diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index f20cebeb..418864a6 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -62,7 +62,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/drm/ r,
 @{sys}/class/video4linux/ r,
 @{sys}/devices/@{pci}/{vendor,model,type} r,
- @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
+ @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r,
 @{sys}/devices/@{pci}/uevent r,
 @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 57e6cf47..8c8a1c06 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -53,6 +53,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 @{MOUNTS}/**/ r,
 @{HOME}/**/ r,
+ owner @{MOUNTS}/autorun.inf r,
+ owner @{desktop_config_dirs}/dconf/user r,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 3aece965..d8ebf39b 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -50,6 +50,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 /etc/networkd-dispatcher/carrier.d/{,*} r,
+ / r,
+ @{run}/systemd/network/ r,
 @{run}/systemd/network/*.network r,
 @{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged
index 943315a8..7c6f7207 100644
--- a/apparmor.d/groups/virt/virtstoraged
+++ b/apparmor.d/groups/virt/virtstoraged
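Review bot: The new `card@{int}/**/{enabled,edid}` glob matches at any depth below the card directory, which is wider than the single connector level the old `card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*` rule targeted. If the problem was only that the hard-coded connector-type list missed some connector names, `@{sys}/devices/@{pci}/drm/card@{int}/card@{int}-*/{enabled,edid} r,` keeps the one-level shape while dropping the list. The access stays read-only on two sysfs attributes, so the exposure is small either way, but the narrower glob records the intent better. The colord profile block continues outside the hunk.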
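Review bot: `owner @{MOUNTS}/autorun.inf r,` reads a file whose content comes from whatever medium was just mounted, so it should carry a why-comment such as `# autorun.inf on the mounted medium: untrusted input, read-only`. The `owner` qualifier may also not behave as expected here: on media where ownership is fixed by mount options or by the filesystem (vfat, iso9660), the file may not be owned by the session user, in which case the rule never matches — the existing `@{MOUNTS}/**/ r,` just above has no `owner`, which is presumably why. The profile block continues outside the hunk.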
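Review bot: `/ r,` is inserted between the networkd-dispatcher rule and the `@{run}/systemd/network/` rules with nothing saying why systemd-networkd needs to list the filesystem root; a comment naming the access that prompted it (e.g. `# Root directory listing, seen when …`) would keep the rule from being copied into other profiles without reason. Listing `/` is low risk on its own, but it is unrelated to the group it sits in. The two `@{run}/systemd/network/` rules can also be folded into one: `@{run}/systemd/network/{,*.network} r,`. The profile block continues outside the hunk.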
@@ -25,6 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
 @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
 @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
+ /etc/libvirt/**/ r,
 /etc/libvirt/libvirt.conf r,
 # For disk images
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote
index b9031360..4953ab29 100644
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@@ -46,14 +46,13 @@ profile anyremote @{exec_path} {
 @{bin}/convert-im6.q16 rCx -> imagemagic,
 @{bin}/killall rCx -> killall,
 @{bin}/pgrep rCx -> pgrep,
- @{lib}/qt5/bin/qdbus rCx -> qdbus, - @{bin}/pacmd rPx,
 @{bin}/pactl rPx,
- @{bin}/wmctrl rPx,
- @{bin}/qtchooser rPx,
 @{bin}/ps rPx,
+ @{bin}/qtchooser rPx,
+ @{bin}/wmctrl rPx,
+ @{lib}/qt{5,6}/bin/qdbus rPx,
 # Players
 @{bin}/smplayer rPx,
@@ -128,14 +127,6 @@ profile anyremote @{exec_path} {
 include if exists
 }
- profile qdbus { - include - - @{lib}/qt5/bin/qdbus mr, - - include if exists - } - include if exists }
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index 6774ffa9..4695c2d3 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -23,7 +23,7 @@ profile fusermount @{exec_path} {
 mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
 mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/,
 mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/,
- mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/,
+ mount fstype={fuse,fuse.*} -> /tmp/.mount_*@{rand6}/,
 umount @{HOME}/*/,
 umount @{HOME}/*/*/,
@@ -47,6 +47,8 @@ profile fusermount @{exec_path} {
 owner @{user_cache_dirs}/**/ rw,
+ /tmp/.mount_*@{rand6}/ r,
+ @{run}/user/@{uid}/doc/ r,
 @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 316f6ebd..a2cfea34 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
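Review bot: `/etc/libvirt/**/ r,` grants directory listing of every subtree below /etc/libvirt, including ones virtstoraged has no business enumerating (for instance the secrets/ and qemu/ config trees), and the trailing `/` limits it to directories, so only entry names are exposed, not file contents. If the need is the storage pool definitions, `/etc/libvirt/storage/{,**/} r,` is the narrower rule; note that `**` alone does not match the parent directory itself, which is why the tree uses the `{,**}` idiom elsewhere, so the new rule as written does not cover `/etc/libvirt/` either. A short comment naming what is being enumerated would settle which of the two was intended. The profile block continues outside the hunk.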
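Review bot: `@{lib}/qt{5,6}/bin/qdbus rPx,` replaces the `rCx -> qdbus` child transition with a transition to a standalone profile; `Px` only works if a profile attached to that path exists in the tree, otherwise the exec is denied, and nothing in this diff shows such a profile. Worth confirming that the deletion of the `profile qdbus` child in the second anyremote hunk is paired with a system-wide qdbus profile that covers what anyremote drives it to do. A comment such as `# qdbus has its own profile` above the line would record the decision. The profile block continues outside the hunk.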
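Review bot: The widened mount target `/tmp/.mount_*@{rand6}/` no longer says what it is for, whereas the old `nextcl` fragment at least hinted at a specific AppImage. Since `/tmp/.mount_<name><random>` is the AppImage runtime's mount point convention, a comment `# AppImage runtime mount points` above this rule, and above the matching `/tmp/.mount_*@{rand6}/ r,` added in the second fusermount hunk, would document why fusermount (normally setuid root) is allowed to mount under a world-writable directory. Bear in mind that `*` accepts any name prefix and `@{rand6}` only constrains the last six characters, so the rule is effectively "any `.mount_` directory in /tmp"; that is needed for arbitrary AppImages, but it should be a conscious choice. The profile block continues outside the hunk.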
@@ -113,6 +113,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /dev/bus/usb/ r,
 /dev/bus/usb/@{int}/@{int} rw,
 /dev/cpu/@{int}/msr rw,
+ /dev/dri/card@{int} rw,
 /dev/drm_dp_aux@{int} rw,
 /dev/gpiochip@{int} r,
 /dev/hidraw@{int} rw,
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index c9db3c08..09b682c6 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -14,7 +14,7 @@ profile mount @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
-
+
 capability chown,
 capability dac_read_search,
 capability setgid,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 08dcaaea..18c70b24 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -30,7 +30,6 @@ profile run-parts @{exec_path} {
 /etc/anacrontab r,
 /etc/conf.d/snapper{,**} r,
 /etc/snapper/configs/root r,
- # Crontab /etc/cron.{hourly,daily,weekly,monthly}/ r,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index d091c4b5..82deb0d6 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -266,7 +266,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 ptrace trace peer=steam//web,
- signal receive set=kill peer=steam,
+ signal receive set=(cont kill term) peer=steam,
 unix receive type=stream,
diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry
index a790e6b7..2d72bc83 100644
--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@@ -40,6 +40,8 @@ profile strawberry @{exec_path} {
 @{open_path} rPx -> child-open-help,
+ /etc/fstab r,
+ /var/lib/dbus/machine-id r,
 /etc/machine-id r,
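Review bot: `/dev/dri/card@{int} rw,` hands fwupd write access to the DRM card device nodes, which is broader than the adjacent `/dev/drm_dp_aux@{int} rw,` aux-channel access; if the plugin behind it only reads connector or EDID information, `r` would suffice, and either way the plugin that needs it belongs in a comment on the line. The hunk header shows this profile runs with `flags=(complain,…)`, so a rule that is still too narrow would only be logged, not enforced — a good moment to check the real access pattern before the profile is switched to enforce. The profile block continues outside the hunk.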
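Review bot: `signal receive set=(cont kill term) peer=steam,` only covers the receiving end; AppArmor checks both sides of a signal, so whichever steam process sends SIGCONT or SIGTERM to a sibling also needs `signal send set=(cont kill term) peer=steam,` — if that rule already exists outside this hunk, fine, otherwise the sends are still denied and the widening here is moot. With `peer=steam` the rule stays confined to the profile's own processes, so the change itself is low risk. The profile block continues outside the hunk.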
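Review bot: `/etc/fstab r,` in a music player profile has no comment saying why the mount table is read; presumably it comes from GIO volume monitoring rather than from strawberry itself, and a line such as `# Mount table, read via GIO volume monitor — TODO confirm` would help the next reader judge whether it is still needed. `/var/lib/dbus/machine-id r,` is added right next to the existing `/etc/machine-id r,`; the pair can be one rule: `/{etc,var/lib/dbus}/machine-id r,`. The profile block continues outside the hunk.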
@@ -50,6 +52,7 @@ profile strawberry @{exec_path} {
 owner @{user_config_dirs}/strawberry/ rw,
 owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int},
+ owner @{user_config_dirs}/strawberryrc r,
 owner @{user_share_dirs}/strawberry/ rw,
 owner @{user_share_dirs}/strawberry/** rwk,
@@ -65,6 +68,8 @@ profile strawberry @{exec_path} {
 owner @{tmp}/*= w,
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/etilqs_@{hex16} rw,
+ owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w,
+ owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk,
 owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
 owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int},
 owner @{tmp}/strawberry*[0-9] w,
diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top
index 09728ef4..418accd3 100644
--- a/apparmor.d/profiles-s-z/top
+++ b/apparmor.d/profiles-s-z/top
@@ -19,9 +19,9 @@ profile top @{exec_path} flags=(attach_disconnected) {
 capability sys_nice,
 capability sys_ptrace,
- signal (send),
+ signal send,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust
index 6ebcf7f8..6e70a031 100644
--- a/apparmor.d/profiles-s-z/update-ca-trust
+++ b/apparmor.d/profiles-s-z/update-ca-trust
@@ -24,10 +24,7 @@ profile update-ca-trust @{exec_path} {
 / r,
 /usr/share/p11-kit/modules/{,*} r,
- /etc/ca-certificates/extracted/{tls,email,objsign}-ca-bundle.pem{,.*} w,
- /etc/ca-certificates/extracted/ca-bundle.trust.crt{,.*} w,
- /etc/ca-certificates/extracted/cadir/{,*} rw,
- /etc/ca-certificates/extracted/edk2-cacerts.bin{,.*} w,
+ /etc/ca-certificates/extracted/** rw,
 /etc/ssl/certs/{,*} rw,
 /etc/ssl/certs/java/cacerts{,.*} w,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index 146408bc..6b8bca6c 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
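Review bot: The two `kdsingleapp-daemonspudguy-strawberry` rules in the third strawberry hunk hard-code what looks like one user's login name into a shared profile; KDSingleApplication derives the lock name from the current user and the application name, so as written these rules match on a single machine and every other user keeps getting denials. Replace the literal with a glob — `owner @{tmp}/kdsingleapp-*-strawberry w,` and `owner @{tmp}/kdsingleapp-*-strawberry.lock rwk,` — the `owner` qualifier already limits the match to the invoking user's own files. The profile block continues outside the hunk.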
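Review bot: Collapsing the four explicit output rules into `/etc/ca-certificates/extracted/** rw,` loses the record of which files update-ca-trust actually produces (the three `*-ca-bundle.pem` bundles, `ca-bundle.trust.crt`, `cadir/`, `edk2-cacerts.bin`) and upgrades the former write-only entries to read-write. For a tool whose purpose is regenerating that directory this is defensible, but it should say so: `# Extracted trust store, regenerated wholesale on every run`. If the widening was driven by a denial on one new output file, adding that file would have been the narrower fix; and note `**` does not match the `extracted/` directory itself, so `{,**}` is needed if listing it is part of the failure. The profile block continues outside the hunk.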
@@ -61,7 +61,7 @@ profile wireplumber @{exec_path} {
 @{sys}/bus/ r,
 @{sys}/bus/media/devices/ r,
 @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
- @{sys}/devices/**/device:*/**/path r,
+ @{sys}/devices/**/device:*/{,**/}path r,
 @{sys}/devices/**/sound/**/pcm_class r,
 @{sys}/devices/**/sound/**/uevent r,
 @{sys}/devices/system/node/ r,