diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 4d7f9619..df06bc93 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -58,7 +58,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/mesa_shader_cache/index rw,
   owner @{user_cache_dirs}/thumbnails/{,**} rw,
   owner @{user_config_dirs}/gnome-control-center/{,**} rw,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-wayland-[0-9] r,
+  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
   owner @{user_share_dirs}/backgrounds/{,**} rw,
   owner @{user_share_dirs}/gvfs-metadata/home{,-*.log} r,
   owner @{user_share_dirs}/icc/{,edid-*} r,
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index c12b745d..b6170ff7 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -22,7 +22,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
   /usr/share/gdm/greeter-dconf-defaults r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/ r,
+  owner @{user_cache_dirs}/thumbnails/{,**} rw,
   include
   owner @{run}/user/@{uid}/dconf/ rw,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 0afc9e2f..393916fe 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -48,6 +48,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/dot rix,
   /{usr/,}bin/env rix,
   /{usr/,}bin/rm rix,
+  /{usr/,}bin/setcap rix,
   /{usr/,}bin/vercmp rix,
   /{usr/,}bin/xmlcatalog rix,
   /{usr/,}lib/ghc-*/bin/ghc-pkg rix,
diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod
index b3dcb70a..c3d9d5ad 100644
--- a/apparmor.d/groups/pacman/pacman-hook-depmod
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod
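Review bot: In the gsd-housekeeping hunk, `owner @{user_cache_dirs}/thumbnails/{,**} rw,` turns a single-directory read into recursive read/write over the whole thumbnail cache, and nothing in the hunk records why the wider scope is needed. Purging stale thumbnails does require `w` on the entries being unlinked, so the rule is plausibly correct, but a why-comment above it would keep the widening from looking accidental, e.g. `# Thumbnail cache purge: unlink needs w on the entries`. If it turns out only the `fail/` subtree is ever removed, `owner @{user_cache_dirs}/thumbnails/fail/{,**} rw,` would be the tighter form. The enclosing profile continues outside the hunk.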
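Review bot: In the pacman hunk, `/{usr/,}bin/setcap rix,` runs setcap inside pacman's own confinement, so setting file capabilities from package install scripts also needs `capability setfcap,` in this profile; no such rule is visible in the hunk, and if the profile does not already carry it the setcap calls will be denied rather than confined. Check the rest of the profile for `capability setfcap,` and add it next to the other capability rules if absent. A short comment naming the kind of hook that invokes setcap would also help later reviewers judge whether the exec rule is still needed. The profile body continues outside the hunk.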
@@ -10,11 +10,16 @@ include
 profile pacman-hook-depmod @{exec_path} {
   include
+  capability dac_read_search,
+
   @{exec_path} mr,
-  /{usr/,}bin/bash rix,
-  /{usr/,}bin/kmod rPx,
-  /{usr/,}bin/depmod rPx,
+  /{usr/,}bin/basename rix,
+  /{usr/,}bin/bash rix,
+  /{usr/,}bin/depmod rPx,
+  /{usr/,}bin/kmod rPx,
+
+  /dev/tty rw,
   # Inherit Silencer
   deny network inet6 stream,
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
index dcd663fb..3b6d5fb4 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
@@ -10,13 +10,18 @@ include
 profile pacman-hook-mkinitcpio-remove @{exec_path} {
   include
+  capability dac_read_search,
+
   @{exec_path} mr,
   /{usr/,}bin/bash rix,
-  /{usr/,}bin/rm rix,
+  /{usr/,}bin/cmp rix,
   /{usr/,}bin/mv rix,
+  /{usr/,}bin/rm rix,
+  /{usr/,}bin/sed rix,
   /usr/share/mkinitcpio/*.preset r,
+  /etc/mkinitcpio.d/*.preset rw,
   /boot/vmlinuz-* rw,
   /boot/initramfs-*.img rw,
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 6b53437d..9f0e8d1d 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -25,11 +25,13 @@ profile systemd-timesyncd @{exec_path} {
   /etc/adjtime r,
   /etc/systemd/timesyncd.conf r,
+  /etc/systemd/timesyncd.conf.d/{,**} r,
   owner /var/lib/systemd/timesync/clock rw,
   owner @{run}/systemd/timesync/synchronized rw,
   @{run}/systemd/netif/state r,
+  @{run}/resolvconf/*.conf r,
   include if exists
 }
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index c1a67ae1..b54d038d 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
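Review bot: In the pacman-hook-depmod hunk, `capability dac_read_search,` is added with no comment saying which access triggers it, and the same uncommented rule is added in the pacman-hook-mkinitcpio-remove hunk; since it lifts directory read/search DAC checks for the entire hook, a why-comment naming the path involved (e.g. `# Needed to read <PATH — confirm>`) would let a later reviewer tell whether it can be dropped. `/dev/tty rw,` also grants read on the controlling terminal; if the hook only prints progress, `/dev/tty w,` is the tighter rule, though the hook script itself is not visible here. The profile body continues outside the hunk.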
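Review bot: In the pacman-hook-mkinitcpio-remove hunk, `/etc/mkinitcpio.d/*.preset rw,` together with the new `/{usr/,}bin/sed rix,` suggests the presets are edited in place; if the hook uses `sed -i`, sed writes a temporary file with a generated name in `/etc/mkinitcpio.d/` and renames it over the preset, and that name does not match `*.preset`, so the edit would be denied. In that case add `/etc/mkinitcpio.d/sed* rw,` next to the preset rule. I cannot see the hook script from the hunk, so verify the editing method before changing the rule. The profile body continues outside the hunk.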
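Review bot: In the systemd-timesyncd hunk, `/etc/systemd/timesyncd.conf.d/{,**} r,` covers only the `/etc` drop-in directory, while timesyncd.conf(5) also loads drop-ins from `/run/systemd/timesyncd.conf.d/`, `/usr/lib/systemd/timesyncd.conf.d/` and `/usr/local/lib/systemd/timesyncd.conf.d/`, so a vendor-shipped drop-in would be denied under this rule. The adjacent `@{run}/systemd/netif/state r,` shows `@{run}` is already in scope, so `@{run}/systemd/timesyncd.conf.d/{,**} r,` and `/usr/{,local/}lib/systemd/timesyncd.conf.d/{,**} r,` fit alongside the new line. The profile header is outside the hunk.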
@@ -29,7 +29,9 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mountinfo r,
-  # Silencer
+  # Inherit Silencer
+  deny network inet6 dgram,
+  deny network inet dgram,
   deny network inet6 stream,
   deny network inet stream,
   deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index a40de57c..7c8da2de 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -80,6 +80,7 @@ profile htop @{exec_path} {
   @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
   @{sys}/class/hwmon/ r,
   @{sys}/class/power_supply/ r,
+  @{sys}/devices/*/name r,
   @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
   @{sys}/devices/**/hwmon/ r,
   @{sys}/devices/**/hwmon/{name,temp*} r,
diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings
index 4b98f522..abde85d6 100644
--- a/apparmor.d/profiles-m-r/pam/mappings
+++ b/apparmor.d/profiles-m-r/pam/mappings
@@ -25,10 +25,10 @@
   /{usr/,}bin/{c,k,tc,z}sh Px -> default_user,
 }
-# morfik is a confined user. The hat contains only the permissions necessary
+# USER is a confined user. The hat contains only the permissions necessary
 # to transition to gray's login shell. All other permissions have been
 # moved into the confined_user profile.
-^morfik {
+^USER {
   include
   include
diff --git a/apparmor.d/profiles-s-z/xdg-mime b/apparmor.d/profiles-s-z/xdg-mime
index 405442a1..0bce78a3 100644
--- a/apparmor.d/profiles-s-z/xdg-mime
+++ b/apparmor.d/profiles-s-z/xdg-mime
@@ -53,6 +53,9 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
   # For shell pwd
   owner @{HOME}/ r,
+  @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r,
+  @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r,
+
   # file_inherit
   @{MOUNTS}/** rw,
   /dev/dri/card[0-9]* rw,
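Review bot: In the pam/mappings hunk, the rewritten comment still reads `# to transition to gray's login shell.` one line below the new `# USER is a confined user.`, so the rename of the example user to USER is incomplete and the two sentences now name different users. Change the context line to `# to transition to USER's login shell. All other permissions have been` so the comment and the `^USER {` hat below it agree. If USER is meant as a placeholder to be substituted at install time, saying so in the same comment would prevent it from being read as a literal account name. The hat body continues outside the hunk.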
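Review bot: In the xdg-mime hunk, the two `@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/` reads sit between the `# For shell pwd` rule and the `# file_inherit` section with no comment explaining why a MIME query helper reads hardware sensors; presumably they are inherited from or triggered by a caller, but the hunk does not show which. Either move them under `# file_inherit` if that is their origin, or add a why-comment such as `# Sensor reads seen when invoked by <CALLER — confirm>` so the rules are not dropped as noise later. The two lines can also be folded into one, `@{sys}/devices/platform/**/hwmon/hwmon[0-9]*/{temp,fan}* r,`. The profile body continues outside the hunk.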