From 4c5a21145a5f7f4567de25db34111ed013337f51 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 11 Feb 2024 15:37:24 +0100 Subject: [PATCH] General update Signed-off-by: Jeroen Rijken --- apparmor.d/abstractions/app-open | 1 + .../bus/org.freedesktop.NetworkManager | 17 ++++- .../abstractions/bus/org.freedesktop.UPower | 7 +- apparmor.d/groups/apt/apt-overlay | 2 + apparmor.d/groups/cron/cron-ntp | 21 ++++++ apparmor.d/groups/freedesktop/plymouth | 1 + .../groups/freedesktop/xdg-desktop-portal | 1 + apparmor.d/groups/kde/kauth-backlighthelper | 6 +- apparmor.d/groups/kde/kcminit | 3 + apparmor.d/groups/kde/kded5 | 32 ++++++++- apparmor.d/groups/kde/konsole | 67 +++++++++++++++++++ apparmor.d/groups/kde/kscreenlocker-greet | 1 + apparmor.d/groups/kde/ksmserver | 4 ++ apparmor.d/groups/kde/kstart | 14 +++- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/sddm-xsession | 5 ++ apparmor.d/groups/network/nm-online | 7 +- apparmor.d/groups/network/rpcbind | 16 +++++ apparmor.d/groups/systemd/systemd-logind | 9 ++- apparmor.d/profiles-a-f/flatpak | 3 + apparmor.d/profiles-a-f/flatpak-app | 4 ++ apparmor.d/profiles-a-f/fwupdmgr | 2 + apparmor.d/profiles-g-l/im-launch | 4 ++ apparmor.d/profiles-g-l/ip | 4 +- apparmor.d/profiles-s-z/thunderbird | 7 +- apparmor.d/tunables/multiarch.d/system | 3 + 26 files changed, 227 insertions(+), 15 deletions(-) create mode 100644 apparmor.d/groups/cron/cron-ntp create mode 100644 apparmor.d/groups/kde/konsole create mode 100644 apparmor.d/groups/network/rpcbind diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 16fcffcf..20884670 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -16,6 +16,7 @@ # Files explorer @{bin}/nautilus rPx, + @{bin}/dolphin rPx, # Browsers @{bin}/chromium rPx, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index d8c8279d..69b0c389 100644 
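Review bot: `@{bin}/dolphin rPx,` in the app-open abstraction only works if a profile named `dolphin` is loaded; with `Px` and no matching profile the exec is denied instead of falling back, and this abstraction is included by many profiles, so every one of them inherits that failure mode. The patch does not add or touch a dolphin profile, so I cannot tell from here whether one exists. If it does not, `@{bin}/dolphin rPUx,` is the safe interim form, with a `# TODO: rPx` comment matching the style used elsewhere in this patch (see the DiscoverNotifier line in ksmserver).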
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -14,7 +14,12 @@ dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member=GetPermissions + member={GetDevices,GetPermissions} + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings + interface=org.freedesktop.NetworkManager.Settings + member=ListConnections peer=(name=:*, label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} @@ -22,6 +27,16 @@ member=GetSettings peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index a0a1ddfa..ac83968e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower 
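Review bot: The two new `dbus send` rules in the second hunk differ only in the object path (`/ActiveConnection/@{int}` and `/Devices/@{int}`) and can be one rule, `dbus send bus=system path=/org/freedesktop/NetworkManager/{ActiveConnection,Devices}/@{int}` with the same `interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=NetworkManager)` body. Worth keeping in mind that this is a shared abstraction: `ListConnections` (first hunk) together with the existing `GetSettings` rule lets every includer enumerate and read all connection settings, not just the one it is interested in; a short comment naming the consumer that needed it would help future pruning.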
@@ -15,10 +15,11 @@ dbus send bus=system path=/org/freedesktop/UPower/devices/DisplayDevice interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=org.freedesktop.UPower, label=upowerd), - dbus send bus=system path=/org/freedesktop/UPower/devices/DisplayDevice + peer=(name=:*, label=upowerd), + + dbus receive bus=system path=/org/freedesktop/UPower/devices/{mouse_hidpp_battery_0,battery_BAT0} interface=org.freedesktop.DBus.Properties - member={Get,GetAll} + member=PropertiesChanged peer=(name=:*, label=upowerd), include if exists diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 2f7a6226..55c85e77 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -14,10 +14,12 @@ profile apt-overlay @{exec_path} { @{exec_path} mr, + @{bin}/apt rPx, @{bin}/apt-get rPx, @{bin}/ruby* mrix, @{bin}/apt-overlay r, + owner @{bin}/env r, @{lib}/ruby/{,**} r, @{lib}/locale/locale-archive r, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp new file mode 100644 index 00000000..d222c51a --- /dev/null +++ b/apparmor.d/groups/cron/cron-ntp @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/ntp +profile cron-ntp @{exec_path} { + include + + @{exec_path} r, + + @{shells_path} rix, + @{bin}/cat rix, + @{bin}/grep rix, + @{bin}/sed rix, + + include if exists +} diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index d430b6fa..d844eede 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plymouth profile plymouth @{exec_path} { include + include include unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"), 
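Review bot: The new `dbus receive` rule hard-codes two device object names, `{mouse_hidpp_battery_0,battery_BAT0}`, which are specific to the author's hardware and will not match a second battery, a different mouse or a laptop whose battery is `BAT1`; in a shared abstraction this should be a pattern such as `path=/org/freedesktop/UPower/devices/*`, mirroring the `DisplayDevice` rule above it. The peer is still pinned by `label=upowerd`, so the widening is limited to which object paths can emit `PropertiesChanged`.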
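Review bot: `owner @{bin}/env r,` in apt-overlay uses the `owner` qualifier on a system binary; that only matches when the process runs as the file's owner (normally root), and none of the neighbouring binary rules (`@{bin}/ruby* mrix`, `@{bin}/apt-overlay r`) use it, so it looks accidental. If env is only read, `@{bin}/env r,` is the consistent form; if it is actually executed (a `#!/usr/bin/env ruby` shebang, which I infer but cannot see here), `@{bin}/env rix,` is what is needed.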
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ddd6fab0..b6303dbc 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index a79944a2..1f8beefc 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/kauth/{,libexec/}backlighthelper profile kauth-backlighthelper @{exec_path} { include + include + include include include @@ -26,8 +28,10 @@ profile kauth-backlighthelper @{exec_path} { @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw, + @{sys}/devices/@{pci}/intel_backlight/type r, /dev/tty r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 39f39279..ed8a558f 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -30,6 +30,7 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/kdedefaults/kcminputrc r, owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/touchpadrc r, + owner @{user_config_dirs}/touchpadxlibinputrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, 
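Review bot: In the second kauth-backlighthelper hunk, `@{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw,` grants write access to `max_brightness`, a read-only sysfs attribute, while the existing drm rules two lines above deliberately keep `max_brightness` at `r` and only `brightness` at `rw`. Split it to match: `@{sys}/devices/@{pci}/intel_backlight/max_brightness r,` and `@{sys}/devices/@{pci}/intel_backlight/brightness rw,`. The trailing-newline fix on the closing brace is fine.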
@@ -39,6 +40,8 @@ profile kcminit @{exec_path} { owner /tmp/.touchpaddefaults wl, owner /tmp/.touchpaddefaults.lock rwk, + @{run}/user/@{uid}/xauth_@{rand6} rl, + @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index 210f6b12..da806aa0 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -14,6 +14,9 @@ profile kded5 @{exec_path} { include include include + include + include + include include include include @@ -29,16 +32,42 @@ profile kded5 @{exec_path} { signal (send) set=hup peer=xsettingsd, + dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent + interface=org.freedesktop.NetworkManager.SecretAgent + member=CancelGetSecrets + peer=(label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent + interface=org.freedesktop.NetworkManager.SecretAgent + member=CancelGetSecrets + peer=(label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/AccessPoint/@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} + interface=org.freedesktop.DBus.Properties + member={PropertiesChanged,AccessPointAdded,AccessPointRemoved} + peer=(label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager + interface=org.freedesktop.NetworkManager.AgentManager + peer=(label=NetworkManager), + @{exec_path} mrix, @{bin}/kcminit rPx, @{bin}/pgrep rCx -> pgrep, + @{bin}/python3.@{int} rix, @{bin}/setxkbmap rix, @{bin}/xrdb rPx, @{bin}/xsettingsd rPx, @{lib}/drkonqi rPx, @{lib}/kf5/kconf_update rPx, - @{lib}/utempter/utempter rPx, + @{lib}/{,@{multiarch}/}libexec/kf5/kconf_update rPx, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, /usr/share/kconf_update/ r, /usr/share/kded5/{,**} r, 
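Review bot: `@{run}/user/@{uid}/xauth_@{rand6} rl,` in kcminit lacks the `owner` qualifier that the rest of this profile applies to user-private files (`owner @{user_config_dirs}/...`, `owner /tmp/.touchpaddefaults...`); the xauth cookie file is a credential, so the repo convention of `owner @{run}/user/@{uid}/xauth_@{rand6} rl,` is worth keeping here too. The `l` (link) permission is unusual for a cookie file; if it is only read, `r` suffices.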
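Review bot: In the second kded5 hunk the `dbus receive ... path=/org/freedesktop/NetworkManager/SecretAgent ... member=CancelGetSecrets` rule is added twice, verbatim; drop one copy. The new `dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager` rule has no `member=` and so allows every method on the AgentManager interface, whereas every other NetworkManager rule in this patch names its members; a `member={Register,RegisterWithCapabilities,Unregister}` line would keep it at the same granularity. Separately, `@{bin}/python3.@{int} rix,` runs an interpreter inheriting kded5's full profile, including these secret-agent rules; a comment naming which module needs it (or a child profile) would make that choice reviewable.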
@@ -113,6 +142,7 @@ profile kded5 @{exec_path} { owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw, + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fd/info/@{int} r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole new file mode 100644 index 00000000..4aed4ffb --- /dev/null +++ b/apparmor.d/groups/kde/konsole 
@@ -0,0 +1,67 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/konsole
+profile konsole @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ ptrace (read),
+
+ signal (send) set=(hup),
+
+ @{exec_path} mr,
+ @{bin}/@{shells} rUx,
+ @{lib}/@{multiarch}/utempter/utempter rPUx,
+
+ /usr/share/color-schemes/{,**} r,
+ /usr/share/konsole/{,**} r,
+
+ /etc/xdg/konsolerc r,
+ /etc/xdg/ui/ui_standards.rc r,
+
+ owner @{HOME}/@{XDG_SSH_DIR}/config r,
+
+ owner @{user_config_dirs}/#@{int} rwl,
+ owner @{user_config_dirs}/konsolerc{,**} rw,
+ owner @{user_config_dirs}/konsolerc.@{rand6} rwl,
+ owner @{user_config_dirs}/konsolerc.lock rwlk,
+ owner @{user_config_dirs}/konsolesshconfig rw,
+ owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl,
+ owner @{user_config_dirs}/konsolesshconfig.lock rwk,
+ owner @{user_config_dirs}/konsolerc.@{rand6} rwl,
+
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_cache_dirs}/mesa_shader_cache/index rw,
+
+ owner @{user_share_dirs}/konsole/{,**} rw,
+
+ # Required including abstractions/audio for sending notifications
+ /usr/share/knotifications5/plasma_workspace.notifyrc r,
+ /usr/share/sounds/** r,
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/konsole.@{rand6} rw,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/dev/i915/perf_stream_paranoid r,
+ @{PROC}/sys/kernel/core_pattern r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet
index 196424e4..54ad413b 100644
--- a/apparmor.d/groups/kde/kscreenlocker-greet
+++ b/apparmor.d/groups/kde/kscreenlocker-greet
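Review bot: `owner @{user_config_dirs}/konsolerc.@{rand6} rwl,` appears twice in the new konsole profile (once above `konsolerc.lock`, once after `konsolesshconfig.lock`); remove the second copy. `ptrace (read),` and `signal (send) set=(hup),` carry no `peer=`, so they apply to every process on the system rather than the shells konsole spawns; since those shells run `rUx`, a `peer=unconfined` qualifier is the tightest form that still works if that is indeed the only target, but I am inferring the target from the exec rule and it should be confirmed against the denial logs.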
@@ -11,6 +11,7 @@ include @{exec_path} += @{lib}/@{multiarch}/libexec/kscreenlocker_greet profile kscreenlocker-greet @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 3d69e69b..395839be 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -20,10 +20,14 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/rm rix, + @{lib}/@{multiarch}/libexec/DiscoverNotifier rPx, @{lib}/@{multiarch}/libexec/kscreenlocker_greet rPx, @{lib}/DiscoverNotifier rPUx, # TODO: rPx, @{lib}/drkonqi rPx, @{lib}/kscreenlocker_greet rPx, + @{lib}/thunderbird/thunderbird.sh rPx, + + @{user_bin_dirs}/** rPUx, /usr/share/color-schemes/{,**} r, /usr/share/knotifications5/*.notifyrc r, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 789820b0..831c7067 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -8,17 +8,27 @@ abi , include @{exec_path} = @{bin}/kstart -profile kstart @{exec_path} flags=(complain,attach_disconnected) { +profile kstart @{exec_path} flags=(attach_disconnected) { include + include + include include include + include include @{exec_path} mr, @{bin}/** rPUx, + @{bin}/konsole rPx, - @{bin}/konsole rPUx, + /var/lib/flatpak/exports/share/mime/ r, + + owner @{user_cache_dirs}/mesa_shader_cache/index rw, + owner @{user_share_dirs}/kservices5/ r, + owner @{user_share_dirs}/kservices5/ServiceMenus/ r, + + @{PROC}/sys/dev/i915/perf_stream_paranoid r, include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 15f2a485..fc25e2b5 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
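Review bot: `@{user_bin_dirs}/** rPUx,` in ksmserver allows the session manager to execute anything under user-writable bin directories with an unconfined fallback, which is the broadest exec rule in this patch; if it is there to restore user-installed session apps a comment saying so (`# Restore user-installed apps from ~/.local/bin`) would justify it, and `rPUx` should stay rather than become `rUx`. The hunk also leaves two DiscoverNotifier rules with different modes, the new `@{lib}/@{multiarch}/libexec/DiscoverNotifier rPx,` and the existing `@{lib}/DiscoverNotifier rPUx, # TODO: rPx`; since a DiscoverNotifier profile evidently exists now, the TODO can be resolved in the same change. In kstart, dropping `complain` means the kept `@{bin}/** rPUx` and the new `rPx` lines are now enforced; fine, but worth calling out in the commit message.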
@@ -50,6 +50,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{bin}/ksysguardd rix, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, + @{lib}/@{multiarch}/libexec/kf5/kioslave5 rPx, /usr/share/akonadi/firstrun/{,*} r, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index c71f1940..bff35d60 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -27,6 +27,11 @@ profile sddm-xsession @{exec_path} { @{bin}/date rix, @{bin}/fish rix, @{bin}/id rix, + @{bin}/gpgconf rCx -> gpg, + @{bin}/stat rix, + @{bin}/tail rix, + @{bin}/mv rix, + @{bin}/locale-check rPx, @{bin}/mktemp rix, @{bin}/rm rix, @{bin}/tcsh rix, diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index b66cff36..90f2df4c 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -16,8 +16,13 @@ profile nm-online @{exec_path} { interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=:*, label=NetworkManager), @{exec_path} mr, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind new file mode 100644 index 00000000..a8737701 --- /dev/null +++ b/apparmor.d/groups/network/rpcbind @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/rpcbind +profile rpcbind @{exec_path} flags=(complain) { + include + + @{exec_path} rm, + + include if exists +} 
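Review bot: `@{bin}/gpgconf rCx -> gpg,` in sddm-xsession transitions into a child profile named `gpg`; the hunk does not show that subprofile, so unless `profile gpg { ... }` already exists in this file the profile will fail to load. The surrounding list is alphabetised (`date`, `fish`, `id`, ..., `mktemp`, `rm`, `tcsh`) but the new `gpgconf`, `stat`, `tail`, `mv`, `locale-check` lines are inserted as a block after `id`; sort them into place so later diffs stay small.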
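Review bot: The new rpcbind profile contains only `@{exec_path} rm,` with no network, capability or file rules, so it is a stub that relies on `flags=(complain)` to avoid breaking the daemon; a comment such as `# TODO: stub, collect denials before enforcing` would make that intent explicit for whoever finds it. Its header also says `Copyright (C) 2023` while the other new files in this patch (cron-ntp, konsole) say 2024.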
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 7879d2a1..4b4bf896 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -31,6 +31,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}" + dbus receive bus=system path=/org/freedesktop/login@{int}{,/seat/auto,session/_@{int}} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label=ksmserver-logout-greeter), + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1), diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 42b5fce5..853f665f 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -10,6 +10,8 @@ include profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include include + include + include include include include @@ -79,6 +81,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**, owner @{run}/user/@{uid}/app/ w, owner @{run}/user/@{uid}/app/*/ w, + owner @{run}/user/@{uid}/systemd/private rw, @{sys}/module/nvidia/version r, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 71e93316..fee270b4 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
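Review bot: The first systemd-logind hunk rewrites `Copyright (C) 2021-2024 Alexandre Pujol` to `2024 Alexandre Pujol` and `2022 Jeroen Rijken` to `2024 Jeroen Rijken`, which drops the earlier years rather than extending the range; that looks like a mistake and the original first line should be kept, with the second becoming `# Copyright (C) 2022-2024 Jeroen Rijken`.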
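Review bot: In the second systemd-logind hunk the path alternation `path=/org/freedesktop/login@{int}{,/seat/auto,session/_@{int}}` is missing the slash before `session`, so the third alternative expands to `/org/freedesktop/login1session/_N`, which never matches a real object path and the Introspect from the greeter on session objects will still be denied. It should read `path=/org/freedesktop/login@{int}{,/seat/auto,/session/_@{int}}`.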
@@ -23,10 +23,14 @@ include profile flatpak-app flags=(attach_disconnected,mediate_deleted) { include include + include + include capability dac_override, capability dac_read_search, capability net_admin, + # When bwrap is setup with setuid privileges, it needs the setuid capability. + capability setuid, capability setpcap, capability sys_admin, capability sys_ptrace, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index b6365488..ae399b52 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -57,6 +57,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, + /var/lib/flatpak/exports/share/mime/mime.cache r, owner @{user_cache_dirs}/ rw, @{user_cache_dirs}/dconf/user rw, @@ -67,6 +68,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { owner @{PROC}/@{pid}/fd/ r, + /dev/i2c-@{int} rw, /dev/tty rw, profile dbus { diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 8d28ab4b..faf618d3 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -20,10 +20,14 @@ profile im-launch @{exec_path} { @{bin}/gsettings rPx, @{bin}/locale rix, @{bin}/sed rix, + @{bin}/sleep rix, + @{bin}/startplasma-x11 rPx, @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, + @{bin}/uim-xim rPUx, @{lib}/gnome-session-binary rPx, + @{HOME}/.xsession-errors rw, /usr/share/im-config/{,**} r, /etc/default/im-config r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index fa1b6221..75825661 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -11,6 +11,7 @@ include profile ip @{exec_path} flags=(attach_disconnected) { include include + include capability bpf, capability net_admin, 
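Review bot: `/dev/i2c-@{int} rw,` in fwupdmgr gives the command-line client direct read/write access to every I2C bus, which is unexpected for a frontend that normally talks to the fwupd daemon over D-Bus; please confirm the denial really came from fwupdmgr and not from fwupd, and if it is genuine, narrow it or add a comment naming the plugin that needs it. The `mime.cache` read and the second fwupdmgr hunk are otherwise fine.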
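Review bot: `@{HOME}/.xsession-errors rw,` in im-launch lacks the `owner` qualifier that this repository uses for files under the user's home; write access to another user's session log is not something im-launch should have, so `owner @{HOME}/.xsession-errors rw,` is the consistent form. The rest of the im-launch hunk (`sleep`, `startplasma-x11 rPx`, `uim-xim rPUx`) reads fine.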
@@ -19,7 +20,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount options=(rw, rshared) -> /{var/,}run/netns/, + mount options=(rw, bind, rshared) -> /{var/,}run/netns/, mount options=(rw, rslave) -> /, mount options=(rw, bind) / -> /{var/,}run/netns/*, mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf, @@ -36,6 +37,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { /etc/iproute2/{,**} r, /etc/netns/*/ r, + owner @{run}/netns/ rwk, @{run}/netns/* rw, owner @{run}/netns/ rw, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 67e9013c..700904c9 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -80,12 +80,13 @@ profile thunderbird @{exec_path} { # Allowed apps to open @{bin}/engrampa rPx, - @{bin}/firefox{,.sh,-esr,-bin} rPx, @{bin}/geany rPx, @{bin}/qpdfview rPx, @{bin}/viewnior rPUx, - @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, - /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, + @{brave_path} rPx, + @{chrome_path} rPx, + @{firefox_path} rPx, + @{opera_path} rPx, /usr/share/@{name}/{,**} r, /usr/share/gvfs/remote-volume-monitors/{,*} r, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 6c9bf2dd..97ef7157 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -38,6 +38,9 @@ @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} @{pci}=@{pci_bus}/**/ +# hci devices +@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c} + # Date and time @{date}=[0-2][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9] @{time}={[0-2],}[0-9]-[0-5][0-9]-[0-6][0-9]
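Review bot: The third ip hunk adds `owner @{run}/netns/ rwk,` two lines above an existing `owner @{run}/netns/ rw,`, so the same path now has two rules; merge them into the single `owner @{run}/netns/ rwk,` and drop the old line. In the second hunk the `bind` option added to the `-> /{var/,}run/netns/` mount rule is consistent with the `bind` rules below it.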
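Review bot: The new `@{hci_id}` tunable in multiarch.d/system is not referenced by any profile in this patch, and the thunderbird hunk replaces explicit firefox paths with `@{brave_path}`, `@{chrome_path}`, `@{firefox_path}` and `@{opera_path}` that are defined outside the shown hunks; both are fine only if those definitions and a consumer exist, which I cannot verify from here. A one-line comment on `@{hci_id}` naming the profile that will use it (or adding that use in the same commit) avoids leaving a dead tunable.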