diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app
index 36e4e29d..b18ce7eb 100644
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@@ -31,7 +31,9 @@
 dbus bus=session,
 dbus bus=system,
- /usr/** r,
+ /usr/cache/** r,
+ /usr/local/** r,
+ /usr/share/** rk,
 /etc/{,**} r,
@@ -93,6 +95,7 @@
 @{PROC}/@{pid}/task/@{tid}/status r,
 @{PROC}/bus/pci/devices r,
 @{PROC}/driver/** r,
+ @{PROC}/locks r,
 @{PROC}/pressure/cpu r,
 @{PROC}/pressure/io r,
 @{PROC}/pressure/memory r,
@@ -106,9 +109,13 @@
 @{PROC}/zoneinfo r,
 owner @{PROC}/@{pid}/clear_refs w,
 owner @{PROC}/@{pid}/comm rw,
+ owner @{PROC}/@{pid}/environ r,
 owner @{PROC}/@{pid}/fd/@{int} rw,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/io r,
 owner @{PROC}/@{pid}/loginuid r,
+ owner @{PROC}/@{pid}/mem r,
+ owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/net/if_inet6 r,
 owner @{PROC}/@{pid}/oom_score_adj rw,
 owner @{PROC}/@{pid}/statm r,
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 4d8fc6cd..c5195ec1 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -48,6 +48,9 @@ profile dbus-session flags=(attach_disconnected) {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
+ owner @{HOME}/.var/app/*/**/.ref rw,
+ owner @{HOME}/.var/app/*/**/logs/* rw,
+
 @{run}/systemd/users/@{uid} r,
 owner @{run}/user/@{uid}/dbus-1/ rw,
 owner @{run}/user/@{uid}/dbus-1/services/ rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
index c7d131fc..21c2de26 100644
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
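Review bot: `/usr/cache/** r`, the first replacement for `/usr/** r` in the first hunk of abstractions/common/app, does not correspond to any standard location (caches live under `/var/cache`), so if it is a typo the rule grants nothing and the intended path stays denied; if `/usr/cache` is deliberate, a comment naming what populates it would help. The same hunk widens `/usr/share/** r` to `rk`, a lock permission the removed rule never gave; unless a specific consumer takes locks across all of `/usr/share`, keep it at `r` and add `k` on the one file that needs it. Since this abstraction is shared by every profile that includes it, reads under other `/usr` subtrees that the old `/usr/** r` allowed are now gone for all of them unless another included abstraction covers them, which is a welcome reduction but worth a sentence in the commit message for anyone bisecting new denials.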
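Review bot: `owner @{PROC}/@{pid}/mem r` and `owner @{PROC}/@{pid}/environ r`, added in the third hunk of abstractions/common/app, go into an abstraction included by many profiles, so every one of them gains read access to the memory and environment of any same-uid process rather than just the profile that needed it. Reading `/proc/@{pid}/mem` is, as far as I know, also subject to the kernel's ptrace access check that AppArmor mediates through `ptrace (read)`, so the rule only takes effect in profiles that already hold that permission, which makes the intended consumer even harder to see from here. Prefer keeping both rules in the profile whose denial motivated them, with a comment such as `# <program> reads its own process memory/environment (TODO: confirm which)`; `fdinfo`, `mounts` and `@{PROC}/locks` are low-risk and fine in the abstraction.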
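Review bot: `owner @{HOME}/.var/app/*/**/.ref rw` and `owner @{HOME}/.var/app/*/**/logs/* rw` in the dbus-session hunk let the session bus daemon itself write at any depth inside every Flatpak application's private data directory, which is broader than the matching rules added to xdg-dbus-proxy in this same commit (`.local/share/*/logs/*` and `.local/share/*/**/usr/.ref`). If the denials behind this come from the same files, the two profiles could share the narrower spelling; either way a comment stating why dbus-daemon touches per-app data, e.g. `# TODO(review): confirm why dbus-daemon writes flatpak app data`, would keep a later cleanup from dropping rules nobody can explain. The profile body continues outside the hunk.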
@@ -25,13 +25,16 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ owner @{HOME}/.var/app/*/.local/share/*/logs/* rw,
+ owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,
+
 owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
 owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
 owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
 owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
 owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
- @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r,
 /dev/dri/card@{int} rw,
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index 27381245..9d06b459 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -41,6 +41,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 network netlink raw,
 ptrace (read),
+ ptrace trace peer=flatpak-app,
 signal (receive) set=(int) peer=flatpak-portal,
 signal (receive) set=(int) peer=flatpak-session-helper,
@@ -54,6 +55,10 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /var/lib/flatpak/app/*/**/@{bin}/** rmix,
 /var/lib/flatpak/app/*/**/@{lib}/** rmix,
+ @{run}/parent/@{bin}/** rmix,
+ @{run}/parent/@{lib}/** rmix,
+ @{run}/parent/app/** rmix,
+
 @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache,
 @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database,
 @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
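Review bot: `ptrace trace peer=flatpak-app` in the first flatpak-app hunk lets a process confined by this profile attach with full tracing to any other process under the same profile, and because flatpak-app is one profile shared by every Flatpak application that includes processes of unrelated apps; the existing `ptrace (read)` line above it only allowed inspection. AppArmor cannot tell the apps apart here, so cross-app isolation now rests entirely on the sandbox's PID namespace, which deserves a comment next to the rule, e.g. `# all flatpak apps share this profile; isolation between apps relies on the sandbox pid namespace, not on this rule`. If only read-style access was actually missing, `ptrace (read) peer=flatpak-app` would be the narrower fix. The profile body continues outside the hunk.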
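Review bot: `@{run}/parent/app/** rmix` in the second flatpak-app hunk grants inherit-execute on an entire tree, while the two `/var/lib/flatpak/app/*/**` rules directly above it and the new `@{run}/parent/@{bin}/**` and `@{run}/parent/@{lib}/**` lines confine execution to bin and lib directories; unless files outside those directories of the parent `/app` are really executed, giving it the same shape keeps the host and parent rules symmetrical. `@{run}/parent` is not explained anywhere in this hunk; a one-line comment on what it is (presumably the outer sandbox's `/usr` and `/app` exposed to a nested `flatpak-spawn --sandbox`, to be confirmed) would help the next reader. The `flatpak-app//>k-update-icon-cache` on the context line looks like an HTML-entity artifact of the rendering (`&gt` swallowed from `&gtk`), not a profile bug, given the two `//&update-...` siblings. The profile body continues outside the hunk.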
@@ -62,23 +67,23 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 @{lib}/kf5/kioslave5 rPx,
 @{lib}/kf6/kioworker rPx,
- /var/lib/flatpak/app/{,**} r,
-
- /usr/.ref rk,
-
 /etc/**/ rw,
 /etc/shells rw,
- /app/.ref k,
+ /app/.ref rk,
 /app/extra/** rw,
 /app/lib/** rk,
 /bindfile@{rand6} rw,
+ /usr/.ref rk,
 /var/lib/flatpak/app/{,**} r,
 /var/lib/flatpak/exports/** rw,
 /var/tmp/etilqs_@{hex} rw,
 @{run}/.userns r,
+ @{run}/parent/** r,
+ @{run}/parent/app/.ref rk,
+ @{run}/parent/usr/.ref rk,
 owner @{run}/flatpak/{,**} rk,
 owner @{run}/flatpak/app/** rw,
 owner @{run}/flatpak/doc/** rw,
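Review bot: `@{run}/parent/** r` already covers the read half of `@{run}/parent/app/.ref rk` and `@{run}/parent/usr/.ref rk`, so the two `.ref` lines only contribute the lock permission and look like duplicates at first glance; a comment such as `# .ref files are locked while the deployment is in use (TODO: confirm)` would keep a later cleanup from removing them. Moving `/usr/.ref rk` and `/var/lib/flatpak/app/{,**} r` to their sorted positions is pure reordering and needs no further review. The profile body continues outside the hunk.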