2d 100644
--- a/apparmor.d/bluetoothctl
+++ b/apparmor.d/bluetoothctl
@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-# Copyright (C) 2015-2020 Mikhail Morfikov
+# Copyright (C) 2015-2021 Mikhail Morfikov
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -21,5 +21,9 @@ profile bluetoothctl @{exec_path} {
 /etc/inputrc r,
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/.bluetoothctl_history rw,
+ owner @{HOME}/.cache/.bluetoothctl_history-@{pid}.tmp rw,
+
 include if exists
 }
diff --git a/apparmor.d/bluetoothd b/apparmor.d/bluetoothd
index 82ca2d6b..437883f2 100644
--- a/apparmor.d/bluetoothd
+++ b/apparmor.d/bluetoothd
@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-# Copyright (C) 2015-2020 Mikhail Morfikov
+# Copyright (C) 2015-2021 Mikhail Morfikov
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -24,6 +24,8 @@ profile bluetoothd @{exec_path} {
 network bluetooth raw,
 network bluetooth seqpacket,
+ network bluetooth stream,
+ network alg seqpacket,
 network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/borg b/apparmor.d/borg
index 6367b718..2616fb79 100644
--- a/apparmor.d/borg
+++ b/apparmor.d/borg
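Review bot: The `network alg seqpacket,` rule added in the bluetoothd hunk has no comment, and AF_ALG is an unusual grant for a profile reader: it is the kernel crypto API socket family, not a transport, so it does not belong to the bluetooth socket rules it is listed with. Presumably bluez needs it for in-kernel crypto during LE pairing, but that is inference; a one-line comment such as `# AF_ALG: kernel crypto API socket (presumably used by bluez for LE pairing) — confirm from audit log` above the rule would make the intent reviewable. The enclosing profile starts and ends outside the hunk.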
@@ -29,6 +29,9 @@ profile borg @{exec_path} {
 # capability fowner,
+ network inet dgram,
+ network inet6 dgram,
+
 @{exec_path} r,
 /{usr/,}bin/python3.[0-9]* r,
diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium
index e763a123..13ad3375 100644
--- a/apparmor.d/chromium-chromium
+++ b/apparmor.d/chromium-chromium
@@ -53,7 +53,7 @@ profile chromium-chromium @{exec_path} {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
- deny network netlink raw,
+ network netlink raw,
 @{exec_path} mrix,
diff --git a/apparmor.d/dbus-daemon b/apparmor.d/dbus-daemon
index fb51bf7e..aed78eac 100644
--- a/apparmor.d/dbus-daemon
+++ b/apparmor.d/dbus-daemon
@@ -27,6 +27,9 @@ profile dbus-daemon @{exec_path} {
 network netlink raw,
+ network bluetooth stream,
+ network bluetooth seqpacket,
+
 @{exec_path} mr,
 /usr/libexec/* rPUx,
diff --git a/apparmor.d/font-manager b/apparmor.d/font-manager
index e3121d29..83b69b30 100644
--- a/apparmor.d/font-manager
+++ b/apparmor.d/font-manager
@@ -75,8 +75,8 @@ profile font-manager @{exec_path} {
 /dev/dri/ r,
 include
- @{run}/user/[0-9]*/dconf/ rw,
- @{run}/user/[0-9]*/dconf/user rw,
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
 # Silencer
 owner /var/cache/fontconfig/ w,
diff --git a/apparmor.d/fuseiso b/apparmor.d/fuseiso
index 1f8b967b..a2dcda79 100644
--- a/apparmor.d/fuseiso
+++ b/apparmor.d/fuseiso
@@ -27,8 +27,8 @@ profile fuseiso @{exec_path} {
 owner @{HOME}/*/*/ rw,
 # Be able to mount ISO images
- mount fstype=fuse.fuseiso -> /home/*/*/,
- mount fstype=fuse.fuseiso -> /home/*/*/*/,
+ mount fstype=fuse.fuseiso -> @{HOME}/*/,
+ mount fstype=fuse.fuseiso -> @{HOME}/*/*/,
 # Image files to be mounted
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
diff --git a/apparmor.d/fusermount b/apparmor.d/fusermount
index 1efe12fa..2516a35a 100644
--- a/apparmor.d/fusermount
+++ b/apparmor.d/fusermount
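Review bot: The `network inet dgram,` and `network inet6 dgram,` rules added in the borg hunk carry no comment explaining why a backup tool needs UDP sockets. If the trigger was name resolution (hostname lookups for archive metadata or for a remote repository), `abstractions/nameservice` already grants these datagram sockets and documents the purpose better than bare rules; if it was something else, a comment naming the denied operation should sit above them, e.g. `# UDP for DNS lookups (see audit log entry) — or include <abstractions/nameservice>`. The profile is cut on both sides of the hunk, so whether that abstraction is already included cannot be seen here.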
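Review bot: Replacing `deny network netlink raw,` with an unqualified `network netlink raw,` in the chromium-chromium hunk reverses an explicit deny without recording why; the smplayer hunk makes the same deny-to-allow flip (`deny network inet6 stream,` → `network inet6 stream,`). Explicit `deny` rules in these profiles normally exist to silence a logged denial that was judged unnecessary, so lifting one should say what broke, e.g. `# Raw netlink needed for <observed feature>; was previously denied`. Note that the profile language does not narrow a netlink rule to a particular netlink protocol, so this grant is not limited to routing/link notifications. Both profiles continue outside the hunk.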
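Review bot: Swapping `/home/*/*/` for `@{HOME}/*/` in the fuseiso mount targets changes more than spelling: with the stock `tunables/home`, `@{HOME}` expands to every `@{HOMEDIRS}` entry plus `/root/`, so the new rules also permit mounting under root's home directory, which the old literal paths did not. The fusermount hunks making the same `/home/*/` → `@{HOME}` substitution for their mount and umount targets carry the same widening. If that is intended, a comment above the rules should say so; if not, keep a literal `/home/*/` prefix. Mount rules cannot be `owner`-qualified, so the path pattern is the only narrowing available here, and the enclosing profile continues outside the hunk.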
@@ -26,6 +26,9 @@ profile fusermount @{exec_path} {
 # fusermount: mount failed: Permission denied
 capability dac_read_search,
+ # For obexfs
+ network bluetooth stream,
+
 @{exec_path} mr,
 # Where to mount ISO files
@@ -34,9 +37,9 @@ profile fusermount @{exec_path} {
 owner @{HOME}/.cache/**/ rw,
 # Be able to mount ISO images
- mount fstype={fuse,fuse.*} -> /home/*/*/,
- mount fstype={fuse,fuse.*} -> /home/*/*/*/,
- mount fstype={fuse,fuse.*} -> /home/*/.cache/**/,
+ mount fstype={fuse,fuse.*} -> @{HOME}/*/,
+ mount fstype={fuse,fuse.*} -> @{HOME}/*/*/,
+ mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
 mount fstype={fuse,fuse.*} -> /media/*/,
 # For MTP
 mount -> /,
@@ -45,9 +48,9 @@ profile fusermount @{exec_path} {
 mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
 # Be able to unmount the ISO images
- umount /home/*/*/,
- umount /home/*/*/*/,
- umount /home/*/.cache/**/,
+ umount @{HOME}/*/,
+ umount @{HOME}/*/*/,
+ umount @{HOME}/.cache/**/,
 umount /media/*/,
 umount @{run}/user/[0-9]*/**/,
diff --git a/apparmor.d/gvfs-udisks2-volume-monitor b/apparmor.d/gvfs-udisks2-volume-monitor
index daf6708a..6ef3af94 100644
--- a/apparmor.d/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/gvfs-udisks2-volume-monitor
@@ -45,6 +45,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
 /media/*/*/ r,
 @{HOME}/*/*/ r,
 @{HOME}/*/*/**/ r,
+ @{HOME}/bluetooth/ r,
 owner @{HOME}/.local/share/mime/treemagic r,
 /usr/share/mime/treemagic r,
diff --git a/apparmor.d/gvfsd b/apparmor.d/gvfsd
index 25725a21..854c1d4e 100644
--- a/apparmor.d/gvfsd
+++ b/apparmor.d/gvfsd
@@ -40,6 +40,7 @@ profile gvfsd @{exec_path} {
 include
 include
 include
+ include
 include
 mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
diff --git a/apparmor.d/hciconfig b/apparmor.d/hciconfig
index 709624c1..3badd664 100644
--- a/apparmor.d/hciconfig
+++ b/apparmor.d/hciconfig
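Review bot: The `# For obexfs` comment above the new `network bluetooth stream,` rule in the first fusermount hunk does not say what fusermount does with a Bluetooth socket, and the setuid-root mount helper has no reason to open one itself. More plausibly the RFCOMM socket that obexfs opened is inherited across the exec into fusermount and is then checked against this profile (file_inherit), in which case the rule documents an inherited fd rather than a capability fusermount needs; `# For obexfs: Bluetooth socket fd inherited from the caller (file_inherit), not opened here — confirm` would make that distinction explicit. The profile continues before and after the hunk.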
@@ -14,11 +14,10 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/hciconfig
-profile hciconfig @{exec_path} flags=(complain) {
+profile hciconfig @{exec_path} {
 include
 capability net_raw,
- capability net_admin,
 network bluetooth raw,
diff --git a/apparmor.d/id b/apparmor.d/id
index fe06cc28..8a00008f 100644
--- a/apparmor.d/id
+++ b/apparmor.d/id
@@ -16,6 +16,7 @@ include
 @{exec_path} = /{usr/,}bin/id
 profile id @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/pulseaudio b/apparmor.d/pulseaudio
index ed35f158..48f4f0ff 100644
--- a/apparmor.d/pulseaudio
+++ b/apparmor.d/pulseaudio
@@ -29,6 +29,9 @@ profile pulseaudio @{exec_path} {
 network inet6 stream,
 network netlink raw,
+ network bluetooth stream,
+ network bluetooth seqpacket,
+
 @{exec_path} mrix,
 /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
diff --git a/apparmor.d/smplayer b/apparmor.d/smplayer
index 002d2735..266a46c2 100644
--- a/apparmor.d/smplayer
+++ b/apparmor.d/smplayer
@@ -88,7 +88,7 @@ profile smplayer @{exec_path} {
 network inet dgram,
 network inet6 dgram,
 network inet stream,
- deny network inet6 stream,
+ network inet6 stream,
 deny network netlink dgram,
 @{exec_path} mrix,
diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry
index a7e6ef46..1b88eedc 100644
--- a/apparmor.d/strawberry
+++ b/apparmor.d/strawberry
@@ -30,6 +30,7 @@ profile strawberry @{exec_path} {
 include
 include
 include
+ include
 include
 signal (send) set=(term, kill) peer=strawberry-tagreader,
diff --git a/apparmor.d/system-config-printer b/apparmor.d/system-config-printer
index 279578ea..9fe2c624 100644
--- a/apparmor.d/system-config-printer
+++ b/apparmor.d/system-config-printer
@@ -65,8 +65,8 @@ profile system-config-printer @{exec_path} flags=(complain) {
 owner @{PROC}/@{pid}/mountinfo r,
 include
- @{run}/user/[0-9]*/dconf/ rw,
- @{run}/user/[0-9]*/dconf/user rw,
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
 # file_inherit
 owner /dev/tty[0-9]* rw,
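Review bot: Dropping `capability net_admin,` in the same hunk that removes `flags=(complain)` from hciconfig turns a previously only-logged operation into a hard failure: the HCI device up/down/reset ioctls that `hciconfig hci0 up` issues are gated on CAP_NET_ADMIN in the kernel's HCI socket handler, while `capability net_raw,` only covers opening the raw HCI socket and querying state. If the profile is meant to allow queries only, a comment saying so above `capability net_raw,` would prevent the line from being re-added blindly; if bringing devices up/down is in scope, keep `capability net_admin,` and check the enforce-mode switch against the audit log first. The profile continues outside the hunk.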
diff --git a/apparmor.d/xdg-mime b/apparmor.d/xdg-mime
index 8f2ad274..1d5f9378 100644
--- a/apparmor.d/xdg-mime
+++ b/apparmor.d/xdg-mime
@@ -60,7 +60,7 @@ profile xdg-mime @{exec_path} {
 /media/** rw,
- profile dbus flags=(complain) {
+ profile dbus {
 include
 include