diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index fe5f54a7..667ed0c1 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -21,7 +21,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 26046888..2f58d051 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/ibus/ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} { include + include include include include @@ -24,6 +25,7 @@ profile ibus-extension-gtk3 @{exec_path} { @{exec_path} mr, + /usr/share/dconf/profile/gdm r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/ibus/{,**} r, /usr/share/icons/{,**} r, @@ -34,13 +36,12 @@ profile ibus-extension-gtk3 @{exec_path} { owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, - include + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, /var/lib/gdm/.config/dconf/user r, - owner @{run}/user/@{uid}/gdm/Xauthority r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 3fbb8ab6..7a64e81f 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -15,6 +15,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index c4a98be1..7974cd6f 100644 
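Review bot: The new `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,` rule only constrains the first character of the random suffix: a suffix beginning with a lowercase letter will not match, while one beginning with a digit or capital matches whatever follows. If the suffix comes from a mkstemp-style generator (mixed-case alphanumerics, usually six of them), spelling it out as `[0-9a-zA-Z][0-9a-zA-Z][0-9a-zA-Z][0-9a-zA-Z][0-9a-zA-Z][0-9a-zA-Z]` pins both alphabet and length; the same pattern is used elsewhere in the tree, so this may be better fixed tree-wide. Granting an input-method extension read access to X authority cookies (this rule and `owner @{run}/user/@{uid}/gdm/Xauthority r,`) is `owner`-gated, which is the right scope, but a one-line comment on why ibus-extension-gtk3 needs an Xwayland auth cookie would help the next reviewer. The profile still ends without a trailing newline, as the `\ No newline at end of file` marker shows.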
--- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -12,6 +12,7 @@ profile evolution-alarm-notify @{exec_path} { include include include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index ccbaead7..9900d989 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -57,6 +57,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{sys}/devices/pci[0-9]*/**/drm/ r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, /dev/ r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 7bc02b27..78352bfb 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -11,6 +11,7 @@ profile gnome-calendar @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index 2f1f75db..b505d16a 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/gnome-contacts-search-provider profile gnome-contacts-search-provider @{exec_path} { include + include include signal (send) set=(term) peer=unconfined, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 3e018fee..e8176d6b 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -10,6 +10,7 @@ include profile goa-daemon @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 8c20df1a..d21fea03 100644 
--- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -15,6 +15,7 @@ profile gsd-xsettings @{exec_path} { include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 58f22eef..00b7e302 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,6 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { # Full access to user's data / r, + /home/ r, owner @{HOME}/{,**} rw, owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, @@ -46,7 +47,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pids}/net/wireless r, @{run}/mount/utab r, @{run}/systemd/userdb/ r, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 6c4e07a8..daff8d92 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -23,6 +23,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { signal (send) set=(term, kill) peer=mount, + ptrace (read), + @{exec_path} mr, /{usr/,}bin/lsof rix, @@ -51,10 +53,12 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/[0-9]* r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/net/* r, @{PROC}/ r, + @{PROC}/@{pid}/stat r, @{PROC}/1/cgroup r, @{PROC}/locks r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index b6be6095..56c574fc 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
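Review bot: `@{PROC}/@{pids}/net/wireless r,` drops the `owner` qualifier and widens the rule from nautilus's own pid to any pid, with no comment recording which access was denied. `/proc/<pid>/net/*` reflects the network namespace rather than the process, so the data exposed is the same, but if the denial came from a non-owner access to the process's own entry (for example a task whose dumpable flag is cleared) the narrower `@{PROC}/@{pid}/net/wireless r,` would also fix it; worth confirming from the audit log before keeping the `@{pids}` form. `/home/ r,` only permits a directory listing and is consistent with the existing `/ r,` above it.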
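Review bot: `ptrace (read),` is added with no `peer=` restriction, which lets this profile read `/proc/<pid>/{fd,fdinfo,maps,environ,...}` of every other task on the system regardless of that task's confinement. This is presumably needed because `lsof` runs under this profile (`/{usr/,}bin/lsof rix,` above) and walks `/proc/*/fd` to find what is holding a device busy, so the rule should say so, e.g. `# lsof walks /proc/*/fd to find processes blocking an unmount`. In the same hunk `owner @{PROC}/@{pid}/stat r,` becomes `@{PROC}/@{pid}/stat r,`: if the owner qualifier is dropped on purpose to read other processes' stat, the tree's convention is `@{PROC}/@{pids}/stat r,` so the intent is visible; if only the own pid is meant, keep `owner`. `owner @{PROC}/@{pid}/net/* r,` is also broad for a volume monitor; if the log shows only one or two files under `net/`, list them instead.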
@@ -13,15 +13,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include - network inet stream, - network inet6 stream, - network inet dgram, - network inet6 dgram, - network inet raw, - network inet6 raw, - network netlink raw, - network packet dgram, - capability audit_write, capability dac_override, capability kill, @@ -33,6 +24,15 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { capability sys_chroot, capability sys_module, + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + network packet dgram, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 82d39772..085b4af3 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -10,7 +10,19 @@ include profile nm-dhcp-helper @{exec_path} { include + network inet dgram, + network inet6 dgram, + + ptrace (readby) peer=NetworkManager, + + signal (receive) peer=NetworkManager, + signal (send) peer=dhclient, + @{exec_path} mr, + /var/lib/NetworkManager/*lease r, + + @{run}/NetworkManager/private-dhcp rw, + include if exists } diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index dc98b177..d065a097 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -42,14 +42,14 @@ profile tailscaled @{exec_path} { @{PROC}/ r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/net/{,**} r, - @{PROC}/sys/net/{,**} r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/fd/ r, @{PROC}/1/cgroup r, - @{PROC}/1/stat r, @{PROC}/1/environ r, + @{PROC}/1/stat r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/net/{,**} r, /dev/net/tun rw, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 9dff0fc6..a4841a29 100644 
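Review bot: `signal (send) peer=dhclient,` has no `set=` restriction, so the helper may deliver any signal, including `kill`, to the confined DHCP client; if the only observed need is termination, `signal (send) set=(term) peer=dhclient,` is the tighter rule, and if the helper never signals dhclient at all (it is started by the client as its script and talks to NetworkManager over `@{run}/NetworkManager/private-dhcp`), the rule may be unnecessary — worth checking against the audit log that motivated it. The `network inet dgram,` and `network inet6 dgram,` rules also deserve a comment, since the helper's transport to NetworkManager is a unix socket and it is not obvious from this hunk what the IP sockets are for. `/var/lib/NetworkManager/*lease r,` is appropriately read-only; lease files carry assigned addresses and server identifiers and the helper has no reason to rewrite them.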
--- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -57,6 +57,7 @@ profile pacman @{exec_path} { /{usr/,}bin/gettext rix, /{usr/,}bin/ghc-pkg-* rix, /{usr/,}bin/grep rix, + /{usr/,}bin/iscsi-iname rix, /{usr/,}bin/killall rix, /{usr/,}bin/rm rix, /{usr/,}bin/setcap rix, diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 196655f3..055b4f1f 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -17,14 +17,15 @@ profile systemd-binfmt @{exec_path} { @{exec_path} mr, # Config file locations - /etc/binfmt.d/*.conf r, - @{run}/binfmt.d/*.conf r, - /usr/lib/binfmt.d/*.conf r, + /etc/binfmt.d/{,*.conf} r, + @{run}/binfmt.d/{,*.conf} r, + /usr/lib/binfmt.d/{,*.conf} r, owner @{PROC}/@{pid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/fs/binfmt_misc/status w, + @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/kernel/osrelease r, include if exists diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 620bd1ee..ef93fd23 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/aa-log profile aa-log @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index e88775bd..fbfe1970 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd 
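Review bot: The new `{,*.conf}` globs add the directory listings for three drop-in locations but still omit `/usr/local/lib/binfmt.d/`, which as far as I recall is part of systemd's configuration search order for `binfmt.d` (`/etc`, `/run`, `/usr/local/lib`, `/usr/lib`) — verify against the systemd version you target; if a host keeps local rules there, both the listing and the file read would be denied. Suggest `/usr/local/lib/binfmt.d/{,*.conf} r,` beside the other three. `@{PROC}/sys/fs/binfmt_misc/register w,` is the interface this unit exists to write, so it is appropriate, but a note such as `# registers the interpreters parsed from binfmt.d` would make the write rule self-explanatory next to the existing `status w,`.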
@@ -31,20 +31,22 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, + /usr/share/fwupd/{,**} r, + /usr/share/mime/mime.cache r, + /etc/pki/fwupd/{,**} r, /etc/pki/fwupd-metadata/{,**} r, /etc/fwupd/{,**} r, - /usr/share/fwupd/{,**} r, + /etc/fwupd/remotes.d/* rw, /var/cache/fwupd/{,**} rw, /var/lib/fwupd/{,**} rw, /var/lib/fwupd/pending.db rwk, /boot/{,**} r, - /boot/EFI/arch/fwupdx[0-9]*.efi rw, - /boot/EFI/arch/fw/fwupd-*.cap{,.*} rw, - - /usr/share/mime/mime.cache r, + /boot/EFI/*/.goutputstream-* rw, + /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, + /boot/EFI/*/fwupdx[0-9]*.efi rw, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index 7335b63b..0241c547 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -13,6 +13,7 @@ profile glxinfo @{exec_path} { include include include + include capability sys_admin, # Needed? diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 60af2f8f..32f04165 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -90,6 +90,7 @@ profile htop @{exec_path} { @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, + @{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r, @{sys}/devices/system/cpu/cpu[0-9]*/online r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, diff --git a/apparmor.d/profiles-s-z/xdg-dbus-proxy b/apparmor.d/profiles-s-z/xdg-dbus-proxy index bd89e3f9..fa116759 100644 --- a/apparmor.d/profiles-s-z/xdg-dbus-proxy +++ b/apparmor.d/profiles-s-z/xdg-dbus-proxy 
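Review bot: Replacing `arch` with `*` generalises the vendor directory but not the ESP mount point: on distributions that mount the ESP at `/boot/efi`, the loader and capsules live under `/boot/efi/EFI/<vendor>/`, which none of the three new `/boot/EFI/*/...` rules match. `/boot/{,efi/}EFI/*/fwupdx[0-9]*.efi rw,` with the same prefix on the `fw/fwupd-*.cap{,.*}` and `.goutputstream-*` rules would cover both layouts; the existing `/boot/{,**} r,` already reads either. The profile header shows it is still in `complain` mode, so any mismatch here is currently only logged rather than enforced. `/etc/fwupd/remotes.d/* rw,` turns the remote definitions from read-only into writable; that matches fwupd rewriting a remote's config when it is enabled or disabled from a client, but it also means a compromised daemon can repoint its own metadata sources, so a comment stating the reason keeps that trade-off visible.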
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/xdg-dbus-proxy -profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) { +profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, @@ -15,8 +15,10 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/.dbus-proxy/{session,a11y}-bus-proxy-[0-9A-Z]* rw, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-[0-9A-Z]* rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw, @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, diff --git a/apparmor.d/profiles-s-z/xorg b/apparmor.d/profiles-s-z/xorg index 52dba16b..f5c2b8b5 100644 --- a/apparmor.d/profiles-s-z/xorg +++ b/apparmor.d/profiles-s-z/xorg @@ -13,14 +13,13 @@ include @{exec_path} += /{usr/,}lib/xorg/Xorg profile xorg @{exec_path} flags=(attach_disconnected) { include - include - include - include - include include + include include include include + include + include capability setgid, capability setuid, @@ -66,7 +65,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/xorg/Xorg.[0-9].log{,.old} rw, owner @{user_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw, - owner /var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw, + /var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw, owner /var/log/lightdm/x-*.log* rw, owner /var/log/Xorg.[0-9].log{,.old} rw, owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,
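Review bot: Removing `complain` from the flags turns every unmatched path into a real denial, so the random-suffix patterns in the new `webkitgtk/a11y-proxy-[0-9A-Z]*`, `bus-proxy-[0-9A-Z]*` and `dbus-proxy-[0-9A-Z]*` rules matter now: they constrain only the first character, and a suffix beginning with a lowercase letter (mixed-case alphanumerics are what mkstemp-style generators produce) will be refused where it was previously only logged. If the suffix alphabet is mixed case, `[0-9a-zA-Z]*` or a fixed-length spelled-out class is the intended match; please confirm against a WebKitGTK log line before enforcing. The switch to enforcing is otherwise welcome for a process that brokers D-Bus on behalf of sandboxed web content.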
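Review bot: `owner` is dropped from `/var/lib/gdm/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,`, so Xorg may now write this GDM-owned log while running with a different fsuid — presumably an Xorg that starts as root before dropping to the gdm user, consistent with the `capability setuid`/`capability setgid` the profile already grants. The rule stays scoped by `@{pid}`, which limits it, but every neighbouring log rule keeps `owner`, so the exception should be explained in place, e.g. `# written as root before Xorg drops privileges to the gdm user`. If the log is in fact written after the uid switch, the `owner` qualifier should be restored and the real denial investigated.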