diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 65c16331..33c422bb 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -7,7 +7,7 @@ abi , - @{att}/apparmor/.null rw, + deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index 6959bc40..bf76e4a4 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -5,8 +5,8 @@ abi , + @{att}/dev/tty@{int} rw, owner @{att}/dev/pts/@{int} rw, - owner @{att}/dev/tty@{int} rw, include if exists diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 45028f48..d847c732 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -47,6 +47,7 @@ owner @{user_config_dirs}/pipewire/client.conf r, owner @{user_share_dirs}/openal/hrtf/{,**} r, + owner @{user_share_dirs}/sounds/ r, owner @{user_share_dirs}/sounds/__custom/index.theme r, owner @{run}/user/@{uid}/pipewire-@{int} rw, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 7bfae1ff..17181525 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -28,6 +28,7 @@ capability sys_chroot, capability sys_ptrace, + @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @{lib}/electron@{int}/electron rix, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index a9a3665d..19ffe647 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -33,6 +33,8 @@ /var/cache/gio-@{version}/gnome-mimeapps.list r, + / r, # deny? + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, # else if @{DE} == kde diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 10cf0c90..bf46eea1 100644 
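Review bot: The new `deny @{att}/apparmor/.null rw,` sits in a shared abstraction, and an explicit deny wins over any allow rule in every profile that includes attached/base, so a program that does need this path cannot get it back without dropping the include; deny rules are also not audited by default, so such a failure will be silent. If the purpose is to stop log noise rather than to block a real access, a comment should say so, e.g. `# Explicit deny: silences the audit entries and cannot be re-allowed by including profiles`. I cannot tell the motivating denial from this hunk.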
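Review bot: Dropping `owner` from `@{att}/dev/tty@{int} rw,` in the shared attached/consoles abstraction lets every profile that includes it read and write any virtual console, including ones owned by root or by another logged-in user, while the adjacent `owner @{att}/dev/pts/@{int} rw,` keeps the owner restriction. Unless all consumers of the abstraction need that, keep `owner @{att}/dev/tty@{int} rw,` here and grant the non-owner form only in the specific profile that needs it. At minimum a comment should record why the owner condition was removed.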
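Review bot: `/ r, # deny?` ships an unresolved question into the desktop abstraction, which a large number of profiles include. Read on `/` only allows listing the root directory, so the exposure is small, but the comment should be resolved either way: `/ r, # root directory listing, needed by <component>` with the actual reason (placeholder to be filled in), or `deny / r,` if the listing is not needed and the rule only exists to silence denials.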
--- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -90,7 +90,7 @@ @{run}/udev/data/b230:@{int} r, # for /dev/zvol* @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 @{run}/udev/data/b25[0-4]:@{int} r, - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index bd34a6f4..844a4fbe 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -90,7 +90,7 @@ @{run}/udev/data/b230:@{int} r, # for /dev/zvol* @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 @{run}/udev/data/b25[0-4]:@{int} r, - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 101fe1b4..37f6be70 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -9,7 +9,7 @@ include include - /etc/igfx_user_feature{,_next}.txt w, + /etc/igfx_user_feature{,_next,_report}.txt w, /etc/libva.conf r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index b9f1cbad..c7827b59 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -14,6 +14,8 @@ @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix, @{lib}/gstreamer-1.0/gst-plugin-scanner rix, + /usr/share/gstreamer-1.0/presets/Gst*Enc.prs r, + /etc/openni2/OpenNI.ini r, /tmp/ r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 490cf48a..282ae197 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
@@ -27,7 +27,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index d3fd2668..acdfc0bf 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default @@ -34,7 +34,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink dgram, network netlink raw, - signal (receive) set=(hup), + signal receive set=hup, @{bin}/bwrap rPx -> bwrap, @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 5b473840..9c11f0a4 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/google-@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chrome @{exec_path} { +profile chrome @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index 04fa2c75..658dee39 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chromium @{exec_path} { +profile chromium @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index 40a775db..dea35ae1 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper 
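Review bot: The rewritten glob `owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,` only matches names carrying a `.@{rand6}` suffix, whereas the removed `ksycoca{5,6}_??_*` also matched the final database name without that suffix. If no other rule in kde-strict covers the unsuffixed file, reads of the committed cache and the link/rename target of the temporary file will now be denied; the rest of the abstraction is outside this hunk so I cannot confirm. If both forms are needed, `owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*{,.@{rand6}} rwlk,` keeps the previous coverage while adding the new separator.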
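Review bot: `flags=(attach_disconnected)` is added to the chrome profile header, and likewise to chromium on this line and chromium-wrapper on the next, with no comment explaining which disconnected paths triggered it. With this flag, paths the browser's sandbox processes cannot resolve in their mount namespace are reattached under `/`, so the profile's ordinary rules (the `/dev`, `/tmp` and similar paths) also start matching objects inside those namespaces, which widens what each rule covers. A comment at the header such as `# attach_disconnected: sandbox namespace paths are reported relative to /`, and prefixing the rules that are really about sandbox paths with the repository's `@{att}` variable as abstractions/attached does, would make the scope explicit.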
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/chromium -profile chromium-wrapper @{exec_path} { +profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index dd01a36a..98f21f47 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -38,12 +38,15 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-dbus-proxy rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, + /usr/share/enchant*/{,**} r, + owner /bindfile@{rand6} rw, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, + owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index ad4fbb1f..97e5645b 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -17,6 +17,7 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/torbrowser b/apparmor.d/groups/browsers/torbrowser index 8d8336d6..5068886c 100644 --- a/apparmor.d/groups/browsers/torbrowser +++ b/apparmor.d/groups/browsers/torbrowser @@ -42,6 +42,9 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner "@{tmp}/Tor Project*" rwk, owner "@{tmp}/Tor Project*/" rw, owner "@{tmp}/Tor Project*/**" rwk, + owner @{tmp}/@{rand8}.* rw, + owner @{tmp}/mozilla_pc@{int}/ rw, + owner @{tmp}/mozilla_pc@{int}/* rwk, # Due to the nature of the browser, we silence much more than for Firefox. deny capability sys_ptrace, 
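Review bot: `owner /bindfile@{rand6} rw,` grants read/write on a file directly under the filesystem root; in a profile carrying `attach_disconnected` this is most likely a disconnected path from the WebKit sandbox rather than a genuine `/bindfile*`, but the hunk does not say. Writing it as `owner @{att}/bindfile@{rand6} rw,` with a comment naming the origin would make that explicit and keep the rule from matching a real root-level file should one exist.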
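Review bot: `owner @{tmp}/@{rand8}.* rw,` is a very permissive pattern for a profile whose own comment two lines below says it is kept tighter than Firefox: any owner-writable temporary file whose name is eight random characters followed by a dot and anything at all matches, so the rule also covers files created by unrelated programs running as the same user. If the producing component and its suffix are known, narrow the rule to that extension and add a comment naming the producer; if not, a comment stating that the suffix is unknown at least records the intent. The two `mozilla_pc@{int}` rules are specific and fine.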
diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index ab5eee07..4939edfb 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest @@ -18,6 +18,7 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 15b9c2d9..315a5bf0 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -19,6 +19,7 @@ include @{exec_path} = @{bin}/nvidia-modprobe profile child-modprobe-nvidia flags=(attach_disconnected) { include + include include capability chown, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 19aa4079..ebf0ad6a 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/update-desktop-database profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 944bbc20..e9bdfde1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -48,6 +48,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + owner @{desktop_config_dirs}/dconf/user r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, 
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index e9f63dc5..a5e27c7d 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -57,7 +57,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - /dev/fuse rw, + /dev/fuse rw, profile fusermount flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 9ebecf6f..dde1fe8c 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -11,6 +11,7 @@ include profile xkbcomp @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -29,6 +30,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/xorg/Xorg.@{int}.log w, /var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w, + /var/log/Xorg.@{int}.log w, owner /var/log/lightdm/x-@{int}.log w, owner @{run}/user/@{uid}/server-@{int}.xkm rwk, @@ -38,9 +40,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/fb@{int} rw, /dev/tty rw, - - deny /dev/input/event@{int} rw, - deny /var/log/Xorg.@{int}.log w, + /dev/input/event@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index dce42dc8..0f23d583 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -134,6 +134,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/shm/shmfd-* rw, /dev/tty rw, /dev/tty@{int} rw, + /dev/udmabuf rw, /dev/vga_arbiter rw, # Graphic card modules profile pkexec { diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 731d1576..4ca2b21b 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker 
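Review bot: The last xkbcomp hunk replaces `deny /dev/input/event@{int} rw,` with an allow, so a keymap compiler gains read/write on raw evdev devices, which carry every keystroke and pointer event on the system. If the observed denials come from descriptors inherited from the X server (which already holds the devices) rather than from xkbcomp opening them itself, the access is not needed and the explicit deny was the right fix, since `deny` also silences the audit entries; the hunk gives no reason for the reversal. Please add a comment with the denial that motivated it, or restore `deny /dev/input/event@{int} rw,`. The same question applies in smaller measure to `/var/log/Xorg.@{int}.log w,` in the middle hunk, whose `deny` counterpart is removed here.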
+++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -105,6 +105,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.pam_environment r, + owner @{user_cache_dirs}/ w, + @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 12473b49..5e013012 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{,**} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 310b7a98..20aa66cf 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -181,7 +181,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - profile bwrap { + profile bwrap flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 995dbab6..42c1265a 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
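Review bot: `owner @{user_share_dirs}/gvfs-metadata/{,*} r,` allows what two other profiles in this same commit explicitly refuse: gnome-control-center and gnome-tweaks both carry `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,`. As far as I know that directory is GIO's per-file attribute store for the whole home directory, and the repository's pattern appears to be a quiet deny; if gio-launch-desktop genuinely needs it, a comment giving the reason would stop the inconsistency from being "fixed" later, otherwise prefer the deny form used elsewhere.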
@@ -48,11 +48,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/tput rix, @{bin}/session-migration rPx, - - @{lib}/gnome-session-check-accelerated rix, - @{lib}/gnome-session-check-accelerated-gl-helper rix, - @{lib}/gnome-session-check-accelerated-gles-helper rix, - @{lib}/gnome-session-failed rix, + @{lib}/gnome-session-check-* rPx, + @{lib}/gnome-session-failed rix, @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index cddcb730..5ebedca6 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -64,8 +64,7 @@ profile gnome-software @{exec_path} { /var/lib/PackageKit/offline-update-competed r, /var/lib/PackageKit/prepared-update r, - /var/lib/swcatalog/icons/**.png r, - /var/lib/swcatalog/yaml/ r, + /var/lib/swcatalog/** r, /var/tmp/flatpak-cache-*/ rw, /var/tmp/flatpak-cache-*/** rwkl, @@ -91,6 +90,7 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, + owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index d21e2382..d104e75c 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -7,12 +7,10 @@ abi , include @{exec_path} = @{bin}/gnome-tweaks -profile gnome-tweaks @{exec_path} { +profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include include include 
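Review bot: `@{lib}/gnome-session-check-* rPx,` is a glob exec rule with a `Px` transition, and `Px` has no fallback: every binary the glob matches must have an attached profile or the exec is denied where the previous `rix` rules succeeded. The removed lines name three distinct helpers (`gnome-session-check-accelerated`, `-gl-helper`, `-gles-helper`), and I cannot see from this diff whether a profile exists for each, so please confirm before merging. A comment naming the target profile(s) next to the rule would document the dependency.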
@@ -21,6 +19,7 @@ profile gnome-tweaks @{exec_path} { @{exec_path} mr, @{bin}/ r, + @{bin}/env r, @{bin}/ps rPx, @{bin}/python3.@{int} rix, @@ -28,8 +27,6 @@ profile gnome-tweaks @{exec_path} { @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, - /usr/share/gnome-tweaks/{,**} r, - /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -44,7 +41,12 @@ profile gnome-tweaks @{exec_path} { @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/bus/ r, + @{sys}/class/input/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index 66a27803..c9177de5 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -41,6 +41,7 @@ profile kgx @{exec_path} { @{PROC}/@{pids}/stat r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 4fe3bc06..8a48b97a 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -15,6 +15,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e58f9b98..e10d81bb 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -21,7 +21,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index d9b709f9..aa459250 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp 
@@ -28,11 +28,13 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, - + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, - + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r, + @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index aa67ba5f..5a4f480a 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -34,6 +34,8 @@ profile baloo @{exec_path} { owner @{MOUNTS}/{,**} r, owner @{tmp}/*/{,**} r, + owner @{user_cache_dirs}/kcrash-metadata/ w, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc rwl, owner @{user_config_dirs}/baloofilerc.lock rwkl, @@ -60,6 +62,7 @@ profile baloo @{exec_path} { @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index 1d85b3a6..d9879941 100644 
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index d699f9d5..e152325e 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -44,12 +44,15 @@ profile kconf_update @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, + owner @{HOME}/.gtkrc-@{version} w, + owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/*rc.lock rwk, owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**, owner @{user_config_dirs}/sed@{rand6} rw, owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw, + owner @{user_config_dirs}/kcmfonts.lock rwk, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/krunnerstaterc.lock rwk, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index c14ba7e9..0ff08d02 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
@@ -93,34 +93,16 @@ profile kded @{exec_path} { @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, - owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.lock rwk, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk, - owner @{user_config_dirs}/gtkrc{,*} rwlk, - owner @{user_config_dirs}/kconf_updaterc rw, - owner @{user_config_dirs}/kconf_updaterc.lock rwk, - owner @{user_config_dirs}/kdebugrc r, - owner @{user_config_dirs}/kded{5,6}rc.lock rwk, - owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl, owner @{user_config_dirs}/kdedefaults/{,**} r, - owner @{user_config_dirs}/khotkeysrc.lock rwk, - owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/ksmserverrc r, - owner @{user_config_dirs}/ktimezonedrc.lock rwk, - owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/plasma* r, - owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner 
@{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, @@ -137,6 +119,9 @@ profile kded @{exec_path} { owner @{user_share_dirs}/services5/{,**} r, owner @{user_share_dirs}/user-places.xbel r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, + @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/user/@{uid}/gvfs/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 9922eff9..c02f3f87 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -29,6 +29,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{exec_path} mr, + /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -47,6 +48,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/xdg/menus/{,applications.menu} r, /etc/xdg/menus/applications-merged/ r, /etc/xdg/plasmarc r, + /etc/xdg/Xwayland-session.d/{,*} r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -127,10 +129,28 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + /dev/tty r, /dev/tty@{int} rw, + profile at-spi { + include + + @{sh_path} r, + @{bin}/busctl rix, + @{bin}/sed rix, + @{bin}/xprop rPx, + + /etc/xdg/Xwayland-session.d/00-at-spi r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index a7bde918..0d8a5d8c 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
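Review bot: The consolidation to `owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},` promotes several entries that were read-only to read/write/link: the removed lines include `breezerc r`, `kdebugrc r`, `ksmserverrc r`, `kwalletrc r`, `kxkbrc r` and `touchpadrc r`, and the glob also reaches every other `*rc` in the config directory that was never listed. For a daemon as central as kded that may be intended, but it is a widening rather than a pure refactor and the commit does not say so. If the write set is meant to be everything, a comment above the three glob rules stating that kded rewrites arbitrary KDE rc files would document it; otherwise keep explicit `r` rules for the files that are only read. This hunk starts on the previous line.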
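Review bot: The new child `profile at-spi {` in the last kwin_wayland hunk declares no flags while its parent is `flags=(attach_disconnected mediate_deleted)`; child profiles do not inherit flags, as the `profile bwrap flags=(attach_disconnected)` fix for gnome-control-center in this same commit shows, so decide explicitly whether the child needs them. `/home/ r,` and `owner @{HOME}/ r,` in a profile that otherwise only runs `busctl`, `sed` and `xprop` deserve a comment explaining why a session-setup script lists home directories. `@{bin}/xprop rPx,` also requires an xprop profile to exist, which I cannot verify from here.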
@@ -76,6 +76,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/solid/actions/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/templates/{,*.desktop} r, + /usr/share/thumbnailers/{,*} r, /usr/share/wallpapers/{,**} r, /etc/appstream.conf r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 54284f03..f2c133ce 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -14,7 +14,7 @@ profile sddm-greeter @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e7846425..f10e80d7 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -62,6 +62,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/startkderc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, + owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int}, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/kservices{5,6}/{,**} r, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index dc6b215f..969a82f6 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -10,6 +10,7 @@ include profile xembedsniproxy @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 12ead7ce..6f4672f9 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -10,6 +10,12 @@ include profile makepkg @{exec_path} { include include + include + include + include + include + include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index e2a0f260..64a813bf 100644 --- a/apparmor.d/groups/pacman/pacdiff 
+++ b/apparmor.d/groups/pacman/pacdiff @@ -32,10 +32,14 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{bin}/tput rix, @{bin}/vim rix, + owner @{HOME}/.viminfo{,.tmp} rw, + + owner @{user_cache_dirs}/vim/{,**} rw, + # packages files / r, /boot/{,**} r, - /etc/{,**} r, + /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, /usr/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 3a4bd0eb..2c32024a 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -15,13 +15,14 @@ profile pacman-hook-systemd @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/touch rix, @{bin}/journalctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/systemd-hwdb rPx, + @{bin}/systemd-notify rPx, @{bin}/systemd-sysusers rPx, @{bin}/systemd-tmpfiles rPx, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index c737d4ca..e101fc06 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -55,6 +55,10 @@ profile yay @{exec_path} { /usr/share/git{,-core}/{,**} r, + owner @{user_build_dirs}/**/.git/** r, + owner @{user_pkg_dirs}/**/.git/** r, + owner @{user_projects_dirs}/**/.git/** r, + owner @{HOME}/.gitconfig r, owner @{user_cache_dirs}/yay/ rw, owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index a50ed62e..4f95bed4 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
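Review bot: `/etc/{,**} rw,` under the `# packages files` heading gives pacdiff, and through `@{bin}/vim rix` the editor it spawns, write access to every file in `/etc`, including credential and policy files a .pacnew merge never touches. Merging configuration files legitimately needs to write the result back, but the rule should say so rather than being folded into a read-only listing of package paths: keep `/etc/{,**} r,` with the other package paths and add a separate `/etc/** w, # merged configuration written back by pacdiff / the editor` (or the specific target paths if the merge tool only writes known ones). The new `owner @{HOME}/.viminfo{,.tmp} rw,` line is fine.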
@@ -61,7 +61,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, @{run}/udev/data/b254:@{int} r, # for /dev/zram* - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 9b6bfdd9..4f9f965f 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-3.0-only +# SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index cfbd2d7b..2ea35f7b 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -45,15 +45,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, - remount /var/lib/docker/tmp/buildkit-mount@{int10}/, + remount /var/lib/docker/**/, umount /.pivot_root@{int}/, umount /run/docker/netns/*, umount /tmp/containerd-mount@{int}/, - umount /var/lib/docker/buildkit/**/, - umount /var/lib/docker/rootfs/**/, - umount /var/lib/docker/overlay*/**/, - umount /var/lib/docker/tmp/buildkit-mount@{int}/, + umount /var/lib/docker/**/, pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/, diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper index cefc60f6..d8128da7 100644 --- a/apparmor.d/profiles-a-f/cc-remote-login-helper 
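Review bot: `remount /var/lib/docker/**/,` and `umount /var/lib/docker/**/,` replace four specific mount points with a glob over the whole data root and carry no `options=` restriction, so dockerd may now remount any directory under `/var/lib/docker` with arbitrary flags (for example clearing `ro` or `nosuid`). The existing `mount options=(rw rslave) -> /,` two lines above shows the profile otherwise constrains mount options; consider the same here, e.g. `remount options=(rw) /var/lib/docker/**/,` if that is what the build backend needs, or at least a comment listing the subtrees (buildkit, rootfs, overlay*, tmp) the glob is meant to cover so the widening is deliberate.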
+++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 1ea3b8e7..0c5a18e8 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -11,10 +11,8 @@ profile file-roller @{exec_path} { include include include + include include - include - include - include #aa:dbus own bus=session name=org.gnome.ArchiveManager1 #aa:dbus own bus=session name=org.gnome.FileRoller @@ -23,6 +21,9 @@ profile file-roller @{exec_path} { @{open_path} rPx -> child-open-help, + @{bin}/mv rix, + @{bin}/rm rix, + # Archivers @{bin}/7z rix, @{bin}/7zz rix, @@ -38,6 +39,11 @@ profile file-roller @{exec_path} { @{bin}/zstd rix, @{lib}/p7zip/7z rix, + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, + owner @{tmp}/** rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index b38a0353..96d78b80 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -62,6 +62,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, + owner @{user_documents_dirs}/ rw, + owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 1ec9fe65..4d53fdf5 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -50,6 +50,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { /dev/i2c-@{int} rw, /dev/tty rw, + /dev/pts/@{int} rw, profile bus flags=(attach_disconnected) { include 
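Review bot: `@{MOUNTS}/** rw,` in the new `# Full access to user's data` block has no `owner` qualifier, unlike the neighbouring `owner @{HOME}/** rw,` and `owner @{tmp}/** rw,`, so file-roller may overwrite files on any mounted volume regardless of who owns them, including other users' files on shared media. If the intent is the user's own removable media, `owner @{MOUNTS}/** rw,` is consistent with the other two lines; if non-owner access is really needed, a comment should say why. It is also worth noting in the comment that `owner @{HOME}/**` includes configuration dotfiles, since that is the consequence of letting an archive manager write anywhere in the home directory.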
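Review bot: `/dev/pts/@{int} rw,` is added to fwupdmgr without `owner`, so it can read and write any pseudo-terminal on the system rather than only the one it was started from. The consoles abstraction touched in this commit keeps `owner @{att}/dev/pts/@{int} rw,`; use `owner /dev/pts/@{int} rw,` here, or include that abstraction instead of an ad-hoc rule. A comment on why the existing `/dev/tty rw,` two lines above is not sufficient would help the next reader.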
diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index e61b4404..910e9a2f 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -3,7 +3,7 @@ # Copyright (C) 2011-2014 Jérémy Bobbio ; # Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/ # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-3.0-only +# SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr index 5257195f..09b71b77 100644 --- a/apparmor.d/profiles-g-l/hbbr +++ b/apparmor.d/profiles-g-l/hbbr @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}{,local/}bin/hbbr +@{exec_path} = @{bin}/hbbr profile hbbr @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index fd8aa3e7..4e753272 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}{,local/}bin/hbbs +@{exec_path} = @{bin}/hbbs profile hbbs @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index d358f080..6c6d61c4 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -16,14 +16,17 @@ profile issue-generator @{exec_path} { @{sh_path} r, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mktemp rix, + @{bin}/mv rix, @{bin}/rm rix, @{bin}/sort rix, /etc/issue.d/{,**} r, /etc/sysconfig/issue-generator r, + @{run}/agetty.reload w, @{run}/issue r, @{run}/issue.@{rand10} rw, @{run}/issue.d/{,**} r, 
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 7733730a..004c29d6 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -34,9 +35,9 @@ profile rustdesk @{exec_path} { @{bin}/curl rix, @{bin}/ls rix, - @{bin}/sudo rCx -> sudo, - @{bin}/python3.@{int} rPx -> rustdesk_python, - @{sh_path} rPx -> rustdesk_shell, + @{bin}/sudo rCx -> sudo, + @{bin}/python3.@{int} rCx -> python, + @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, 
@@ -59,80 +60,72 @@ profile rustdesk @{exec_path} { profile sudo { include - include include + include @{bin}/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk_python, + @{bin}/python3.@{int} rPx -> rustdesk//python, include if exists } + profile python { + include + include + + capability dac_read_search, + capability dac_override, + + @{bin}/python3.@{int} r, + + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/uname rPx, + /usr/share/rustdesk/files/pynput_service.py rix, + + /usr/share/[rR]ust[dD]esk/files/{,**} r, + /tmp/[rR]ust[dD]esk/ w, + /tmp/[rR]ust[dD]esk/pynput_service rw, + + @{run}/user/@{uid}/gdm{,3}/Xauthority r, + + owner @{PROC}/@{pid}/fd/ r, + + # X-tiny + /tmp/.X11-unix/* rw, + owner @{HOME}/.xsession-errors w, + owner @{HOME}/.Xauthority r, + + include if exists + } + + profile shell { + include + + capability dac_override, + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{sh_path} r, + + @{bin}/tr rix, + @{bin}/{,e}grep rix, + @{bin}/tail rix, + @{bin}/xargs rix, + @{bin}/sed rix, + @{bin}/cat rix, + + @{bin}/ps rPx, + + @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + + include if exists + } + include if exists } -profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py { - include - - @{exec_path} r, - - include if exists -} - -profile rustdesk_python { - include - include - - capability dac_read_search, - capability dac_override, - - @{bin}/python3.@{int} r, - - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/uname rPx, - /usr/share/rustdesk/files/pynput_service.py rPx, - - /usr/share/[rR]ust[dD]esk/files/{,**} r, - /tmp/[rR]ust[dD]esk/ w, - /tmp/[rR]ust[dD]esk/pynput_service rw, - - @{run}/user/@{uid}/gdm{,3}/Xauthority r, - - owner @{PROC}/@{pid}/fd/ r, - - # X-tiny - /tmp/.X11-unix/* rw, - owner @{HOME}/.xsession-errors w, - owner @{HOME}/.Xauthority r, - - include if exists -} - -profile rustdesk_shell { - include - - capability sys_ptrace, - capability dac_read_search, - deny 
capability dac_override, - - ptrace (read), - - @{sh_path} r, - - @{bin}/tr rix, - @{bin}/{,e}grep rix, - @{bin}/tail rix, - @{bin}/xargs rix, - @{bin}/sed rix, - @{bin}/cat rix, - - @{bin}/ps rPx, - - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/environ r, - - include if exists -} - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils index d52e2b70..fc0c7d9b 100644 --- a/apparmor.d/profiles-m-r/rustdesk-utils +++ b/apparmor.d/profiles-m-r/rustdesk-utils @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}{,local/}bin/rustdesk-utils +@{exec_path} = @{bin}/rustdesk-utils profile rustdesk-utils @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index e9a8f881..04ee747b 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -6,26 +6,25 @@ abi , include -@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid +@{exec_path} = @{bin}/sanoid profile sanoid @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, @{sh_path} rix, @{bin}/perl rix, @{bin}/ps rPx, - /{usr/,}{local/,}{s,}bin/zfs rPx, + @{bin}/zfs rPx, - /etc/sanoid/{*,} r, + /usr/share/sanoid/{,**} r, - /var/cache/sanoid/snapshots.txt rw, + /etc/sanoid/{,*} r, - /usr/share/sanoid/{**,} r, + /var/cache/sanoid/{,**} rw, @{run}/sanoid/ rw, - @{run}/sanoid/sanoid_cacheupdate.lock rwk, - @{run}/sanoid/sanoid_pruning.lock rwk, + @{run}/sanoid/** rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot index 9c5d5b9d..91ca7cd6 100644 --- a/apparmor.d/profiles-s-z/snapshot +++ b/apparmor.d/profiles-s-z/snapshot 
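Review bot: The new `shell` child profile grants `capability dac_override,` where the removed `rustdesk_shell` profile carried an explicit `deny capability dac_override,`, and nothing in the hunk says why a shell spawned by rustdesk now needs to bypass file permission checks on top of the `capability sys_ptrace,`, `ptrace read,` and unowned `@{PROC}/@{pid}/environ r,` it already had. If no logged denial requires it, keep the former `deny capability dac_override,` (or leave the capability out entirely); otherwise add a one-line comment naming the operation that needs it. In the `python` child, `/usr/share/rustdesk/files/pynput_service.py rix,` replaces the former `rPx` into a dedicated profile, so the service now runs with the python child's `dac_read_search`/`dac_override` capabilities and its `/tmp/.X11-unix/* rw,` access; a comment explaining why separate confinement was dropped would help the next reader. The transitions into these children (`rCx -> python`, `rCx -> shell`) are in the earlier hunk of this file, and the enclosing `profile rustdesk` block starts outside this hunk.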
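Review bot: `@{run}/sanoid/** rwk,` replaces the two named lock files (`sanoid_cacheupdate.lock`, `sanoid_pruning.lock`) and `/var/cache/sanoid/{,**} rw,` replaces the single `snapshots.txt`, so both rules now reach any file or subdirectory under those trees with write (and lock) access. If the only new requirement is additional lock files, `@{run}/sanoid/*.lock rwk,` keeps the scope explicit, and the same applies to the cache directory if only a few known files are written there. The profile stays in `flags=(complain)`, so any path still missing would be logged rather than blocked, which leaves room to keep the rules narrow.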
@@ -8,12 +8,13 @@ abi , include @{exec_path} = @{bin}/snapshot -profile snapshot @{exec_path} { +profile snapshot @{exec_path} flags=(attach_disconnected) { include include include include include + include @{exec_path} mr, @@ -22,6 +23,8 @@ profile snapshot @{exec_path} { owner @{user_pictures_dirs}/Camera/{,**} rw, owner @{user_videos_dirs}/Camera/{,**} rw, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + include if exists } diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 4bc0cb4b..8ccbbf0f 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile spotify @{exec_path} { +profile spotify @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/sslocal b/apparmor.d/profiles-s-z/sslocal index 0c46e558..b71c97f5 100644 --- a/apparmor.d/profiles-s-z/sslocal +++ b/apparmor.d/profiles-s-z/sslocal @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/sslocal +@{exec_path} = @{bin}/sslocal profile sslocal @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssmanager b/apparmor.d/profiles-s-z/ssmanager index 7e6fb090..6165d433 100644 --- a/apparmor.d/profiles-s-z/ssmanager +++ b/apparmor.d/profiles-s-z/ssmanager @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssmanager +@{exec_path} = @{bin}/ssmanager profile ssmanager @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver index c71fc1ea..11ca7243 100644 
--- a/apparmor.d/profiles-s-z/ssserver +++ b/apparmor.d/profiles-s-z/ssserver @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssserver +@{exec_path} = @{bin}/ssserver profile ssserver @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssservice b/apparmor.d/profiles-s-z/ssservice index 5157bba6..4e464289 100644 --- a/apparmor.d/profiles-s-z/ssservice +++ b/apparmor.d/profiles-s-z/ssservice @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssservice +@{exec_path} = @{bin}/ssservice profile ssservice @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index a066a9df..9555a982 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssurl +@{exec_path} = @{bin}/ssurl profile ssurl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index e864663b..252c8986 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam 
@@ -107,6 +107,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @@ -182,6 +183,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @@ -366,6 +368,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability dac_override, capability dac_read_search, unix receive type=stream, diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index bad85a84..dfa8b84d 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -13,7 +13,7 @@ include @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap -profile steam-game-proton @{exec_path} flags=(attach_disconnected) { +profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include include include @@ -34,6 +34,8 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/bwrap mrix, + @{bin}/chmod rix, + @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/ldconfig rix, 
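Review bot: The `capability dac_override,` added in the `@@ -366,6 +368,7 @@` hunk lands in a child profile whose name and purpose are outside the hunk, and no comment says which operation needs to bypass DAC checks; `capability dac_read_search,` was already present, so the new line adds the write-side bypass as well. A short why-comment next to it, e.g. `# dac_override: <operation that needs it>` with the real reason filled in, or a note that an `owner`-scoped file rule was tried and did not suffice, would make this reviewable later.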
@@ -44,7 +46,6 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, - @{bin}/chmod rix, @{open_path} rix, @{lib_dirs}/** mr, @@ -52,12 +53,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{app_dirs}/** mr, - @{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, - @{app_dirs}/Proton*/files/@{bin}/* rix, - @{app_dirs}/Proton*/files/@{lib}/** rix, - @{app_dirs}/Proton*/proton rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/** mrix, @{run}/host/@{bin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @@ -73,6 +69,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { owner /var/pressure-vessel/** rw, owner /var/cache/ldconfig/aux-cache* rw, + owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, owner @{app_dirs}/Proton*/** rwkl, diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote index b3a36eac..93a93e89 100644 --- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote @@ -13,7 +13,7 @@ include @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote -profile steam-runtime-steam-remote @{exec_path} flags=(complain) { +profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain) { include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 6bff0f1d..fe30e6da 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald 
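Review bot: `@{app_dirs}/** mrix,` in the `@@ -52,12 +53,7 @@` hunk replaces the six explicit rules that limited execution to `pressure-vessel-*`, `Proton*/files/@{bin}/*`, `Proton*/files/@{lib}/**`, `Proton*/proton` and the launcher interface, so every file under `@{share_dirs}/steamapps/common/` — a tree this same profile writes to via `owner @{app_dirs}/Proton*/** rwkl,` — becomes executable with inherited permissions. Any content dropped there by a game or an update then runs under this profile with no transition. The profile is moved to `flags=(attach_disconnected,complain)` in the same commit, which hides the impact while in complain; before it returns to enforce, either reinstate the explicit `rix` entries (keeping `@{app_dirs}/** mr,` for the libraries) or add a comment recording why the blanket rule is accepted. The enclosing `profile steam-game-proton` block starts and ends outside this hunk.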
@@ -16,7 +16,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include capability sys_boot, - + #aa:dbus own bus=system name=org.freedesktop.thermald @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index e5404615..1ee9f094 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -56,6 +56,8 @@ profile thunderbird @{exec_path} { owner @{tmp}/nsma rw, owner @{tmp}/pid-@{pid}/{,**} w, + /dev/urandom w, + # Silencer deny capability sys_ptrace, deny @{lib_dirs}/** w, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index a742a41f..626896a0 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -16,6 +16,7 @@ profile thunderbird-glxtest @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index bcbb3088..a3c3f5a0 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 odomingao +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,6 +16,7 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,6 +29,9 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open, + owner /tmp/.org.chromium.Chromium.@{rand6} mr, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index be37123f..0a95d183 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -144,9 +144,6 @@ @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} @{pci}=@{pci_bus}/**/ -# hci devices -@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c} - # Udev data dynamic assignment ranges @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 @@ -154,5 +151,6 @@ # Attachment path for attach_disconnected.path flag. # Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. @{att}=/ +alias // -> /, # vim:syntax=apparmor
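Review bot: Removing the `@{hci_id}` tunable makes any profile that still expands it fail to load, and this chunk shows no corresponding change to such profiles; a line in the commit message confirming there are no remaining references would settle it. The new `alias // -> /,` sits under a comment that only describes `@{att}`, so its purpose has to be guessed (presumably folding the doubled slash that `@{att}=/` yields in `@{att}/...` rules); a comment such as `# Fold the leading // produced by @{att}=/ back to /` — adjusted to the actual reason — would keep the rule from being dropped later as noise.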