diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server
index 676988ed..22aa6837 100644
--- a/apparmor.d/abstractions/audio-server
+++ b/apparmor.d/abstractions/audio-server
@@ -5,6 +5,8 @@
 # Provide access to audio devices. It should only be used by audio servers that
 # need direct access to them.
+  include
+  /usr/share/alsa/{,**} r,
   /etc/alsa/conf.d/{,**} r,
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1
index 05083b80..d11829d8 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
@@ -27,4 +27,9 @@
        member=Introspect
        peer=(name=:*, label=systemd-logind),
+  dbus send bus=system path=/org/freedesktop/login1/session/*
+       interface=org.freedesktop.login1.Session
+       member=PauseDeviceComplete
+       peer=(name=org.freedesktop.login1, label=systemd-logind),
+  include if exists
diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium
index 7a5a2758..27edc85f 100644
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@@ -8,14 +8,11 @@
   # userns,
-  # Only needed when kernel.unprivileged_userns_clone is set to "1"
+  capability setgid, # If kernel.unprivileged_userns_clone = 1
+  capability setuid, # If kernel.unprivileged_userns_clone = 1
   capability sys_admin,
   capability sys_chroot,
-  capability setuid,
-  capability setgid,
-  owner @{PROC}/@{pid}/setgroups w,
-  owner @{PROC}/@{pid}/gid_map w,
-  owner @{PROC}/@{pid}/uid_map w,
+  capability sys_ptrace,
   owner @{HOME}/.pki/ rw,
   owner @{HOME}/.pki/nssdb/ rw,
@@ -37,4 +34,9 @@
   /dev/shm/ r,
   owner /dev/shm/.org.chromium.Chromium.* rw,
+  # If kernel.unprivileged_userns_clone = 1
+  owner @{PROC}/@{pid}/setgroups w,
+  owner @{PROC}/@{pid}/gid_map w,
+  owner @{PROC}/@{pid}/uid_map w,
+  include if exists
\ No newline at end of file
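Review bot: `capability sys_ptrace,` in the first chromium hunk is added with no justification, while the two userns capabilities next to it now carry an inline condition and the three `@{PROC}/@{pid}/*_map` lines moved to the second hunk keep theirs. CAP_SYS_PTRACE is the broadest privilege in this block (it lifts the ptrace and /proc access restrictions the kernel applies between processes), so the line should state which Chromium component needs it — the sandbox helper or crash handling would be my guess, to be confirmed — and whether a scoped `ptrace (read, trace) peer=@{profile_name},` rule would cover that case without the capability. At minimum match the neighbours' style, e.g. `capability sys_ptrace, # <reason, placeholder>`, so the next reviewer can tell it was deliberate rather than copied from an audit log.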
diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read
index 9a063c1e..916a08c4 100644
--- a/apparmor.d/abstractions/thumbnails-cache-read
+++ b/apparmor.d/abstractions/thumbnails-cache-read
@@ -5,6 +5,6 @@
   owner @{user_cache_dirs}/thumbnails/ r,
   owner @{user_cache_dirs}/thumbnails/{*large,normal}/ r,
-  owner @{user_cache_dirs}/thumbnails/{*large,normal}/@{hex32}.png r,
+  owner @{user_cache_dirs}/thumbnails/{*large,normal}/*.png r,
   include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write
index a861814d..ac1c02c5 100644
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
@@ -5,8 +5,8 @@
   owner @{user_cache_dirs}/thumbnails/ rw,
   owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw,
-  owner @{user_cache_dirs}/thumbnails/{large,normal}/@{hex32}.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
-  owner @{user_cache_dirs}/thumbnails/{large,normal}/@{hex32}.png.@{rand6} rw,
+  owner @{user_cache_dirs}/thumbnails/{large,normal}/*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
+  owner @{user_cache_dirs}/thumbnails/{large,normal}/*.png.@{rand6} rw,
   owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw,
   include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce
index 37014b2f..b625da98 100644
--- a/apparmor.d/abstractions/xfce
+++ b/apparmor.d/abstractions/xfce
@@ -8,8 +8,8 @@
   include
   include
-  owner @{user_config_dirs}/xfce4/help.rc rw,
-  owner @{user_config_dirs}/xfce4/help.rc.@{int}.tmp rw,
+  owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
+  owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
   owner @{HOME}/.local/ rw,
   owner @{user_cache_dirs}/ rw,
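Review bot: Replacing `@{hex32}.png` with `*.png` in thumbnails-cache-read, and in both rewritten rules of thumbnails-cache-write, removes the only constraint that tied these entries to the 32-hex-digit names the thumbnail cache is expected to hold, so every profile including the write abstraction can now create, rename and link arbitrarily named PNG files under the owner's thumbnail directories. If a particular thumbnailer really emits non-hex names, a comment naming it (and, if its name shape is known, a second narrower rule for that shape) would keep the relaxation reviewable rather than blanket. The read side also matches `{*large,normal}/` while the write side matches `{large,normal}/`; that asymmetry predates this commit, but the new `*.png` lines copy it, which looks unintended if x-large/xx-large thumbnails are meant to be written as well as read.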