diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender
index 751f1e9f..bc1e3f36 100644
--- a/apparmor.d/groups/browsers/firefox-pingsender
+++ b/apparmor.d/groups/browsers/firefox-pingsender
@@ -21,6 +21,7 @@ profile firefox-pingsender @{exec_path} {
 network inet stream,
 network inet6 stream,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (receive) set=(term, kill) peer=firefox,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd
index 5451b881..45248857 100644
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@@ -17,6 +17,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (receive) set=(term hup kill) peer=@{systemd},
 signal (receive) set=(term hup kill) peer=dbus-daemon,
 signal (receive) set=(term hup kill) peer=gdm*,
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index 0182f71b..b0aff821 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -24,6 +24,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 network netlink raw,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 # dbus: own bus=system name=org.freedesktop.GeoClue2
 dbus send bus=system path=/org/freedesktop/DBus
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 5ff1866f..a83bda98 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
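Review bot: The new `signal (receive) set=(cont, term) peer=@{systemd_user},` rule in the geoclue hunk sits directly above the context comment `# dbus: own bus=system name=org.freedesktop.GeoClue2`, which marks this daemon as a system-bus service; a unit started by the system manager is signalled by PID 1, so the matching peer would be `@{systemd}` and the rule as written would never fire. If the denial that motivated it really came from a per-user run of geoclue, a short comment next to the rule saying so (e.g. `# geoclue also runs from the user manager on <setup> — confirm`) would stop the next reviewer from "correcting" it. The other hunks in this set target user-session processes, where `@{systemd_user}` is the expected peer. The geoclue profile block starts and ends outside the hunk.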
@@ -24,6 +24,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected)
 network inet6 stream,
 network netlink raw,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (send) set=(term, kill) peer=polkit-agent-helper,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
index 625690cf..a593a07a 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@@ -20,6 +20,8 @@ profile xdg-desktop-portal-kde @{exec_path} {
 network inet6 stream,
 network netlink raw,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mr,
 /usr/share/hwdata/pnp.ids r,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 05543d20..7c076809 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -18,7 +18,7 @@ profile gnome-terminal-server @{exec_path} {
 include
 include
- signal (receive) set=(cont, term) peer=systemd-user,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (send) set=(hup) peer=htop,
 signal (send) set=(term hup kill) peer=unconfined,
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index 9b1707e9..8829b727 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -17,6 +17,8 @@ profile DiscoverNotifier @{exec_path} {
 network inet6 dgram,
 network netlink dgram,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mr,
 /etc/flatpak/remotes.d/ r,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 5e61da8c..45b5bc91 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -17,6 +17,8 @@ profile baloo @{exec_path} {
 network netlink raw,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mr,
 @{lib}/baloo_file_extractor rix,
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy
index b4e44ca7..97628942 100644
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@@ -15,6 +15,8 @@ profile gmenudbusmenuproxy @{exec_path} {
 ptrace (read) peer=kded5,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mr,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
index 6a1cacae..bb95ee55 100644
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -13,6 +13,8 @@ profile kaccess @{exec_path} {
 include
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mr,
 @{bin}/gsettings rPx,
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd
index a5dd2f8d..02ad0eda 100644
--- a/apparmor.d/groups/kde/kactivitymanagerd
+++ b/apparmor.d/groups/kde/kactivitymanagerd
@@ -14,6 +14,8 @@ profile kactivitymanagerd @{exec_path} {
 include
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mr,
 /etc/xdg/menus/{,*/} r,
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index 77abba25..d51b2a59 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -17,6 +17,8 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 network netlink raw,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mrix,
 @{sh_path} rix,
diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5
index 32ccbdd0..2db4737d 100644
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@@ -32,6 +32,7 @@ profile kded5 @{exec_path} {
 ptrace (read),
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (send) set=hup peer=xsettingsd,
 dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet
index c829be47..d438600c 100644
--- a/apparmor.d/groups/kde/kscreenlocker-greet
+++ b/apparmor.d/groups/kde/kscreenlocker-greet
@@ -25,9 +25,10 @@ profile kscreenlocker-greet @{exec_path} {
 network netlink raw,
- signal (send) peer=kcheckpass,
- signal (receive) set=(usr1, term) peer=ksmserver,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (receive) set=(term) peer=kwin_wayland,
+ signal (receive) set=(usr1, term) peer=ksmserver,
+ signal (send) peer=kcheckpass,
 unix (send,receive) type=stream peer=(label="ksmserver",addr=none),
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 42ed8214..3e2e35b8 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -15,6 +15,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (send) set=(usr1,term) peer=kscreenlocker-greet,
 unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index e9da85d5..fb81ccd5 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -19,6 +19,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 ptrace (read),
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (receive) set=term peer=sddm,
 signal (receive) set=(kill, term) peer=kwin_wayland_wrapper,
 signal (send) set=(kill, term) peer=xwayland,
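Review bot: In the kscreenlocker-greet hunk, `signal (send) peer=kcheckpass,` is re-added on the new side without a `set=`, so it allows every signal (stop, cont, user-defined, kill) towards kcheckpass, while every other rule in the same hunk names the signals it needs. I cannot tell from the hunk which signal the greeter actually sends to the helper; if it is only termination at teardown, `signal (send) set=(term, kill) peer=kcheckpass,` would bring it in line with its neighbours, and since the line is being touched for the reorder anyway this is the cheap moment to scope it. If the full set is intentional, a one-line comment above the rule saying why would prevent the question from coming up again. The profile block starts and ends outside the hunk.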
diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper
index 6690d447..924c0f4b 100644
--- a/apparmor.d/groups/kde/kwin_wayland_wrapper
+++ b/apparmor.d/groups/kde/kwin_wayland_wrapper
@@ -12,6 +12,7 @@ profile kwin_wayland_wrapper @{exec_path} {
 include
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (send) set=(term, kill) peer=kwin_wayland,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index f7960c9d..bcb0a156 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -42,6 +42,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 ptrace (read) peer=libreoffice*,
 ptrace (read) peer=pinentry-qt,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (send),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 23419960..ecbfcde5 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -40,11 +40,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 ptrace (read),
 ptrace (trace) peer=@{profile_name},
- signal (send) set=(term) peer=kwin_wayland,
+ signal (receive) set=(hup) peer=@{systemd},
 signal (send) set=(kill, term) peer=startplasma,
- signal (send) set=(term) peer=startplasma-wayland,
- signal (send) set=(term) peer=sddm-greeter,
 signal (send) set=(kill, term) peer=xorg,
+ signal (send) set=(term) peer=kwin_wayland,
+ signal (send) set=(term) peer=sddm-greeter,
+ signal (send) set=(term) peer=startplasma-wayland,
 dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index 2c83d520..a78a802b 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -11,6 +11,7 @@ profile startplasma @{exec_path} {
 include
 include
+ signal (receive) set=(hup) peer=@{systemd},
 signal (receive) set=(term) peer=sddm,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy
index cc96b067..1de9e6fe 100644
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@@ -13,6 +13,8 @@ profile xembedsniproxy @{exec_path} {
 include
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mr,
 /usr/share/hwdata/*.ids r,
diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify
index b4a2273e..980df562 100644
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@@ -12,6 +12,8 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
 include
 include
+ ptrace (read) peer=@{systemd},
+
 @{exec_path} mr,
 @{sh_path} rix,
diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell
index 7e605f48..09e3ea31 100644
--- a/apparmor.d/groups/systemd/systemd-sulogin-shell
+++ b/apparmor.d/groups/systemd/systemd-sulogin-shell
@@ -14,6 +14,8 @@ profile systemd-sulogin-shell @{exec_path} {
 capability net_admin,
 capability sys_resource,
+ signal (receive) set=(hup) peer=@{systemd},
+
 @{exec_path} mr,
 @{bin}/sulogin rPx,
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 38c7ac0e..49c98849 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -29,6 +29,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 ptrace (read) peer=gjs-console,
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mrix,
 @{bin}/{b,d}ash rix,
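Review bot: `ptrace (read) peer=@{systemd},` in the systemd-generator-ds-identify hunk grants the generator read-class ptrace access to PID 1, which is the check the kernel performs before exposing entries such as /proc/1/environ and /proc/1/maps, and nothing in the hunk says which of those the generator actually needs. Unlike the signal rules in the rest of this series, this one has no obvious teardown rationale, so a why-comment above it, e.g. `# ds-identify reads /proc/1/<file> — confirm against the denial`, would record the purpose and let a later audit decide whether the access can be narrowed. The profile block starts and ends outside the hunk.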