diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete
index c6111f20..a1d6690a 100644
--- a/apparmor.d/abstractions/gtk.d/complete
+++ b/apparmor.d/abstractions/gtk.d/complete
@@ -9,6 +9,7 @@
   /etc/gtk-{3,4}.0/ r,
   /etc/gtk-{3,4}.0/*.conf r,
+  /etc/gtk-{3,4}.0/settings.ini r,
   owner @{user_config_dirs}/gtk-{3,4}.0/ rw,
   owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini r,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 177a69bd..3915d065 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -152,6 +152,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/ r,
   @{sys}/class/**/ r,
   @{sys}/devices/**/uevent r,
+  @{sys}/devices/pci[0-9]*/**/ r,
+  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,
+  @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
   @{sys}/devices/pci[0-9]*/**/irq r,
   @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
   deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer
index 95eb80b9..497c22fe 100644
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer
@@ -17,7 +17,7 @@ profile firefox-minidump-analyzer @{exec_path} {
   @{exec_path} mr,
-  owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r,
+  owner @{HOME}/.mozilla/firefox/*.*/extensions/*.xpi r,
   owner @{HOME}/.xsession-errors w,
   owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw,
diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper
index 5ee3c3b3..f9a2d8e2 100644
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
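Review bot: `@{sys}/devices/pci[0-9]*/**/ r,` already matches every directory below the PCI tree, so the two DRM rules added right after it (`drm/card[0-9]*/` and `drm/renderD[0-9]*/`) are subsumed by it and grant nothing on their own. Either keep only the two specific rules, which is the least-privilege option if listing the GPU nodes is what firefox actually needs, or keep only the broad one and document why a listing of the whole tree is required, e.g. `# list the PCI device tree (GPU enumeration) — TODO confirm from audit log`. The firefox profile body continues beyond this hunk.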
@@ -10,8 +10,19 @@ include
 profile dbus-daemon-launch-helper @{exec_path} {
   include
   include
+  include
+
+  capability setgid,
+  capability setuid,
+  capability sys_resource,
   @{exec_path} mr,
+  /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
+
+  /usr/share/dbus-1/{,**} r,
+
+  owner @{PROC}/@{pid}/oom_score_adj rw,
+
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index 43aa3c8a..c21a8314 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@@ -29,27 +29,33 @@ profile pipewire-media-session @{exec_path} {
   /etc/pipewire/*.conf r,
   /etc/pipewire/media-session.d/*.conf r,
+  /var/lib/gdm/.local/state/pipewire/media-session.d/* rw,
+
   owner @{HOME}/.local/state/ rw,
   owner @{HOME}/.local/state/pipewire/{,**} rw,
   owner @{user_config_dirs}/pipewire/ rw,
   owner @{user_config_dirs}/pipewire/** rw,
   owner @{user_config_dirs}/pulse/ rw,
+  owner @{run}/user/@{uid}/bus rw,
+  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
+
   @{run}/udev/data/+sound:card[0-9]* r, # For sound
   @{run}/udev/data/c116:[0-9]* r, # for ALSA
+  @{run}/systemd/users/@{uid} r,
+
   @{sys}/class/sound/ r,
   @{sys}/class/video4linux/ r,
-  @{sys}/devices/**/sound/**/uevent r,
+  @{sys}/devices/pci[0-9]*/**/modalias r,
+  @{sys}/devices/pci[0-9]*/**/sound/**/pcm_class r,
   @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node[0-9]*/meminfo r,
-  @{sys}/devices/pci[0-9]*/**/modalias r,
-
-  @{run}/systemd/users/@{uid} r,
   /dev/video[0-9]* rw,
+  /dev/snd/ r,
   include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 785c056f..c5787e2c 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
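Review bot: `capability setgid,` and `capability setuid,` let a helper that is normally installed setuid root switch to any uid/gid, and the hunk records no reason; a comment such as `# drop to the User= of the activated service` above them would let the next reviewer verify the grant instead of re-auditing it, and `capability sys_resource,` should likewise say what it is for (the `owner @{PROC}/@{pid}/oom_score_adj rw,` rule in the same hunk suggests lowering the OOM score, but I cannot confirm that from here). It is also worth stating that `cups-pk-helper-mechanism` is deliberately the only `rPx` target, since any other activatable service this helper is asked to start will be denied at exec under the new profile. The closing brace is inside the hunk, so the rule set shown is complete.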
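Review bot: `/var/lib/gdm/.local/state/pipewire/media-session.d/* rw,` is the only state rule in this hunk without `owner`, so the policy lets every user's pipewire-media-session write into the gdm account's state directory and leaves DAC as the only barrier; if the rule exists for the instance running as the gdm user, `owner /var/lib/gdm/.local/state/pipewire/media-session.d/* rw,` is sufficient and matches the `owner @{HOME}/.local/state/pipewire/{,**} rw,` line just below it. A comment naming the use case (`# media-session running in the gdm greeter session`) would also discourage widening it to `{,**}` later. The closing brace is inside the hunk, so this is the whole rule set.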
@@ -10,10 +10,12 @@ include
 @{exec_path} = /{usr/,}bin/pulseaudio
 profile pulseaudio @{exec_path} {
   include
-  include
   include
-  include
+  include
   include
+  include
+  include
+  include
   include
   ptrace (trace) peer=@{profile_name},
@@ -29,8 +31,9 @@ profile pulseaudio @{exec_path} {
   @{exec_path} mrix,
-  /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
   /{usr/,}lib{exec,}/pulse/gsettings-helper mrix,
+  /{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix,
+  /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
   # PulseAudio files
   /usr/share/pulseaudio/{,**} r,
@@ -40,6 +43,8 @@ profile pulseaudio @{exec_path} {
   owner @{user_config_dirs}/pulse/{,**} rw,
   owner @{user_config_dirs}/dconf/user r,
+  owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
+
   # Needed when PulseAudio is started via the start-pulseaudio-x11 script
   owner @{HOME}/.Xauthority r,
@@ -80,6 +85,7 @@ profile pulseaudio @{exec_path} {
   owner @{PROC}/@{pids}/fd/ r,
   owner @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pids}/cmdline r,
   # DBus
   dbus (send)
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 9d2f4245..5822b9c4 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -105,7 +105,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
-  owner @{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/user@[0-9]*.service/{,**} rw,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index 1b28c901..e0b5e858 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
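Review bot: `owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,` hard-codes the CPU architecture, so on any other arch, where GStreamer names the cache after the host CPU (for instance `registry.aarch64.bin`), the read is silently denied even though the rest of the profile uses `@{multiarch}` to stay portable; `owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,` keeps the rule limited to registry files without pinning the arch. The new `gst-plugin-scanner mrix` runs the scanner under pulseaudio's own profile rather than a dedicated one, which is acceptable for a scanner of system plugin directories but deserves a one-line comment so it is not mistaken for an oversight. The pulseaudio profile body extends well beyond these hunks.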
@@ -43,6 +43,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/net/*/statistics/collisions r,
   @{sys}/devices/pci[0-9]*/**/net/*/statistics/rx_{bytes,errors,packets} r,
   @{sys}/devices/pci[0-9]*/**/net/*/statistics/tx_{bytes,errors,packets} r,
+  @{sys}/devices/pci[0-9]*/**/virtio[0-9]*/**/stat r,
   @{sys}/devices/virtual/net/*/statistics/collisions r,
   @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
   @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index 09c811c2..4ca8818b 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@@ -12,6 +12,7 @@ profile gnome-tweaks @{exec_path} {
   include
   include
   include
+  include
   include
   @{exec_path} mr,
@@ -20,7 +21,7 @@ profile gnome-tweaks @{exec_path} {
   /{usr/,}bin/ps rPx,
   /{usr/,}bin/python3.[0-9]* rix,
-  /{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{*/,**/}__pycache__/*pyc* w,
+  /{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/gnome-tweaks/{,**} r,
@@ -28,7 +29,8 @@ profile gnome-tweaks @{exec_path} {
   /etc/xdg/autostart/{,**} r,
   owner @{user_cache_dirs}/thumbnails/{,**} r,
-  owner @{user_config_dirs}/autostart/{,*.desktop} r,
+  owner @{user_config_dirs}/autostart/ rw,
+  owner @{user_config_dirs}/autostart/*.desktop r,
   owner @{user_share_dirs}/backgrounds/{,**} r,
   owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
@@ -38,5 +40,7 @@ profile gnome-tweaks @{exec_path} {
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{PROC}/@{pid}/fd/ r,
+
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index 8c8affd8..0e0e011c 100644
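Review bot: `/{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,` now also covers the package's top-level `__pycache__`, and the rule has no `owner` qualifier, so the policy lets an unprivileged desktop tool write Python bytecode into a system package directory; Python loads a `.pyc` it finds there, so DAC is the only thing standing between that write and code persistence if gnome-tweaks is ever run with elevated rights. Unless root invocation is an intended use, the silencer idiom this diff uses elsewhere is the safer fit: `deny /{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,` keeps the audit log quiet without granting the write. The profile continues outside this hunk.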
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -22,6 +22,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
   /etc/machine-id r,
+  @{run}/cups/cups.sock rw,
+
   owner @{PROC}/@{pid}/fd/ r,
   owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 12019bf1..16a887a8 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -22,6 +22,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   /usr/share/nautilus/{,**} r,
   /usr/share/poppler/{,**} r,
   /usr/share/sounds/freedesktop/stereo/*.oga r,
+  /usr/share/thumbnailers/{,**} r,
   /usr/share/tracker3/{,**} r,
   owner @{user_share_dirs}/nautilus/{,**} rwk,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 78909b73..0f1352db 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -29,6 +29,9 @@ profile pacman @{exec_path} {
   capability sys_chroot,
   capability sys_resource,
+  # network unix stream,
+  # network unix dgram,
+
   network inet stream,
   network inet6 stream,
   network inet dgram,
@@ -66,6 +69,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/rm rix,
   /{usr/,}bin/sed rix,
   /{usr/,}bin/setcap rix,
+  /{usr/,}bin/touch rix,
   /{usr/,}bin/vercmp rix,
   /{usr/,}bin/xmlcatalog rix,
   /{usr/,}lib/ghc-*/bin/ghc-pkg rix,
diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod
index c3d9d5ad..bee1028f 100644
--- a/apparmor.d/groups/pacman/pacman-hook-depmod
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod
@@ -18,6 +18,10 @@ profile pacman-hook-depmod @{exec_path} {
   /{usr/,}bin/bash rix,
   /{usr/,}bin/depmod rPx,
   /{usr/,}bin/kmod rPx,
+  /{usr/,}bin/rm rix,
+  /{usr/,}bin/rmdir rix,
+
+  /usr/lib/modules/*/{,**} rw,
   /dev/tty rw,
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index d149d1ba..9f9f7459 100644
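Review bot: `/usr/lib/modules/*/{,**} rw,` hands the hook read and write access to every installed kernel's module tree, while `depmod` and `kmod` keep their own `rPx` transitions, so the only consumer of that access inside this profile is the `rm`/`rmdir` cleanup added alongside it. If the script only removes the directory of an uninstalled kernel, a tighter pair such as `/usr/lib/modules/*/{,**/} rw,` plus `/usr/lib/modules/*/** w,` lets it list and unlink without being able to read module contents, and either way a comment like `# remove the module tree of an uninstalled kernel` should record why a hook needs write access here. I cannot see the hook script from this diff, so the narrowing is a suggestion to verify against it.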
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/pacman-key
 profile pacman-key @{exec_path} {
   include
+  include
   capability dac_read_search,
   capability mknod,
@@ -32,6 +33,8 @@ profile pacman-key @{exec_path} {
   /usr/share/pacman/keyrings/{,*} r,
   /usr/share/terminfo/x/xterm-256color r,
+  /etc/pacman.d/gnupg/gpg.conf r,
+
   /dev/tty rw,
   # Inherit Silencer
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 0ef2b816..4dbb5786 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -76,7 +76,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/userdb/ r,
   @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
-  @{sys}/fs/cgroup/systemd/user.slice/user-[0-9]*.slice/session-c[0-9]*.scope/ rw,
+  @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-c[0-9]*.scope/ rw,
   owner @{PROC}/@{pid}/limits r,
   owner @{PROC}/@{pid}/loginuid rw,
diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
index 46b5eaa4..51e4b358 100644
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@@ -14,5 +14,7 @@ profile hostnamectl @{exec_path} {
   /etc/machine-id r,
+  @{PROC}/sys/kernel/random/boot_id r,
+
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index 6769f2eb..5fbe2c74 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -29,17 +30,13 @@ profile networkctl @{exec_path} flags=(complain) {
   /{usr/,}bin/less rPx -> child-pager,
   /{usr/,}bin/more rPx -> child-pager,
-  @{sys}/devices/**/net/**/uevent r,
+  /etc/udev/hwdb.bin r,
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
   @{run}/systemd/netif/links/[0-9]* r,
   @{run}/systemd/netif/state r,
-  owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/stat r,
-  @{PROC}/sys/kernel/random/boot_id r,
-
-  /etc/udev/hwdb.bin r,
-
   # To be able to read logs
   @{run}/log/ r,
   /{run,var}/log/journal/ r,
@@ -48,8 +45,11 @@ profile networkctl @{exec_path} flags=(complain) {
   /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
   /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
+  @{sys}/devices/**/net/**/uevent r,
-  include if exists
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/stat r,
+  @{PROC}/sys/kernel/random/boot_id r,
+
+  include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 6798cded..c095b7e1 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -35,7 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/coredump.conf r,
   /var/lib/systemd/coredump/ r,
-  owner /var/lib/systemd/coredump/#[0-9]* rw,
+  owner /var/lib/systemd/coredump/#[0-9]* rwl,
   owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
   owner @{PROC}/@{pid}/setgroups r,
diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator
index 9165b1b0..e007b6dc 100644
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
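Review bot: `owner /var/lib/systemd/coredump/#[0-9]* rwl,` adds link permission with no `->` target, whereas the `core.*.zst` rule directly below pins both ends of the hard link; a target-less `l` is governed only by the subset test, so it permits creating a link named `#NNN` to any file this profile already holds at least `rwl` on, rather than to the one path the coredump flow needs. Unless a specific denial shows links being created in this direction, prefer an explicit rule, `owner /var/lib/systemd/coredump/#[0-9]* rwl -> /var/lib/systemd/coredump/core.*,`, and record the triggering operation in a comment (for example `# linkat() of the O_TMPFILE core into place`, if that is what the log showed). The profile continues outside this hunk.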
@@ -20,6 +20,7 @@ profile systemd-environment-d-generator @{exec_path} {
   /{usr/,}bin/mawk rix,
   /etc/environment r,
+  /etc/environment.d/{,**} r,
   owner @{user_config_dirs}/environment.d/{,*.conf} r,
diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck
index ec06fdf8..e68e7c5b 100644
--- a/apparmor.d/groups/systemd/systemd-fsck
+++ b/apparmor.d/groups/systemd/systemd-fsck
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -13,17 +14,16 @@ profile systemd-fsck @{exec_path} {
   include
   include
+  capability net_admin,
   capability sys_resource,
-  # Needed?
-  deny capability net_admin,
-
   @{exec_path} mr,
   /{usr/,}{s,}bin/fsck rPx,
   /{usr/,}{s,}bin/e2fsck rPx,
   owner @{run}/systemd/quotacheck w,
+  owner @{run}/systemd/fsck.progress rw,
   include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd
index 548c9202..94653689 100644
--- a/apparmor.d/groups/systemd/systemd-fsckd
+++ b/apparmor.d/groups/systemd/systemd-fsckd
@@ -12,14 +12,12 @@ profile systemd-fsckd @{exec_path} {
   include
   include
+  capability net_admin,
   capability sys_tty_config,
-  # Needed?
-  deny capability net_admin,
-
   @{exec_path} mr,
-  owner @{run}/systemd/fsck.progress w,
+  @{run}/systemd/fsck.progress rw,
   include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 804e5e9e..3f72381f 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
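Review bot: `capability net_admin,` replaces an explicit `deny` that carried a `# Needed?` comment, yet nothing in the hunk says what answered the question, and CAP_NET_ADMIN is far beyond what a filesystem check should need (interface, routing and privileged socket-option control). If the trigger was the `fsck.progress` socket added in the same hunk, note that systemd's socket helpers try `SO_SNDBUFFORCE`, which requires CAP_NET_ADMIN, and fall back to plain `SO_SNDBUF` when it fails, so the denial is harmless noise and the old `deny capability net_admin,` silencer is the tighter answer; if it really is required, keep the grant but write it as `capability net_admin, # SO_SNDBUFFORCE on the fsck.progress socket — confirm from audit log`. The same swap is made for systemd-fsckd in the next hunk and should get the same treatment.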
@@ -45,10 +45,11 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/+bluetooth:* r,
   @{run}/udev/data/+hid:* r,
   @{run}/udev/data/+pci:* r,
-  @{run}/udev/data/+platform* r,
+  @{run}/udev/data/+platform* r,
   @{run}/udev/data/+scsi:* r,
   @{run}/udev/data/+usb-serial:* r,
   @{run}/udev/data/+usb:* r,
+  @{run}/udev/data/+virtio:* r,
   @{run}/udev/data/c10:224 r, # for /dev/tpm0
   @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
   @{run}/udev/data/c23[0-9]:[0-9]* r,
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 5aa0e8c9..8aaa47e1 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -19,9 +19,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/oomd.conf r,
-  owner @{run}/systemd/notify rw,
   owner @{run}/systemd/journal/socket w,
   @{run}/systemd/io.system.ManagedOOM rw,
+  @{run}/systemd/notify rw,
   @{sys}/fs/cgroup/cgroup.controllers r,
   @{sys}/fs/cgroup/memory.pressure r,
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index 870083ca..13a5dc58 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@@ -34,9 +34,11 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/resolved.conf.d/{,*} r,
   owner @{run}/systemd/journal/socket w,
-  owner @{run}/systemd/notify rw,
   @{run}/systemd/netif/links/* r,
+  @{run}/systemd/notify rw,
   @{run}/systemd/resolve/{,**} rw,
+  @{PROC}/sys/kernel/hostname r,
+
   include if exists
 }
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index 0346d461..1bf18858 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -18,11 +18,11 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/gpg rUx,
   owner @{HOME}/.password-store/{,**} r,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
   owner /tmp/mozilla-temp-[0-9]* r,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@@ -32,7 +32,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   # Inherit Silencer
   deny network inet6,
   deny network inet,
-  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/storage/default/{,**} rw,
+  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r,
+  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw,
   deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
   deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
   deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper
index f245b0f3..553d236d 100644
--- a/apparmor.d/profiles-a-f/downloadhelper
+++ b/apparmor.d/profiles-a-f/downloadhelper
@@ -26,11 +26,11 @@ profile downloadhelper @{exec_path} {
   /opt/net.downloadhelper.coapp/bin/ r,
   /opt/net.downloadhelper.coapp/converter/build/** rix,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
   owner /tmp/vdh-*.tmp rw,
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper
index 4a07c3dd..4f216a55 100644
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@@ -15,9 +15,11 @@ profile flatpak-session-helper @{exec_path} {
   @{exec_path} mr,
+  /{usr/,}bin/dbus-monitor rPUx,
   /{usr/,}bin/p11-kit rix,
-  /{usr/,}lib/p11-kit/p11-kit-server rix,
+  /{usr/,}bin/pkexec rPx,
   /{usr/,}lib/p11-kit/p11-kit-remote rix,
+  /{usr/,}lib/p11-kit/p11-kit-server rix,
   owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
   owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-[0-9]* rw,
diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck
index aaf73fd1..fc56b1c7 100644
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
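Review bot: `/{usr/,}bin/dbus-monitor rPUx,` runs dbus-monitor unconfined whenever no `dbus-monitor` profile is loaded, and a bus sniffer launched by a helper that, as far as I can tell, serves requests from sandboxed Flatpak apps is not something that should silently escape confinement; `rPx` if a profile exists, or `rix` to keep it under this profile's rules, avoids the fallback. `/{usr/,}bin/pkexec rPx,` is a transition into a setuid-root privilege broker, so a comment naming the helper operation that needs it (`# pkexec for … — confirm`) would make the grant auditable. The profile continues outside this hunk.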
@@ -32,8 +32,8 @@ profile fsck @{exec_path} {
   owner @{run}/fsck/*.lock rwk,
   owner @{run}/blkid/blkid.tab{,-*} rw,
   owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
-  owner @{run}/systemd/fsck.progress w,
   @{run}/mount/utab r,
+  @{run}/systemd/fsck.progress w,
   @{PROC}/@{pids}/mountinfo r,
   @{PROC}/partitions r,
diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader
index 54d512f4..06eb5fee 100644
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@@ -75,7 +75,7 @@ profile jdownloader @{exec_path} {
   # What's this for?
   deny owner @{HOME}/.mozilla/firefox/ r,
-  deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r,
+  deny owner @{HOME}/.mozilla/firefox/*.*/prefs.js r,
   owner @{PROC}/@{pid}/fd/ r,
   deny @{PROC}/@{pid}/net/ipv6_route r,
diff --git a/apparmor.d/profiles-g-l/jdownloader-install b/apparmor.d/profiles-g-l/jdownloader-install
index e5223d19..79b1478d 100644
--- a/apparmor.d/profiles-g-l/jdownloader-install
+++ b/apparmor.d/profiles-g-l/jdownloader-install
@@ -85,7 +85,7 @@ profile jdownloader-install @{exec_path} {
   # What's this for?
   deny owner @{HOME}/.mozilla/firefox/ r,
-  deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r,
+  deny owner @{HOME}/.mozilla/firefox/*.*/prefs.js r,
   # Needed when installing JD
   / r,
diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/profiles-g-l/locale-gen
index b0f8c532..bcd0cade 100644
--- a/apparmor.d/profiles-g-l/locale-gen
+++ b/apparmor.d/profiles-g-l/locale-gen
@@ -9,6 +9,9 @@ include
 @{exec_path} = /{usr/,}bin/locale-gen
 profile locale-gen @{exec_path} {
   include
+  include
+
+  capability dac_read_search,
   @{exec_path} mr,
@@ -21,7 +24,13 @@ profile locale-gen @{exec_path} {
   /{usr/,}lib/locale/locale-archive rwl,
   /{usr/,}lib/locale/locale-archive* rw,
+  /usr/share/i18n/{,**} r,
+  /etc/locale.gen r,
+  # Inherit Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists
 }
\ No newline at end of file
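Review bot: `capability dac_read_search,` is added without a comment saying which read it unblocks, and everything else in these hunks (`/usr/share/i18n`, `/etc/locale.gen`, the locale archive) is normally world-readable, so it is not clear the capability is needed at all. If a specific denial prompted it, tie the grant to that path inline, `capability dac_read_search, # <path> — confirm`; if it only showed up as noise, a `deny capability dac_read_search,` line belongs in the new `# Inherit Silencer` block next to the network denials rather than a grant. The lines between the two hunks are not shown, so the middle of the profile is outside this review.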
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index f98a9672..b754183e 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -46,8 +46,8 @@ profile pkexec @{exec_path} flags=(complain) {
   /{usr/,}{s,}bin/* rPUx,
   /{usr/,}bin/* rPUx,
   /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#)
-  /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+  /{usr/,}lib/update-notifier/package-system-locked rPx,
   # file_inherit
   owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index 29edb766..c2cebc60 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{libexec}/power-profiles-daemon
-profile power-profiles-daemon @{exec_path} {
+profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
   include
   include
@@ -23,6 +23,7 @@ profile power-profiles-daemon @{exec_path} {
   @{sys}/bus/ r,
   @{sys}/class/ r,
   @{sys}/class/power_supply/ r,
+  @{sys}/devices/**/power_supply/*/scope r,
   @{sys}/devices/**/power_supply/*/uevent r,
   @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
   @{sys}/devices/system/cpu/*_pstate/status r,
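Review bot: `/{usr/,}lib/update-notifier/package-system-locked rPx,` has no unconfined fallback, unlike the `rPUx` entries above it, so it requires a `package-system-locked` profile to be loaded; this chunk of the diff does not add one, and because the profile is `flags=(complain)` the missing-profile exec failure should only surface once pkexec is switched to enforce. Either ship the target profile with this change or note in a comment where it lives, e.g. `# profile: profiles-m-r/package-system-locked`. The pkexec profile continues outside this hunk.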