diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 3735ab72..6212485c 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -12,18 +12,11 @@ profile dpkg @{exec_path} { include include - # To set proper ownership/permissions of installed files. capability chown, + capability dac_override, + capability dac_read_search, capability fowner, capability fsetid, - - # These are needed because dpkg wants to read/write files from/to directories owned by different - # users than root, for instance files in the /usr/share/polkit-1/ dir , which is owned by the - # "polkitd" user with the "drwx------" permissions. - capability dac_read_search, - capability dac_override, - - # Needed? (##FIXME##) capability setgid, @{exec_path} mr, @@ -35,6 +28,7 @@ profile dpkg @{exec_path} { @{bin}/dpkg-deb rpx, @{bin}/dpkg-query rpx, @{bin}/dpkg-split rPx, + @{bin}/deb-systemd-helper rix, @{lib}/needrestart/dpkg-status rPx, /usr/share/debian-security-support/check-support-status.hook rPx, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 56ba181b..ae2a0431 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -26,6 +26,8 @@ profile firefox-glxtest @{exec_path} { owner /tmp/firefox/.parentlock rw, + owner /tmp/xauth_?????? r, + owner @{run}/user/@{uid}/xauth_?????? r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 12045871..db02e74c 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -90,6 +90,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xsession-errors w, owner /tmp/runtime-*/xauth_?????? r, + owner /tmp/xauth_?????? r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/xauth_?????? r, 
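Review bot: The rationale comments on the capability block are dropped together with the `# Needed? (##FIXME##)` marker on `capability setgid,`, so dpkg now gets dac_override, dac_read_search and setgid with no record of why, and these are exactly the grants a reviewer wants justified. Keep a one-line why-comment on the dac pair, e.g. `# dpkg reads/writes under directories owned by non-root users (e.g. /usr/share/polkit-1/, mode 0700)`, and either resolve the setgid question or keep the FIXME so the capability is not silently accepted as required. The profile body continues beyond the hunk.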
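Review bot: `@{bin}/deb-systemd-helper rix,` runs the helper inside dpkg's own profile, so it inherits dpkg's full capability set (chown, dac_override, dac_read_search, fowner, fsetid, setgid), while the neighbouring helpers `dpkg-deb`, `dpkg-query` and `dpkg-split` transition to profiles of their own. If the helper only needs its state under /var/lib/systemd and a systemctl call, a dedicated or child profile reached with `rPx` would preserve the privilege boundary the rest of this list maintains; a comment naming the trigger would help either way. I cannot tell from the hunk whether a deb-systemd-helper profile already exists elsewhere in the tree.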
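Review bot: `owner /tmp/xauth_?????? r,` (with its `@{run}/user/@{uid}/xauth_?????? r,` companion) is added here and, with small variations, in at-spi2-registryd, xdg-desktop-portal-gtk, xdg-desktop-portal-kde, xprop, kaccess, kwalletd5, xembedsniproxy, xsettingsd and xauth; a cookie read that every X client needs is better expressed once in the project's X abstraction than copied per profile. The `owner` qualifier is what keeps a cookie living in world-writable /tmp restricted to the caller's uid, so any shared rule should keep it. If the X abstraction already carries these paths the per-profile copies are redundant and only the include is needed — the abstraction is not visible from this diff.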
diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 1bfe02a6..e741b872 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -14,6 +14,8 @@ profile fc-cache @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, /var/cache/fontconfig/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list index 8bfbacc0..fec1ca13 100644 --- a/apparmor.d/groups/freedesktop/fc-list +++ b/apparmor.d/groups/freedesktop/fc-list @@ -13,6 +13,8 @@ profile fc-list @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 7b92f184..f838d687 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -72,6 +72,8 @@ profile pipewire-media-session @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/video[0-9]* rw, /dev/snd/ r, diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 59b6ed66..ddb4f3b5 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -47,6 +47,7 @@ profile polkit-agent-helper @{exec_path} { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/loginuid r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 13b3bdbe..6dcbcffd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
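Review bot: `capability dac_read_search,` is added to fc-cache (and to fc-list in the next file) without a comment, and it is the capability that lets a root process read any file regardless of mode bits, bounded only by this profile's path rules. A short why-comment naming the denial keeps it reviewable, e.g. `# font dirs under other users' homes are not readable by root without it` — only if that is indeed the trigger; otherwise state the actual one. If the need is rare, `audit capability dac_read_search,` would log each use, as this same change does for net_admin in systemd-tty-ask-password-agent.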
@@ -165,6 +165,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/@{XDG_DATA_HOME}/ r, owner /tmp/runtime-*/xauth_?????? r, + owner /tmp/xauth_?????? r, @{run}/mount/utab r, @{run}/user/@{uid}/xauth_* rl, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 30cafbd2..14e9f4ea 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -45,6 +45,8 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc r, + owner /tmp/xauth_?????? r, + @{run}/user/@{uid}/xauth_* rl, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index 23c1dadb..b4358c90 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop @@ -20,6 +20,8 @@ profile xprop @{exec_path} { owner @{HOME}/.icons/default/index.theme r, owner /tmp/runtime-*/xauth_?????? r, + owner /tmp/xauth_?????? r, + owner @{run}/user/@{uid}/xauth_* rl, # file_inherit diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index dc330e5b..8757c68e 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -11,6 +11,7 @@ include profile scdaemon @{exec_path} { include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 62ec459c..3f0106b3 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -38,6 +38,8 @@ profile kaccess @{exec_path} { owner @{user_share_dirs}/mime/generic-icons r, + owner /tmp/xauth_?????? r, + owner @{run}/user/@{uid}/xauth_?????? r, @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, 
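Review bot: The new `@{run}/user/@{uid}/xauth_* rl,` drops the `owner` qualifier that the line above it (`owner /tmp/xauth_?????? r,`) and the equivalent rule added to xprop and xsettingsd carry, and xembedsniproxy's new rule has the same omission. A consumer of the cookie only needs `r`; the `l` permission is what xauth itself uses when it locks a file, so `owner @{run}/user/@{uid}/xauth_* r,` is the tighter form unless a denial shows linking. `@{run}/user/@{uid}/` is per-user anyway so the exposure is small, but the four profiles should agree.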
diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index 783bd5ac..a25d47dd 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/kauth/{,libexec/}kinfocenter-dmidecode-helper profile kauth-kinfocenter-dmidecode-helper @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 532f4073..377d58a2 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -16,6 +16,7 @@ profile kconf_update @{exec_path} { @{bin}/{,ba,da}sh rix, @{bin}/grep rix, + @{bin}/python3.[0-9]* rix, @{bin}/qtpaths rix, @{bin}/sed rix, 
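Review bot: `@{bin}/python3.[0-9]* rix,` means every Python update script kconf_update runs executes under this profile's permissions, and the scripts themselves need only `r` because the interpreter is inherited; that is the intended design but it is not obvious to a reader. A comment above the line such as `# update scripts under /usr/share/kconf_update/ run inherited, so the interpreter needs ix` would make the trust boundary explicit. The rule list continues past the hunk.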
@@ -30,16 +31,38 @@ profile kconf_update @{exec_path} { /usr/share/kconf_update/{,**} r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + /etc/machine-id r, /etc/xdg/kdeglobals r, owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/akregatorrc r, + owner @{user_config_dirs}/kateschemarc r, + owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kconf_updaterc r, + owner @{user_config_dirs}/kconf_updaterc.lock rk, owner @{user_config_dirs}/kconf_updaterc* rwl, owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals.lock rk, owner @{user_config_dirs}/kdeglobals* rwl, + owner @{user_config_dirs}/khotkeysrc r, + owner @{user_config_dirs}/kmixrc r, + owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/ksmserverrc r, + owner @{user_config_dirs}/kwinrc.?????? rwl -> @{user_config_dirs}/#[0-9]*, + owner @{user_config_dirs}/kwinrc.lock rwk, + owner @{user_config_dirs}/kwinrulesrc rw, + owner @{user_config_dirs}/kwinrulesrc.?????? rwl -> @{user_config_dirs}/#[0-9]*, + owner @{user_config_dirs}/kwinrulesrc.lock rwk, + owner @{user_config_dirs}/kxkbrc rw, + owner @{user_config_dirs}/kxkbrc.?????? rwl -> @{user_config_dirs}/#[0-9]*, + owner @{user_config_dirs}/kxkbrc.lock rwk, + owner @{user_config_dirs}/plasmashellrc r, owner /tmp/#[0-9]* rw, - owner /tmp/kconf_update.?????? rw, + owner /tmp/kconf_update.* rwl, + + @{PROC}/@{sys}/kernel/random/boot_id r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index d5e73bbd..1f572576 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/org_kde_powerdevil -profile kde-powerdevil @{exec_path} flags=(attach_disconnected) { +profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include include 
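Review bot: `@{PROC}/@{sys}/kernel/random/boot_id r,` looks like a typo: every other profile in this change spells it `@{PROC}/sys/kernel/random/boot_id r,` (kde-powerdevil, plasma-discover), and with `@{sys}` being the tunable for the /sys tree the expansion is not the /proc path the rule is meant for. Change it to `@{PROC}/sys/kernel/random/boot_id r,`. Separately, `owner @{user_config_dirs}/kconf_updaterc.lock rk,` and `kdeglobals.lock rk,` sit next to the broader `kconf_updaterc* rwl,` / `kdeglobals* rwl,` globs that already match the lock files, so `k` is the only thing those lines add; folding the `k` into the glob rule, or a comment saying so, avoids the appearance of a read-only lock file. Widening `owner /tmp/kconf_update.??????` to `owner /tmp/kconf_update.* rwl,` is acceptable under `owner`, but note the observed name if a non-six-character suffix was the reason.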
@@ -32,16 +32,20 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#[0-9]*, owner @{user_config_dirs}/powerdevilrc rwl, + owner @{user_config_dirs}/powerdevilrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc r, + owner @{user_config_dirs}/powermanagementprofilesrc rwl -> @{user_config_dirs}/#[0-9]*, owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, @{run}/systemd/inhibit/*.ref rw, owner @{run}/user/@{uid}kcrash_[0-9]* rw, - @{PROC}/sys/kernel/core_pattern r, @{PROC}/@{pid}/mounts r, - + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index d2773365..83f5b98f 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -20,6 +20,7 @@ profile kded5 @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5 index db924953..c8e7afb8 100644 --- a/apparmor.d/groups/kde/kioslave5 +++ b/apparmor.d/groups/kde/kioslave5 @@ -47,6 +47,7 @@ profile kioslave5 @{exec_path} { /etc/xdg/menus/{,**} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_cache_dirs}/ksycoca5_* r, diff --git a/apparmor.d/groups/kde/kwalletd5 b/apparmor.d/groups/kde/kwalletd5 index e74af2a8..359db5a1 100644 --- a/apparmor.d/groups/kde/kwalletd5 +++ b/apparmor.d/groups/kde/kwalletd5 @@ -61,6 +61,7 @@ profile kwalletd5 @{exec_path} { owner /tmp/kwalletd5.* rw, owner /tmp/runtime-*/xauth_?????? r, + owner /tmp/xauth_?????? r, @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/cmdline r, 
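Review bot: The new `owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#[0-9]*,` is immediately followed by the retained `owner @{user_config_dirs}/powerdevilrc rwl,`, and the unrestricted link rule is the broader one, so the link-target restriction the new line introduces has no effect; likewise `powermanagementprofilesrc r,` kept above its new `rwl ->` rule is simply subsumed. Remove the two older lines so each file has one rule, keeping only the two `rwl -> @{user_config_dirs}/#[0-9]*` forms. The profile continues past the hunk.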
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 143a833f..515ede00 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -27,6 +27,8 @@ profile plasma-discover @{exec_path} { network inet6 stream, network netlink raw, + signal (send) set=(term) peer=kioslave5, + @{exec_path} mr, @{bin}/{,ba,da}sh rix, @@ -37,10 +39,13 @@ profile plasma-discover @{exec_path} { /usr/share/kservices5/{,*} r, /usr/share/knsrcfiles/{,*} r, + /usr/share/qt/translations/*.qm r, /etc/appstream.conf r, - /etc/machine-id r, /etc/flatpak/remotes.d/{,**} r, + /etc/machine-id r, + /etc/xdg/ r, + /etc/xdg/accept-languages.codes r, /var/tmp/flatpak-cache-*/ rw, /var/tmp/flatpak-cache-*/** rwkl, @@ -54,6 +59,8 @@ profile plasma-discover @{exec_path} { owner @{user_cache_dirs}/discover/{,**} rwl, owner @{user_cache_dirs}/appstream/*.xb r, owner @{user_cache_dirs}/appstream/ r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/kio_http/ w, owner @{user_config_dirs}/ r, owner @{user_config_dirs}/#[0-9]* rwl, @@ -61,6 +68,7 @@ profile plasma-discover @{exec_path} { owner @{user_config_dirs}/discoverrc.lock rwk, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, 
@@ -68,10 +76,14 @@ profile plasma-discover @{exec_path} { owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, - owner @{user_share_dirs}/knewstuff3/ r, - owner @{user_share_dirs}/flatpak/repo/{,**} rw, + owner @{user_share_dirs}/knewstuff3/ r, + owner @{user_share_dirs}/knewstuff3/ w, + owner @{run}/user/@{uid}/#[0-9]* rw, + owner @{run}/user/@{uid}/discover??????.* rwl -> @{run}/user/@{uid}/#[0-9]*, + + @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index de46ca6c..3a392061 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -110,8 +110,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/eventviewsrc r, owner @{user_config_dirs}/kactivitymanagerd-statsrc r, - owner @{user_config_dirs}/kde.org/{,**} rwlk, - owner @{user_config_dirs}/KDE/{,**} r, + owner @{user_config_dirs}/{KDE,kde.org}/ rw, + owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#[0-9]*, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 1558a32f..f366aed1 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -65,7 +65,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/gnome-keyring-daemon rPx, @{bin}/kwalletd5 rPx, - @{bin}/startplasma-wayland rPUx, + @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/systemctl rPx -> child-systemctl, @{bin}/xrdb rPx, 
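Review bot: `owner @{user_share_dirs}/knewstuff3/ r,` and `owner @{user_share_dirs}/knewstuff3/ w,` are two rules on the same path that the parser merges; write them as one `owner @{user_share_dirs}/knewstuff3/ rw,` so the intent is visible. The hunk also drops `owner @{user_share_dirs}/flatpak/repo/{,**} rw,` with no replacement in view; if Discover's flatpak backend still touches that repo directly the removal will surface as denials, so a note in the commit or a comment would help — I cannot tell from the diff whether it moved elsewhere. The `@{run}/user/@{uid}/discover??????.* rwl -> @{run}/user/@{uid}/#[0-9]*` rule follows the project's temp-file pattern correctly.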
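Review bot: `owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> ...` replaces `owner @{user_config_dirs}/KDE/{,**} r,`, so the KDE/ directory goes from read-only to read/write/lock/link as a side effect of merging it with kde.org/; if only kde.org/ needed writing, keep `owner @{user_config_dirs}/KDE/{,**} r,` as its own line. The alternation on both sides of `->` also permits linking a file from one directory into the other's `#[0-9]*` backing files, which the two-line form avoids. I assume write access to KDE/ was not the observed need — please confirm from the denial that prompted this.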
@@ -125,12 +125,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /tmp/*/{,s} rw, owner /tmp/#[0-9]* rw, owner /tmp/sddm-auth* rw, - owner /tmp/xauth_?????? rw, + owner /tmp/xauth_?????? rwl -> /tmp/#[0-9]*, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/sddm.pid rw, @{run}/sddm/\{@{uuid}\} rw, - @{run}/sddm/xauth_?????? rwl, + @{run}/sddm/xauth_?????? rwl -> @{run}/sddm/#[0-9]*, @{run}/systemd/sessions/*.ref rw, @{run}/user/@{uid}/xauth_?????? rwl, owner @{run}/sddm/ rw, diff --git a/apparmor.d/groups/kde/startplasma-x11 b/apparmor.d/groups/kde/startplasma similarity index 92% rename from apparmor.d/groups/kde/startplasma-x11 rename to apparmor.d/groups/kde/startplasma index 18b5fc3d..b8d51c5d 100644 --- a/apparmor.d/groups/kde/startplasma-x11 +++ b/apparmor.d/groups/kde/startplasma @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{bin}/startplasma-x11 -profile startplasma-x11 @{exec_path} { +@{exec_path} = @{bin}/startplasma-{wayland,x11} +profile startplasma @{exec_path} { include include include @@ -61,6 +61,7 @@ profile startplasma-x11 @{exec_path} { owner @{user_share_dirs}/kservices5/{,**} r, owner @{user_share_dirs}/sddm/xorg-session.log rw, + owner @{user_share_dirs}/sddm/wayland-session.log rw, owner /tmp/#[0-9][0-9] rw, owner /tmp/startplasma-x11.?????? rwl, @@ -72,5 +73,5 @@ profile startplasma-x11 @{exec_path} { /dev/tty r, - include if exists + include if exists } diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 94fe0814..ac67c5fd 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -18,6 +18,8 @@ profile xembedsniproxy @{exec_path} { /usr/share/hwdata/*.ids r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + owner /tmp/xauth_?????? r, + @{run}/user/@{uid}/xauth_* rl, include if exists diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index c02941c7..2e7488a2 100644 --- a/apparmor.d/groups/kde/xsettingsd 
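Review bot: `owner /tmp/xauth_?????? rwl -> /tmp/#[0-9]*,` and `@{run}/sddm/xauth_?????? rwl -> @{run}/sddm/#[0-9]*,` now pin their link targets, but the adjacent `@{run}/user/@{uid}/xauth_?????? rwl,` keeps an unrestricted `l`, and the three cookie files are presumably written the same way. For consistency change it to `@{run}/user/@{uid}/xauth_?????? rwl -> @{run}/user/@{uid}/#[0-9]*,`. The profile continues outside the hunk.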
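Review bot: With `@{exec_path}` now covering `startplasma-{wayland,x11}` (previous hunk), `owner /tmp/startplasma-x11.?????? rwl,` stays x11-only while the new `owner @{user_share_dirs}/sddm/wayland-session.log rw,` was added for the Wayland launcher; if the Wayland variant creates a temp file under the same naming scheme it will be denied. Presumably `owner /tmp/startplasma-{wayland,x11}.?????? rwl,` is the intended rule — confirm against a Wayland session. The profile body continues outside the hunk.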
+++ b/apparmor.d/groups/kde/xsettingsd @@ -16,6 +16,8 @@ profile xsettingsd @{exec_path} { owner @{user_config_dirs}/xsettingsd/{,**} rw, + owner /tmp/xauth_?????? r, + owner @{run}/user/@{uid}/xauth_* rl, include if exists diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 68cfd103..26bc8488 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -11,7 +11,7 @@ profile tailscale @{exec_path} { include include - ptrace (read), + capability sys_ptrace, network inet dgram, network inet6 dgram, @@ -19,15 +19,20 @@ profile tailscale @{exec_path} { network inet6 stream, network netlink raw, + ptrace (read), + @{exec_path} mr, @{bin}/ip rPx, + owner @{run}/tailscale/tailscaled.sock rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/sys/net/core/somaxconn r, + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pids}/environ r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index eaf06cb9..60bc001e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/tailscaled profile tailscaled @{exec_path} flags=(attach_disconnected) { include + include include include @@ -17,6 +18,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { capability net_admin, capability net_raw, capability sys_ptrace, + capability syslog, network inet dgram, network inet6 dgram, 
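Review bot: `owner @{PROC}/@{pids}/environ r,` combined with the new `capability sys_ptrace,` (first hunk of this file) lets the CLI read the environment of every same-uid process, including non-dumpable ones, and environments commonly carry tokens and credentials; neither line says what the CLI looks for there. Add the trigger above the capability, e.g. `# sys_ptrace: read /proc/@{pids}/{stat,environ} of processes the caller could not otherwise inspect` only if that is the real need, and consider whether the existing `@{PROC}/@{pids}/stat r,` already provides it. If `environ` is only required for the CLI's own process, `owner @{PROC}/@{pid}/environ r,` is the tighter rule.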
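Review bot: `capability syslog,` is added to tailscaled without a comment; CAP_SYSLOG grants reading the kernel log ring and kernel addresses, which is unusual for a VPN daemon, so the rule should say which access produced the denial. If the trigger is a diagnostic read of the kernel log, `audit capability syslog,` would make each use visible while the need is confirmed, matching how net_admin is handled in systemd-tty-ask-password-agent in this same change. The profile continues past the hunk.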
@@ -28,6 +30,21 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.resolve1, label=systemd-resolved), + + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.resolve1, label=systemd-resolved), + + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.resolve1.Manager + member={FlushCaches,SetLink*} + peer=(name=org.freedesktop.resolve1, label=systemd-resolved), + @{exec_path} mr, @{bin}/ip rix, @@ -42,10 +59,14 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf.*.tmp rw, - owner @{run}/tailscale/{,**} rw, owner /var/cache/{,**} rw, owner /var/lib/tailscale/{,**} rw, + owner @{user_share_dirs}/tailscale/{,**} rw, + + owner @{run}/systemd/notify w, + owner @{run}/tailscale/{,**} rw, + @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @@ -81,6 +102,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { /dev/net/tun rw, + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 7a5342b4..a6f7a35c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -109,8 +109,8 @@ profile pacman @{exec_path} { @{lib}/ghc-*/bin/ghc-pkg rix, @{lib}/systemd/systemd-* rPx, @{lib}/vlc/vlc-cache-gen rPx, - /opt/Mullvad*/resources/mullvad-setup rPx, - /usr/share/code-features/patch.sh rPx, + /usr/share/code-features/patch.py rPx, + /usr/share/code-marketplace/patch.py rPx, /usr/share/libalpm/scripts/* rPUx, /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, 
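Review bot: `owner @{user_share_dirs}/tailscale/{,**} rw,` grants the daemon read/write under `~/.local/share/tailscale/` of any home directory; when tailscaled runs as root, `owner` limits this to root-owned paths there, so the rule mainly matters for a tailscaled started as a regular user. Presumably that unprivileged (userspace) mode is the target; a comment such as `# state dir when tailscaled runs as a regular user` would make the scope clear, and if only the system service is intended the line should go. The rest of the hunk (`owner @{run}/systemd/notify w,`, the moved `@{run}/tailscale` rule) is fine.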
diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index e9872617..360f24d3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -6,23 +6,21 @@ abi , include -@{exec_path} = /usr/share/code-features/patch.sh +@{exec_path} = /usr/share/code-{features,marketplace}/patch.py profile pacman-hook-code @{exec_path} { include + include capability dac_read_search, @{exec_path} mr, - @{bin}/{,ba}sh rix, - @{bin}/env rix, - @{bin}/grep rix, - @{bin}/sed rix, + @{bin}/python3.[0-9]* rix, @{lib}/code/product.json rw, - @{lib}/code/sed?????? rw, - /dev/tty rw, + /usr/share/code-{features,marketplace}/* r, + /usr/share/code-{features,marketplace}/cache.json rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 380cc8e6..410de90d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -14,7 +14,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability mknod, - # unix (receive) type=stream, + unix (receive) type=stream, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 7d7953f8..7cd0f96c 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -16,6 +16,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/* r, + # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 4c09badd..ddd78fdb 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed 
@@ -68,6 +68,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/uevent_seqnum r, @{sys}/devices/**/read_ahead_kb r, + @{sys}/fs/cgroup/system.slice/systemd-homed.service/memory.pressure rw, + @{PROC}/devices r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 3a2dfd07..56fc2be7 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -11,9 +11,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + @{exec_path} mr, - @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* w, + @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* wl -> @{lib}/udev/#[0-9]*, @{lib}/udev/hwdb.bin w, /etc/udev/.#hwdb.bind* rw, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 9753d518..cd6afae5 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -30,7 +30,7 @@ profile systemd-journald @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex}/{,*} rw, + /{run,var}/log/journal/@{hex}/{,*} rwl -> /{run,var}/log/journal/@{hex}/**, owner @{run}/systemd/journal/{,**} rw, owner @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 6b0b880a..f92150db 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -33,7 +33,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, - /usr/share/X11/xkb/rules/evdev r, + /usr/share/X11/xkb/{,**} r, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 2fddac34..d303709d 100644 
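Review bot: `@{sys}/fs/cgroup/system.slice/systemd-homed.service/memory.pressure rw,` is repeated for systemd-logind, systemd-machined, systemd-timesyncd and systemd-resolved in this change, but only the resolved copy carries `owner`; the file is root-owned for a system service so either form works, but the five should match. All five share the `@{sys}/fs/cgroup/system.slice/<unit>/memory.pressure` shape, so a shared abstraction or a per-profile variable would keep them in step the next time the path changes. Writing memory.pressure is how a PSI trigger is registered, so `w` is the expected permission.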
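Review bot: `capability dac_override,` lands in systemd-hwdb with no comment, and the write paths in view (`@{lib}/udev/.#hwdb.bin*`, `@{lib}/udev/hwdb.bin`, `/etc/udev/.#hwdb.bind*`) are normally root-writable, so it is not obvious which denial the capability answers. Record it, e.g. `# dac_override: <path and mode that triggered it>` with the real trigger filled in, or use `audit capability dac_override,` until it is confirmed. The `wl -> @{lib}/udev/#[0-9]*` link rule follows the project's atomic-write pattern and is fine.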
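Review bot: `/{run,var}/log/journal/@{hex}/{,*} rwl -> /{run,var}/log/journal/@{hex}/**,` uses `**` on the link target while the source side is one level deep (`{,*}`), and the alternation on both sides also permits linking a /run journal file to a /var target or vice versa. If the observed link is the usual rename-in-place of a journal file within its own directory, `rwl -> /{run,var}/log/journal/@{hex}/*,` covers it; I cannot confirm from the diff that the deeper or cross-tree case is needed.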
--- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -128,6 +128,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/fs/cgroup/memory.max r, @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, + @{sys}/fs/cgroup/system.slice/systemd-logind.service/memory.pressure rw, @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 7b62e994..4572a2d3 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -71,5 +71,7 @@ profile systemd-machined @{exec_path} { @{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/notify w, + @{sys}/fs/cgroup/system.slice/systemd-machined.service/memory.pressure rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 2e8672da..b5436e56 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -35,7 +35,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { peer=(name=org.freedesktop.DBus), dbus receive bus=system path=/org/freedesktop/resolve[0-9] - interface=org.freedesktop.resolve[0-9].Manager, + interface=org.freedesktop.{resolve[0-9].Manager,DBus.Peer,DBus.Properties}, dbus receive bus=system path=/org/freedesktop/login[0-9]* interface=org.freedesktop.login[0-9]*.Manager @@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{run}/systemd/resolve/{,**} rw, owner @{run}/systemd/journal/socket w, + owner @{sys}/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure rw, + @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, 
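Review bot: `interface=org.freedesktop.{resolve[0-9].Manager,DBus.Peer,DBus.Properties},` admits the whole Properties interface to the receive rule with no `member=` restriction, so `Set` from any bus peer is accepted as well as `Get`/`GetAll`. The only sender in this change (tailscaled) uses `member=Get`, so a separate Properties line with `member={Get,GetAll}` would match what is known to be needed. Whether resolved exposes writable properties that something legitimately sets is not visible here, but a receive rule is the place to stay narrow.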
diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 4ad1b165..8aa2e0a5 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -12,6 +12,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { include include + capability mknod, capability net_admin, capability sys_admin, capability sys_ptrace, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index eb4d7264..cb1adebe 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -37,6 +37,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, + @{sys}/fs/cgroup/system.slice/systemd-timesyncd.service/memory.pressure rw, + owner @{run}/systemd/journal/socket w, owner @{run}/systemd/timesync/synchronized rw, @{run}/resolvconf/*.conf r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index b7a6eafa..94440c8e 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -12,7 +12,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { include include -# capability net_admin, + audit capability net_admin, signal (receive) set=(term cont) peer=logrotate, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index d2ff098f..a4d04389 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -25,6 +25,7 @@ profile btrfs @{exec_path} { / r, /boot/ r, + /.snapshots/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, 
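Review bot: `capability mknod,` is a surprising grant for systemd-sysctl, whose job is writing under /proc/sys, and nothing in the hunk context creates device nodes; the line needs a comment naming the denial that produced it. Until that is known, `audit capability mknod,` would log each use without blocking, the approach this change takes for net_admin in systemd-tty-ask-password-agent. The profile continues outside the hunk.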
@@ -41,6 +42,8 @@ profile btrfs @{exec_path} { @{run}/blkid/blkid.tab{,-*} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + @{sys}/fs/btrfs/@{uuid}/devinfo/[0-9]*/fsid r, + @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index cb5542cb..5bf5c861 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -83,6 +83,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + owner /dev/tty rw, + profile systemctl flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index e72e96fa..66c8fd0b 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -122,11 +122,13 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner /tmp/packagekit* rw, - @{run}/zypp.pid rwk, # only: opensuse @{run}/systemd/inhibit/*.ref rw, + @{run}/zypp.pid rwk, # only: opensuse owner @{run}/systemd/users/@{uid} r, + owner @{run}/zypp-rpm.pid rwk, # only: opensuse owner /dev/shm/AP_0x??????/{,**} rw, + owner /dev/shm/ r, @{sys}/**/ r, @{sys}/devices/**/modalias r, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index e8f690d0..cb573496 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -15,6 +15,8 @@ profile qemu-ga @{exec_path} { capability net_admin, capability sys_ptrace, + network inet stream, + network inet6 stream, network netlink raw, ptrace peer=unconfined, @@ -30,6 +32,8 @@ profile qemu-ga @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, + owner @{PROC}/@{pid}/net/dev r, + /dev/vport[0-9]*p[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 9af428ce..cb695796 100644 
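Review bot: `owner @{run}/zypp-rpm.pid rwk, # only: opensuse` carries `owner` while the re-ordered `@{run}/zypp.pid rwk, # only: opensuse` two lines above does not; presumably both are root-owned pid files handled the same way, so pick one form for both. `owner /dev/shm/ r,` is fine as a directory-listing rule.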
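Review bot: `network inet stream,` and `network inet6 stream,` give the guest agent unrestricted TCP, since AppArmor network rules cannot limit by port or peer, while the agent's transport is the virtio port (`/dev/vport[0-9]*p[0-9]* rw` in the second hunk). If the sockets are only opened for interface ioctls (the second hunk's `owner @{PROC}/@{pid}/net/dev r,` points toward interface enumeration), a comment such as `# socket used only for SIOCGIF* ioctls, no connections` — only if confirmed from the denial — would stop the rule reading as a new network capability. I cannot tell from the diff which agent command triggered it.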
--- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -12,6 +12,7 @@ profile spice-vdagent @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index 8c6e88e1..0a6c7f36 100644 --- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 +++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 @@ -12,8 +12,11 @@ profile start-pulseaudio-x11 @{exec_path} { @{exec_path} mr, - @{bin}/{,ba,da}sh rix, - @{bin}/pactl rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/head rix, + @{bin}/pactl rPx, + @{bin}/plasmashell rPx, + @{bin}/sed rix, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 9fcdb05c..74b1b52a 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -11,6 +11,7 @@ include @{exec_path} = @{bin}/sysctl profile sysctl @{exec_path} { include + include capability net_admin, capability sys_admin, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 96066afc..ab7da3cf 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -95,6 +95,11 @@ profile thunderbird @{exec_path} { @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, + # GPG integration + @{bin}/gpg{,2} rPx, + @{bin}/gpgconf rPx, + @{bin}/gpgsm rPx, + # Desktop integration @{bin}/exo-open rPx -> child-open, @{bin}/lsb_release rPx -> lsb_release, diff --git a/apparmor.d/profiles-s-z/wget b/apparmor.d/profiles-s-z/wget index e213c6c3..808e7c40 100644 --- a/apparmor.d/profiles-s-z/wget +++ b/apparmor.d/profiles-s-z/wget @@ -11,10 +11,10 @@ profile wget @{exec_path} { include include include - include include include include + include # For downloading files as root to user owned dirs capability dac_read_search, 
@@ -28,12 +28,13 @@ profile wget @{exec_path} { @{exec_path} mr, + /usr/share/publicsuffix/public_suffix_list.* r, + /etc/wgetrc r, + owner @{HOME}/.rnd r, owner @{HOME}/.wget-hsts rwk, - /usr/share/publicsuffix/public_suffix_list.* r, - # For apt owner /var/cache/google-android-build-tools-*-installer/build-tools_*-linux.zip w, owner /var/cache/google-android-platform-*-installer/platform-*.zip w, diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index 73038486..a3791831 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -32,6 +32,9 @@ profile xauth @{exec_path} { owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n, owner /tmp/runtime-*/xauth_?????? r, + owner /tmp/xauth_?????? r, + owner /tmp/xauth_??????-c w, + owner /tmp/xauth_??????-l wl, owner @{run}/user/@{uid}/xauth_?????? rw, owner @{run}/user/@{uid}/xauth_??????-c w,