diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index 6c932fb2..c62c4990 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -45,6 +45,7 @@ profile child-open {
 /{usr/,}bin/firefox rPx,
 /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
 /{usr/,}lib/chromium/chromium rPx,
+ /{usr/,}lib/firefox/firefox rPx,
 /opt/brave.com/brave{,-beta,-dev}/brave{,-beta,-dev} rPx,
 /opt/google/chrome{,-beta,-unstable}/chrome{,-beta,-unstable} rPx,
@@ -58,6 +59,7 @@ profile child-open {
 /{usr/,}bin/draw.io rPUx,
 /{usr/,}bin/dropbox rPx,
 /{usr/,}bin/engrampa rPx,
+ /{usr/,}bin/eog rPUx,
 /{usr/,}bin/evince rPx,
 /{usr/,}bin/filezilla rPx,
 /{usr/,}bin/flameshot rPx,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 9d3ef99d..c8c0075a 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -108,12 +108,12 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/nautilus rPx,
 /{usr/,}bin/snap rPx,
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
 /{usr/,}lib/gio-launch-desktop rPx -> child-open,
-
- /{usr/,}bin/nautilus rPx,
+ /{usr/,}lib/xdg-desktop-portal-validate-icon rPUx,
 / r,
 /.flatpak-info r,
@@ -127,6 +127,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 /var/lib/flatpak/exports/share/mime/mime.cache r,
 /var/lib/flatpak/exports/share/applications/{**,} r,
+ owner /tmp/icon* rw,
+
 owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
 owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index 25ee9180..b64f205f 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
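Review bot: `/{usr/,}bin/eog rPUx,` lets the image viewer run unconfined whenever no `eog` profile is loaded, whereas the viewer right below it (`/{usr/,}bin/evince rPx,`) fails closed when its profile is missing. child-open is the transition target for everything launched through gio-launch-desktop (see the `rPx -> child-open` rules in the xdg-desktop-portal change of this same commit), so an unprofiled eog opened from a confined application ends up with no restriction at all. If the project ships an eog profile this should be `/{usr/,}bin/eog rPx,`; if it deliberately does not, a comment next to the `rPUx` saying so would stop the next reader from tightening it blindly. The `profile child-open {` body continues outside the hunk.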
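Review bot: `/{usr/,}lib/xdg-desktop-portal-validate-icon rPUx,` falls back to unconfined when no profile of that name exists, and this helper is — by its name and, as far as I know, its upstream role — the process that parses icon bytes handed in by sandboxed applications, i.e. the one child in this list that most needs to fail closed rather than open. Prefer a dedicated profile with `/{usr/,}lib/xdg-desktop-portal-validate-icon rPx,`, or at minimum keep `rPUx` with a comment recording why an unconfined fallback is acceptable for a parser of untrusted input. The `profile xdg-desktop-portal` body continues outside the hunk.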
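Review bot: `owner /tmp/icon* rw,` grants read/write on an open-ended name prefix in the shared, world-writable /tmp, and `owner` only narrows it to files owned by the portal's uid, which does not distinguish the portal from any other process running as the same user. If this is the g_file_open_tmp-style template the portal uses while validating an icon (presumably `iconXXXXXX` — worth confirming against the denial), `owner /tmp/icon?????? rw,` matches exactly that shape, and a line such as `# Temporary icon file passed to xdg-desktop-portal-validate-icon` above it records why the portal touches /tmp at all. The `profile xdg-desktop-portal` body continues outside the hunk.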
@@ -23,7 +23,7 @@ profile gnome-characters @{exec_path} {
 /{usr/,}bin/gjs-console rix,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
+ /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
 /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
 /usr/share/libdrm/*.ids r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index adc62abc..1f20035d 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -546,7 +546,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /var/lib/snapd/desktop/icons/{,**} r,
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
- owner @{HOME}/.var/app/**/icons/**.png r,
+ owner @{HOME}/.var/app/**/ r,
+ owner @{HOME}/.var/app/**/icons/**.{png,jpg} r,
 owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install
index 5a513fd7..60557234 100644
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
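Review bot: `owner @{HOME}/.var/app/**/ r,` grants directory read (listing) on every directory under every Flatpak application's private data tree, far wider than the icon files the neighbouring `owner @{HOME}/.var/app/**/icons/**.{png,jpg} r,` rule is about. If the denial behind it was gnome-shell walking towards those icon directories, a directory rule restricted to that path — something like `owner @{HOME}/.var/app/*/{,data/,data/icons/**/} r,`, with the exact intermediate directories taken from the audit log — keeps the listing grant to what is actually traversed. A short comment naming the icon lookup that needs it would also help the next reader. The `profile gnome-shell` body continues outside the hunk.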
@@ -13,21 +13,31 @@ profile grub-install @{exec_path} flags=(complain) {
 include
 include
+ capability dac_read_search,
+ capability sys_admin,
+
 @{exec_path} mr,
- /{usr/,}bin/kmod rPx,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/efibootmgr rix,
+ /{usr/,}bin/kmod rPx,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
 /{usr/,}bin/udevadm rPx,
+ /usr/share/grub/{,**} r,
+ /etc/default/grub.d/{,**} r,
+ /etc/default/grub r,
 /boot/efi/EFI/BOOT/{,**} rw,
+ /boot/EFI/*/grubx*.efi rw,
 /boot/grub/{,**} rw,
 @{sys}/firmware/efi/efivars/ r,
- @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
+ @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
 @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+ @{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
 @{sys}/firmware/efi/w_platform_size r,
 @{PROC}/devices r,
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index 6a0e6f98..636e739d 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -67,6 +67,7 @@ profile grub-mkconfig @{exec_path} {
 /etc/default/grub.d/{*,} r,
 /usr/share/grub/{**,} r,
+ /usr/share/terminfo/x/xterm-256color ,
 /.zfs/snapshot/*/etc/{machine-id,} r,
 /.zfs/snapshot/*/{usr/,}lib/os-release r,
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober
index b19271f3..556f52f8 100644
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@@ -11,8 +11,11 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability dac_read_search,
 capability sys_admin,
+ umount /var/lib/os-prober/mount/,
+
 @{exec_path} mrix,
 /{usr/,}{s,}bin/blkid rPx,
@@ -42,6 +45,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/os-probes/{,**} rix,
 /usr/share/os-prober/common.sh r,
+ /usr/share/terminfo/x/xterm-256color r,
 /var/lib/os-prober/{,**} rw,
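Review bot: `@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,` stays read-only while this hunk adds `/{usr/,}bin/efibootmgr rix,` (so efibootmgr runs under this profile) and write access to `Boot@{hex}-@{uuid}`; as far as I know grub-install uses efibootmgr to create its boot entry and move it to the front of BootOrder, so that write is still denied — silently logged now because of `flags=(complain)`, but a real failure once the profile is enforced. Change the line to `@{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw,`. Separately, `capability sys_admin,` is a broad grant with nothing recording which operation needs it; a one-line comment naming it (from the audit entry) would let a later reviewer tell whether it can be dropped. The `profile grub-install` body continues outside the hunk.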
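Review bot: `/usr/share/terminfo/x/xterm-256color ,` carries no permission mode as shown here; a file rule requires one, so apparmor_parser should reject the whole grub-mkconfig profile with a syntax error rather than load it. Write `/usr/share/terminfo/x/xterm-256color r,`, matching the os-prober rule added in this same commit. The rule also covers a single TERM value only; terminfo is public read-only data, so `/usr/share/terminfo/** r,` avoids a fresh denial for every other terminal the script is run from. The `profile grub-mkconfig` body continues outside the hunk.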
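Review bot: `/usr/share/terminfo/x/xterm-256color r,` permits exactly one terminal description, but os-prober inherits whatever TERM its caller (usually grub-mkconfig) has, so `xterm`, `screen*`, `linux` and every other value will each produce their own denial. Since terminfo is public read-only data, the usual rule is `/usr/share/terminfo/** r,`. Nothing in the visible hunks shows what in os-prober reads terminfo (presumably a curses-aware tool spawned by one of the shell helpers); a short comment above the rule naming it would keep the grant explainable. The `profile os-prober` body continues outside the hunk.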
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index cba431e4..ad8aa6ab 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -29,13 +29,14 @@ profile wireplumber @{exec_path} {
 /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
- owner @{HOME}/.local/state/ w,
- owner @{HOME}/.local/state/wireplumber/{,**} rw,
+ owner @{user_state_dirs}/ w,
+ owner @{user_state_dirs}/wireplumber/{,**} rw,
 @{run}/systemd/users/@{uid} r,
 @{run}/udev/data/+sound:card[0-9]* r, # For sound
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
+ @{run}/udev/data/c14:[0-9]* r,
 @{run}/udev/data/c23[0-9]:[0-9]* r,
 @{run}/udev/data/c50[0-9]:[0-9]* r,
 @{run}/udev/data/c81:[0-9]* r, # For video4linux
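Review bot: `@{run}/udev/data/c14:[0-9]* r,` is the only udev-data rule in this block without the explanatory comment its neighbours carry (`# For sound`, `# for ALSA`, `# For video4linux`), so a reader has to look up the major number to know what was granted. Character major 14 is the legacy Open Sound System range in the kernel's devices.txt, so `@{run}/udev/data/c14:[0-9]* r, # For OSS sound` keeps the list self-describing. The `profile wireplumber` body continues outside the hunk.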