diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
index 8957c4cd..7dcb187f 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@@ -14,6 +14,11 @@
 member={Get,GetAll}
 peer=(name=org.freedesktop.hostname1),
+ dbus receive bus=system path=/org/freedesktop/hostname1
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
+
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple
index ab3b2b2f..f9f9870f 100644
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
 owner @{desktop_config_dirs}/ibus/bus/ r,
 owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
- owner /dev/tty@{int} rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index 1096594a..39d5eccc 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/{,ibus/}ibus-x11
 profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/ibus/bus/ r,
 owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
- owner /dev/tty@{int} rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport
index 61aeaf88..1579115a 100644
--- a/apparmor.d/groups/cron/cron-apport
+++ b/apparmor.d/groups/cron/cron-apport
@@ -18,7 +18,7 @@ profile cron-apport @{exec_path} {
 / r,
 /var/crash/ r,
- /var/crash/*.crash w,
+ /var/crash/* w,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index a8df0261..14edf32c 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -54,6 +54,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/polkit{,-1}/.cache/ rw,
 @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+ @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower
index 2aeb4ee8..931b4750 100644
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@@ -13,8 +13,7 @@ profile upower @{exec_path} {
 include
 include
- # Needed?
- audit capability sys_nice,
+ #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 8d8ae666..489a0426 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -63,8 +63,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 @{lib}/xdg-desktop-portal-validate-icon rPx,
 @{open_path} rPx -> child-open,
- / r,
- @{att}/.flatpak-info r,
+ / r,
+ @{att}/.flatpak-info r,
+ owner @{att}/ r,
 /usr/share/dconf/profile/gdm r,
 /usr/share/xdg-desktop-portal/** r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index d4fa3dc1..ff398f25 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
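Review bot: The widened `/var/crash/* w,` replacing `/var/crash/*.crash w,` carries no comment saying which non-`.crash` files the cron job needs to write or remove, so the next reader cannot tell whether the broader glob is deliberate or a shortcut. A trailing comment keeps the grant auditable, e.g. `/var/crash/* w, # <files other than *.crash the cron job removes>`. The enclosing profile starts outside the hunk.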
@@ -30,6 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
 include
 signal receive set=term peer=gdm,
+ signal receive set=hup peer=gdm-session-worker,
 unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index a2dd6d90..d8ae32fd 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -17,7 +17,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
- include
 include
 include
 include
@@ -83,6 +82,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 # Talk with gnome-shell
+ #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
 #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
 #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr
index 167e8757..2fbdfb08 100644
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/dirmngr
 profile dirmngr @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd
index a6eadd90..51ec8b13 100644
--- a/apparmor.d/groups/gpg/keyboxd
+++ b/apparmor.d/groups/gpg/keyboxd
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/gnupg/keyboxd
 profile keyboxd @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 65d644e7..7f558a1c 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -36,7 +36,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 include
 include
- @{run}/udev/control rw,
+ capability net_admin,
+
+ @{att}/@{run}/udev/control rw,
+
 @{run}/udev/rules.d/90-netplan.rules rw,
 @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index 09d432b2..65feae3f 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} {
 signal (send) peer=child-pager,
+ unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system,
+
 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls
index b25f861b..9bfde3e6 100644
--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@@ -10,6 +10,8 @@ include
 profile systemd-cgls @{exec_path} {
 include
 include
+ include
+ include
 capability sys_ptrace,
@@ -17,6 +19,8 @@ profile systemd-cgls @{exec_path} {
 signal send set=cont peer=child-pager,
+ unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system,
+
 @{exec_path} mr,
 @{pager_path} rPx -> child-pager,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index a169a59d..878884ad 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 /etc/machine-info rw,
 /etc/os-release r,
+ @{att}/@{run}/systemd/notify rw,
+
 @{run}/systemd/default-hostname rw,
- @{run}/systemd/notify rw,
 @{run}/udev/data/+dmi:* r, # for motherboard info
 @{sys}/devices/virtual/dmi/id/ r,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 32f02f0d..058c59db 100644
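Review bot: `capability net_admin,` is a broad privilege added to netplan.script without a comment naming the operation that needs it, which makes the grant hard to re-verify when the profile is audited later. Suggest a trailing note such as `capability net_admin, # <operation that needs it>`; the rest of the hunk only moves `@{run}/udev/control rw,` under the `@{att}/` prefix. The enclosing profile continues outside the hunk.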
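Review bot: The new `@{att}/@{run}/systemd/notify rw,` in systemd-hostnamed keeps read access on the notify socket, while the same commit writes `@{att}/@{run}/systemd/notify w,` for systemd-resolved and the existing lines shown for systemd-logind, systemd-oomd and systemd-userdbd also use plain `w`. As far as I know sd_notify() only sends on that socket, so `w` is the consistent minimum; the same applies to the systemd-localed and systemd-timedated hunks that follow, which also switch to the `@{att}/` form but keep `rw`. Suggested line in all three: `@{att}/@{run}/systemd/notify w,`. The enclosing profile continues outside the hunk.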
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 /etc/X11/xorg.conf.d/.#*.confd* rw,
 /etc/X11/xorg.conf.d/*.conf rw,
- @{run}/systemd/notify rw,
+ @{att}/@{run}/systemd/notify rw,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 206c0957..012a8978 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -95,6 +95,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{att}/@{run}/systemd/notify w,
+ @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
 @{run}/systemd/inhibit/ rw,
 @{run}/systemd/inhibit/.#* rw,
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 469f72b0..91288866 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -25,6 +25,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/oomd.conf.d/{,**} r,
 @{att}/@{run}/systemd/notify w,
+ @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
 @{run}/systemd/io.system.ManagedOOM rw,
 @{run}/systemd/io.systemd.ManagedOOM rw,
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index 4f9f965f..f6867f43 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@@ -41,8 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/resolved.conf r,
 /etc/systemd/resolved.conf.d/{,*} r,
+ @{att}/@{run}/systemd/notify w,
+
 @{run}/systemd/netif/links/* r,
- @{run}/systemd/notify rw,
 @{run}/systemd/resolve/{,**} rw,
 @{PROC}/@{pid}/cgroup r,
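Review bot: The added `@{att}/@{run}/systemd/io.systemd.ManagedOOM rw,` in systemd-oomd now sits next to the context line `@{run}/systemd/io.system.ManagedOOM rw,`, whose `io.system.` (no `d`) looks like a misspelling of the `io.systemd.` path used on the two neighbouring lines; if no socket exists under that name the rule is dead and could be dropped instead of being carried alongside the new one. Worth confirming against the socket the daemon actually creates before removing it. The enclosing profile continues outside the hunk.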
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index e2b6caaa..dd964f3b 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 /etc/.#timezone* rw,
 /etc/timezone rw,
- @{run}/systemd/notify rw,
+ @{att}/@{run}/systemd/notify rw,
 /dev/rtc@{int} r,
diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd
index ce698dc9..c57327bc 100644
--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@@ -30,6 +30,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
 /etc/machine-id r,
+ @{att}/@{run}/systemd/notify w,
+ @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
 @{run}/systemd/userdb/{,**} rw,
 @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid
index c374d468..332c1735 100644
--- a/apparmor.d/profiles-a-f/cpuid
+++ b/apparmor.d/profiles-a-f/cpuid
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/cpuid
 profile cpuid @{exec_path} {
 include
+ include
 capability mknod,
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd
index b3034dfe..182d9013 100644
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -29,7 +29,6 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
- @{run}/systemd/journal/socket rw,
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{sys}/class/hidraw/ r,
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index 2797ae2b..56c6f5f5 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@@ -30,8 +30,10 @@ profile ip @{exec_path} flags=(attach_disconnected) {
 umount /sys/,
 @{exec_path} mrix,
+
+ # To run command with 'ip netns exec'
 @{shells_path} rUx,
- @{bin}/sudo rPx,
+ @{bin}/sudo rPx,
 @{att}/ r,
@@ -40,6 +42,7 @@ profile ip @{exec_path} flags=(attach_disconnected) {
 /usr/share/iproute2/{,**} r,
+ @{run}/netns/ r,
 @{run}/netns/* rw,
 owner @{run}/netns/ rwk,
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci
index 3f0fe5d9..b390346b 100644
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@@ -35,6 +35,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/pci/devices/ r,
 @{sys}/bus/pci/slots/ r,
 @{sys}/bus/pci/slots/@{int}-@{int}/address r,
+ @{sys}/bus/pci/slots/@{int}/address r,
 @{sys}/devices/@{pci}/** r,
 @{sys}/module/compression r,
diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3
index f332ef21..a955a9c6 100644
--- a/apparmor.d/profiles-m-r/pinentry-gnome3
+++ b/apparmor.d/profiles-m-r/pinentry-gnome3
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/pinentry-gnome3
 profile pinentry-gnome3 @{exec_path} {
 include
+ include
 include
 signal (receive) set=(int) peer=gpg-agent,
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index a8630400..aa1f6b2b 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -42,6 +42,7 @@ profile snap @{exec_path} {
 @{exec_path} mrix,
 @{bin}/mount rix,
+ @{bin}/getent rix,
 @{bin}/gpg{,2} rCx -> gpg,
 @{bin}/systemctl rCx -> systemctl,
diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync
index 907def2b..85a408df 100644
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@@ -13,9 +13,8 @@ profile sync @{exec_path} {
 @{exec_path} mr,
- # Common paths where sync is used to flush all write operations on a single file to disk
- # TODO: /** rw, ?
- /boot/initrd-*-default rw,
+ # All paths where sync can be used to flush all write operations on a single file to disk
+ /** rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd
index c1e14d01..4d75a70e 100644
--- a/apparmor.d/profiles-s-z/uuidd
+++ b/apparmor.d/profiles-s-z/uuidd
@@ -17,8 +17,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/libuuid/clock.txt rwk,
- @{run}/uuidd/request w,
- @{att}/@{run}/uuidd/request w,
+ @{run}/uuidd/request rw,
+ @{att}/@{run}/uuidd/request rw,
 include if exists
 }
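Review bot: `/** rw,` grants the sync profile read and write on every path, which removes file-level confinement for this binary, and the new comment explains what sync does but not why write access is required when the tool writes no data itself. If the intent is only to let `sync FILE` open its argument, `/** r,` may already cover the common case and `w` could be limited to the fallback where the file is not readable — hedged, since the open flags coreutils uses cannot be checked from here. At minimum the comment should state that `w` is a conservative allow for open() rather than for a data write, so a later reader does not mistake it for a leftover TODO.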