diff --git a/apparmor.d/groups/desktop/xwayland b/apparmor.d/groups/desktop/xwayland
index 3d61315a..8cec4f89 100644
--- a/apparmor.d/groups/desktop/xwayland
+++ b/apparmor.d/groups/desktop/xwayland
@@ -32,7 +32,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/pci/devices/ r,
- owner @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/comm r,
 /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 5d4d1394..046e1d24 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -144,18 +144,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
 @{sys}/devices/pci[0-9]*/**/drm/ r,
- owner @{PROC}/@{pid}/attr/current r,
- owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/comm r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pid}/attr/current r,
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/net/* r,
 @{PROC}/@{pid}/stat r,
 @{PROC}/@{pid}/task/@{tid}/stat r,
- @{PROC}/@{pid}/net/* r,
- @{PROC}/sys/kernel/osrelease r,
 @{PROC}/1/cgroup r,
 @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
 /dev/input/event[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index e9d8bbe6..442f19ba 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -11,6 +11,7 @@ profile tracker-extract @{exec_path} {
 include
 include
 include
+ include
 include
 network netlink raw,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index c11ddd4f..26f313d6 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
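Review bot: Dropping `owner` from `@{PROC}/@{pids}/cmdline r,` lets Xwayland read the command line of every process on the system rather than only its own user's, while the `comm` rule directly below keeps `owner`, and nothing in the hunk records which denial motivated the widening; command lines routinely carry secrets passed as arguments, so this is a disclosure change worth a reason. The gnome-shell hunk in the same commit does the same for `@{PROC}/@{pid}/attr/current` and `@{PROC}/@{pid}/cgroup`, which now expose the confinement label and cgroup of every process instead of the user's own. If the trigger is clients running under a different uid, say so above the rule, e.g. `# Clients of other uids: read cmdline — TODO(review) confirm the denial that requires this`, and decide whether `comm` should be treated the same way so the two rules stay consistent. Both profile bodies continue outside their hunks.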
@@ -47,8 +47,11 @@ profile pacman @{exec_path} {
 /{usr/,}{s,}bin/ldconfig rix,
 /{usr/,}bin/{,ba}sh rix,
 /{usr/,}bin/cat rix,
+ /{usr/,}bin/chgrp rix,
+ /{usr/,}bin/chmod rix,
 /{usr/,}bin/dot rix,
 /{usr/,}bin/env rix,
+ /{usr/,}bin/getent rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/ghc-pkg-* rix,
 /{usr/,}bin/grep rix,
@@ -63,6 +66,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/fc-cache rPx,
 /{usr/,}bin/gdk-pixbuf-query-loaders rPx,
 /{usr/,}bin/glib-compile-schemas rPx,
+ /{usr/,}bin/groupadd rPx,
 /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
 /{usr/,}bin/install-info rPx,
 /{usr/,}bin/journalctl rPx,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 5f850bb7..922eb3de 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -17,11 +17,12 @@ profile systemd-hostnamed @{exec_path} {
 @{exec_path} mr,
- @{sys}/devices/virtual/dmi/id/product_name r,
- @{sys}/devices/virtual/dmi/id/sys_vendor r,
- @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/dmi/id/uevent r,
 @{run}/udev/data/+dmi:id r,
diff --git a/apparmor.d/profiles-m-r/pipewire-pulse b/apparmor.d/profiles-m-r/pipewire-pulse
index e68833db..d0eacad3 100644
--- a/apparmor.d/profiles-m-r/pipewire-pulse
+++ b/apparmor.d/profiles-m-r/pipewire-pulse
@@ -12,7 +12,8 @@ profile pipewire-pulse @{exec_path} {
 include
 include
- # Needed for all sound/music apps.
+ capability sys_ptrace,
+ ptrace (read),
 @{exec_path} mr,
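Review bot: `/{usr/,}bin/getent rix,` in the first pacman hunk runs NSS lookups inside pacman's own profile, so any backend that getent consults (nsswitch config, local passwd/group files, or a daemon socket for non-file backends) must now be covered by pacman's rules rather than by a separate profile; the profile header is outside the hunk, so confirm it already includes the nameservice abstraction before this lands. The `chgrp`/`chmod` `rix` entries and the `groupadd rPx` in the second hunk look like the same scriptlet need, which is worth recording once above the new lines, e.g. `# Helpers run by package install scriptlets — TODO(review) name the package`.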
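Review bot: The seven single-file reads under `@{sys}/devices/virtual/dmi/id/` in the systemd-hostnamed hunk read more easily as one brace-expanded rule, `@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,chassis_type,product_name,product_version,sys_vendor,uevent} r,`, the form this same commit uses for `{rx_bytes,tx_bytes}` in gnome-shell. Keeping an explicit list rather than widening to `dmi/id/*` is the right call, since that directory also holds root-only serial and UUID attributes the daemon has no need to read. The profile body continues outside the hunk.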
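Review bot: `ptrace (read),` with no `peer=` in the pipewire-pulse hunk grants PTRACE_MODE_READ access against every other profile on the system (this is the check that gates `/proc/@{pid}/environ`, `maps`, `exe` and similar entries of non-owner processes), and `capability sys_ptrace,` additionally lets it cross uid boundaries whenever the process holds that capability; the old explanatory comment is replaced by nothing, so a reader cannot tell which client lookup drives this. If the trigger is identifying pulse clients from their `/proc` entries, narrow the rule to the domains involved, e.g. `ptrace (read) peer=<CLIENT_PROFILE>,` (placeholder), and drop `capability sys_ptrace` unless a denial for it was actually observed, since pipewire-pulse normally runs as the unprivileged session user where the capability is absent anyway. At minimum restore a comment naming the need, such as `# Read /proc/@{pid}/ entries of connecting clients — TODO(review) confirm`. The profile body continues outside the hunk and its trailing context may run past this chunk.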