diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 972a146c..800ebae3 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -82,18 +82,20 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, /etc/default/grub.d/* r, - /etc/dpkg/origins/{debian,ubuntu,} r, + /etc/dpkg/origins/{,debian,ubuntu} r, + /etc/fwupd/{,**} r, /etc/grub.d/* r, /etc/issue{.net,} r, /etc/kernel/*.d/*grub* r, /etc/legal r, /etc/lsb-release r, - /etc/profile.d/* r, - /etc/update-manager/{,**} r, - /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r, - /etc/update-motd.d/* r, - /etc/machine-id r, + /etc/pki/fwupd-metadata/{,**} r, + /etc/pki/fwupd/{,**} r, + /etc/profile.d/* r, + /etc/security/capability.conf r, + /etc/update-manager/{,**} r, + /etc/update-motd.d/* r, /var/log/unattended-upgrades/{,**} rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index bdebbdb0..dcd281a6 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -164,22 +164,24 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # As a temporary solution - see issue #128 @{bin}/keepassxc-proxy rix, + /usr/share/@{firefox_name}/{,**} r, /usr/share/doc/{,**} r, /usr/share/egl/{,**} r, - /usr/share/@{firefox_name}/{,**} r, + /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/libdrm/*.ids r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, /etc/@{firefox_name}/{,**} r, - /etc/fstab r, /etc/cups/client.conf r, + /etc/fstab r, /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, /etc/mailcap r, /etc/mime.types r, /etc/opensc.conf r, + /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, /var/lib/nscd/services r, 
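Review bot: `/etc/machine-id r,` is dropped from unattended-upgrade with no replacement visible in the hunk; if one of the profile's includes (their names are not shown on this page) now grants it nothing changes, otherwise that read starts being denied. Worth confirming against the abstraction before merge. The auditd hunk further down removes the same rule and the same check applies there.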
@@ -193,6 +195,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_share_dirs}/ r, diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index b1697fc7..7c5fb559 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -18,13 +18,16 @@ profile firefox-vaapitest @{exec_path} { include include + network netlink raw, + @{exec_path} mr, /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, - owner @{firefox_config_dirs}/firefox/*/.parentlock rw, - owner @{firefox_config_dirs}/firefox/*/startupCache/*Cache* r, + deny owner @{firefox_config_dirs}/firefox/*/.parentlock rw, + deny owner @{firefox_config_dirs}/firefox/*/startupCache/** r, + deny owner @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, owner /tmp/firefox/.parentlock rw, diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index 4a58e7ed..a63c3331 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -9,13 +9,14 @@ include @{exec_path} = @{bin}/plymouth-set-default-theme profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, + @{bin}/{,ba,da}sh rix, @{bin}/{m,g,}awk rix, @{bin}/grep rix, @{bin}/plymouth rPx, - @{bin}/{,ba,da}sh rix, /etc/plymouth/{,*} r, 
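Review bot: `network netlink raw,` is added to the firefox-vaapitest helper without a comment saying what triggered it; netlink raw is typically what libudev/libdrm device enumeration uses, but that is an inference and the rule broadens a small probe profile. Suggest annotating it in the file's own style, `network netlink raw, # TODO: record the denial that required this`. The three new `deny owner … startupCache` rules are fine as written: deny takes precedence over any allow, so they only silence reads the helper does not need.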
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index e642b30d..d1afed79 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -50,9 +50,13 @@ profile polkit-kde-authentication-agent @{exec_path} { owner /tmp/#@{int} rw, owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, + owner /tmp/xauth_@{rand6} r, @{run}/systemd/users/@{uid} r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 6a868324..9a2d133d 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov -# Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 53fe9aeb..c6137bda 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -12,6 +12,8 @@ profile xrdb @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, @{bin}/{,*-}cpp-[0-9]* rix, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 85c168bb..bca531ac 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot 
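Review bot: `capability dac_read_search,` in xrdb lets the process bypass read and search permission checks on every path the profile otherwise allows, whenever it runs with that capability (e.g. launched by a display manager as root), and the hunk gives no indication which access needed it. Please record the triggering path in a trailing comment, `capability dac_read_search, # TODO: name the file xrdb could not read without it`, or add a specific path rule instead if the denial pointed at one.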
@@ -19,10 +19,14 @@ profile xsetroot @{exec_path} { /etc/X11/cursors/*.theme r, + owner @{HOME}/.icons/** r, owner @{HOME}/.Xauthority r, owner @{HOME}/.xsession-errors w, + owner @{user_share_dirs}/sddm/xorg-session.log w, + owner /tmp/xauth_@{rand6} r, + @{run}/sddm/\{@{uuid}\} r, @{run}/user/@{uid}/xauth_@{rand6} rl, @{run}/sddm/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 0ffe712c..1e8e85d2 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -15,13 +15,13 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*", unix (send,receive) type=stream addr=none peer=(label=gnome-shell), @{exec_path} mrix, @@ -33,7 +33,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, /usr/share/libdrm/*.ids r, - /usr/share/X11/xkb/rules/evdev r, owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index b38531f1..c701c6e3 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -55,6 +55,7 @@ profile gnome-music @{exec_path} { owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 490d40b1..2dc8a7dd 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -19,6 +19,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -478,6 +479,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /opt/*/**/*.png r, /snap/*/@{uid}/**.png r, /usr/share/{,zoneinfo-}icu/{,**} r, + /usr/share/**.{png,jpg,svg} r, /usr/share/app-info/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -498,15 +500,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/libinput*/libinput/ r, /usr/share/libwacom/{,*.stylus,*.tablet} r, /usr/share/pipewire/client.conf r, - /usr/share/plymouth/*.png r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, - # freedesktop.org-strict - /usr/share/*ubuntu/applications/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /.flatpak-info r, /etc/fstab r, /etc/udev/hwdb.bin r, @@ -547,12 +544,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**/ r, - owner @{HOME}/.var/app/**.{png,jpg} r, + owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, - owner @{user_games_dirs}/**/*.{png,jpg} r, - owner @{user_music_dirs}/**/*.{png,jpg} r, + owner @{user_games_dirs}/**.{png,jpg,svg} r, + owner @{user_music_dirs}/**.{png,jpg,svg} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, owner @{user_config_dirs}/ibus/ w, 
@@ -627,9 +624,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/pci[0-9]*/**/drm/ r, - @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, + @{sys}/devices/pci[0-9]*/**/input@{int}/{properties,name} r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r, - @{sys}/devices/platform/**/input[0-9]*/{properties,name} r, + @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index d1313ae3..c8ee845c 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -185,8 +185,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner /dev/tty@{int} rw, - @{run}/udev/data/+sound:card@{int} r, # For sound @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** @@ -199,5 +197,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 8713ff7c..e96ef7d5 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -187,7 +187,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+backlight:* r, @{run}/udev/data/+drm:card* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+leds:* r, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index b6fb6267..8bf6eed4 100644 
--- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -121,12 +121,12 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab r, - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 2c8bfdeb..06233ed9 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -39,7 +39,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/nmcli rix, @{bin}/readlink rix, @{bin}/rm rix, - @{bin}/run-parts rPx, + @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rPx -> child-systemctl, @{bin}/systemd-cat rPx, @@ -66,5 +66,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + profile run-parts { + include + + /{usr/,}bin/run-parts mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 60bc001e..93b3fc73 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled 
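Review bot: the new `profile run-parts` child in nm-dispatcher grants no execute rule for the scripts run-parts exists to run (the dispatcher hooks, e.g. under `/etc/NetworkManager/dispatcher.d/`), so unless the include whose name is not visible on this page provides them, every hook will be denied once `@{bin}/run-parts rCx -> run-parts` replaces the old `rPx`. The child also spells the binary as `/{usr/,}bin/run-parts mr,` while the rest of the file uses `@{bin}/run-parts`; use the variable for consistency. An explicit hook rule is needed, with the transition mode chosen from the actual denials — `/etc/NetworkManager/dispatcher.d/* rix,` plus `@{bin}/{,ba,da}sh rix,` if the hooks are shell scripts, or a `rPUx` transition if they should not inherit this child.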
@@ -54,6 +54,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, /etc/iproute2/rt_tables r, + /etc/apt/sources.list.d/tailscale.list r, @{etc_rw}/resolv.*.conf rw, @{etc_rw}/resolv.conf rw, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index df7209e4..89d2f44e 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -49,8 +49,6 @@ profile pacman @{exec_path} { @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - @{bin}/sync mrix, - # Pacman hooks & install scripts @{bin}/{,ba}sh rix, @{bin}/appstreamcli rPx, @@ -101,16 +99,17 @@ profile pacman @{exec_path} { @{bin}/sbctl rPx, @{bin}/sed rix, @{bin}/setcap rix, + @{bin}/sync rix, @{bin}/sysctl rPx, @{bin}/systemctl rPx -> child-systemctl, @{bin}/systemd-* rPx, @{bin}/touch rix, @{bin}/tput rix, - @{bin}/update-ca-trust rPx, @{bin}/uname rPx, + @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, - @{bin}/update-mime-database rPx, @{bin}/update-grub rPx, + @{bin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/xmlcatalog rix, @{lib}/ghc-*/bin/ghc-pkg rix, @@ -189,6 +188,8 @@ profile pacman @{exec_path} { deny network inet stream, deny network inet6 stream, + + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop index ee0fc15a..219736e0 100644 --- a/apparmor.d/groups/systemd/systemd-cgtop +++ b/apparmor.d/groups/systemd/systemd-cgtop @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/systemd-cgtop profile systemd-cgtop @{exec_path} { include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index ce0f2efa..b3dc716c 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
@@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, + @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 4ac52cd3..a7d3fa06 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -83,22 +83,23 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/udev/static_node-tags/uaccess/ r, @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs - @{run}/udev/data/+input* r, # For mouse, keyboard, touchpad - @{run}/udev/data/+pci* r, - @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features - @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* - @{run}/udev/data/c14:[0-9]* r, # Open Sound System (OSS) - @{run}/udev/data/c21:[0-9]* r, # Generic SCSI access - @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* - @{run}/udev/data/c116:[0-9]* r, # For ALSA - @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card* - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, + @{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci:* r, + @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c21:@{int} r, # Generic SCSI access + @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, 
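Review bot: `@{run}/udev/data/c29:[0-9]* r,` is the only line in this rewritten systemd-logind block still using `[0-9]*`; since `[0-9]*` is one digit followed by any non-slash characters, it is looser than the `@{int}` its neighbours now use (assuming `@{int}` is the digits-only tunable), and the mismatch looks accidental. Change it to `@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*`. The tracker-extract and steam-game hunks convert their whole blocks consistently, so only this line is affected.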
diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled index b3ebe043..f3d90068 100644 --- a/apparmor.d/groups/systemd/systemd-portabled +++ b/apparmor.d/groups/systemd/systemd-portabled @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/systemd/systemd-portabled profile systemd-portabled @{exec_path} { include + include capability sys_ptrace, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 5a23844a..8a26c538 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -49,6 +49,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/ r, @{sys}/kernel/security/{,**} rw, + @{sys}/class/net/ r, @{sys}/devices/system/cpu/microcode/reload w, @{PROC}/@{pid}/net/unix r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index ccad90bb..b25ae070 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -23,6 +23,8 @@ profile apt-esm-json-hook @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{run}/cloud-init/cloud-id-nocloud r, + owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 8a210d3f..53a9461b 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -12,7 +12,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{bin}/dumpe2fs rPx, + @{bin}/dumpe2fs rPx, @{bin}/{,ba,da}sh rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 0fa35270..4428eedb 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
@@ -32,7 +32,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - mount fstype=overlayfs overlay -> /var/lib/docker/overlay2/*/merged/, + mount fstype=overlayfs -> /var/lib/docker/overlay2/*/merged/, mount options=(rw, bind) -> /run/docker/netns/*, mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/, mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/, diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 8f76fc1b..19dc83e2 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -23,18 +23,18 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /etc/audit/{,**} r, - /var/log/audit/{,**} rw, - /etc/machine-id r, + /var/log/audit/{,**} rw, + + @{run}/systemd/journal/dev-log w, owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, - @{run}/systemd/journal/dev-log w, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/sessionid r, owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/sessionid r, include if exists } diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 6f864fdd..d6220546 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -25,7 +25,7 @@ profile augenrules @{exec_path} { @{bin}/rm rix, /etc/audit/audit.rules rw, - /etc/audit/rules.d/ r, + /etc/audit/rules.d/{,*} r, owner /tmp/aurules.* rw, diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 19b14fe6..25e1c22c 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount 
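Review bot: the rewritten dockerd rule keeps `fstype=overlayfs`, but the in-tree overlay filesystem registers as `overlay` and, as far as I know, docker's overlay2 driver mounts with that type, so if that is what dockerd passes this rule never matches regardless of the dropped source field; the denial log on a current kernel would settle it. If both spellings can occur, `mount fstype={overlay,overlayfs} -> /var/lib/docker/overlay2/*/merged/,` covers them. Removing the `overlay` source pattern itself is harmless, since overlay mounts carry only a pseudo source.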
@@ -15,18 +15,6 @@ profile fusermount @{exec_path} { capability dac_read_search, capability sys_admin, - @{exec_path} mr, - - /etc/fuse.conf r, - /etc/machine-id r, - - # Where to mount ISO files - owner @{HOME}/*/ rw, - owner @{HOME}/*/*/ rw, - owner @{user_cache_dirs}/**/ rw, - @{run}/user/@{uid}/doc/ r, - /var/tmp/flatpak-cache-*/*/ r, - # Be able to mount ISO images mount fstype={fuse,fuse.*} -> @{HOME}/*/, mount fstype={fuse,fuse.*} -> @{HOME}/*/*/, @@ -45,6 +33,21 @@ profile fusermount @{exec_path} { umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, + @{exec_path} mr, + + /etc/fuse.conf r, + /etc/machine-id r, + + /var/tmp/flatpak-cache-*/*/ r, + + # Where to mount ISO files + owner @{HOME}/*/ rw, + owner @{HOME}/*/*/ rw, + + owner @{user_cache_dirs}/**/ rw, + + @{run}/user/@{uid}/doc/ r, + @{PROC}/@{pid}/mounts r, /dev/fuse rw, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 0939a251..5a2ef07b 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -33,10 +33,13 @@ profile git @{exec_path} { # the most similar commands, which it thinks can be used instead. Git binaries are all under # /usr/bin/ , so allow only this location. @{bin}/ r, - deny /{usr/,}sbin/ r, - deny /usr/local/{s,}bin/ r, + deny @{bin}/*/ r, deny /usr/games/ r, + deny /usr/local/{s,}bin/ r, deny /usr/local/games/ r, + deny /var/lib/flatpak/exports/bin/ r, + deny owner @{HOME}/.go/bin/ r, + deny owner @{user_bin_dirs}/ r, # These are needed for "git submodule update" @{bin}/{,ba,da}sh rix, @@ -97,7 +100,7 @@ profile git @{exec_path} { owner /tmp/* rw, owner /tmp/tmp*/ rw, # For TWRP-device-tree-generator owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**, - owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature + owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /tmp/git-commit-msg-.txt rw, # For android studio deny @{user_share_dirs}/gvfs-metadata/* r, 
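Review bot: `deny /{usr/,}sbin/ r,` is removed from git, and the replacement `deny @{bin}/*/ r,` covers subdirectories of the bin directories, not sbin itself; if `@{bin}` expands to both bin and sbin locations (I believe it does in this project's tunables — confirm), listing `/usr/sbin/` is now permitted, contradicting the comment above that only `/usr/bin/` should be readable. Either keep `deny /{usr/,}sbin/ r,` alongside the new denies or update the comment to say sbin listing is accepted. The `.git_vtag_tmp@{rand6}` tightening in the second git hunk, and the same change in pass and repo, is a welcome narrowing.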
@@ -112,7 +115,7 @@ profile git @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /tmp/.git_vtag_tmp* r, + owner /tmp/.git_vtag_tmp@{rand6} r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 9ccd2f26..3e43e51f 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -35,6 +35,8 @@ profile hugo @{exec_path} { owner @{user_projects_dirs}/**/.hugo_build.lock rwk, owner @{user_projects_dirs}/**/go.{mod,sum} rwk, + owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, + owner /tmp/hugo_cache/{,**} rwkl, owner /tmp/go-codehost-[0-9]* rw, diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 2fc5af4c..67359d3d 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -20,6 +20,7 @@ profile im-launch @{exec_path} { @{bin}/true rix, @{bin}/sed rix, @{bin}/dpkg-query rpx, + @{bin}/uim-toolbar-gtk3 rPUx, /usr/share/im-config/{,**} r, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 68a7257e..f40bdd2d 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc 
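Review bot: `@{bin}/uim-toolbar-gtk3 rPUx,` in im-launch falls back to running the toolbar unconfined whenever no `uim-toolbar-gtk3` profile is loaded, which is a wider grant than the `rix`/`rpx` transitions around it. If no profile exists yet, a trailing comment such as `rPUx, # no profile yet` keeps the fallback visible to the next reader, and `rPx` plus a dedicated profile would close it.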
@@ -58,6 +58,12 @@ profile keepassxc @{exec_path} { owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/* r, + + owner @{user_password_store_dirs}/ r, + owner @{user_password_store_dirs}/*.csv rw, + owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, + owner @{user_password_store_dirs}/#@{int} rw, + owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, @@ -68,10 +74,6 @@ profile keepassxc @{exec_path} { owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int}, owner @{user_config_dirs}/keepassxc/ rw, owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int}, - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/*.csv rw, - owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, - owner @{user_password_store_dirs}/#@{int} rw, owner /tmp/.[a-zA-Z]*/{,s} rw, owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int}, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 423f57e1..4cc9c3af 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -21,6 +21,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { capability sys_module, capability syslog, + network inet raw, + unix (receive) type=stream, @{exec_path} mrix, @@ -43,7 +45,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) { /var/lib/dkms/**/module/*.ko r, /var/lib/dpkg/triggers/* r, /var/lib/ebtables/lock r, - /var/tmp/dracut.*/{,**} rw, + + owner /var/tmp/*modules*/{,**} rw, + owner /var/tmp/dracut.*/{,**} rw, + owner /boot/System.map-* r, owner /tmp/mkinitcpio.*/{,**} rw, 
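Review bot: `network inet raw,` on kmod gives the module loader raw IPv4 socket access and the hunk does not say what needed it; it is more likely a side effect of how kmod is invoked here than something the binary does with the socket, but that is an inference. Please annotate the trigger, e.g. `network inet raw, # TODO: record the denial that required this`, and check whether the new `unix (receive) type=stream,` covers the actual need on its own. The added `owner /var/tmp/*modules*/{,**} rw,` is a broad glob; if it stands for one tool's scratch directory, naming that directory would be tighter.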
diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/profiles-g-l/locale-gen index 7d816e54..6344d7eb 100644 --- a/apparmor.d/profiles-g-l/locale-gen +++ b/apparmor.d/profiles-g-l/locale-gen @@ -10,16 +10,20 @@ include profile locale-gen @{exec_path} { include include + include + include capability dac_read_search, @{exec_path} mr, @{bin}/{,ba}sh rix, + @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, @{bin}/rm rix, @{bin}/sed rix, + @{bin}/sort rix, @{lib}/locale/locale-archive rwl, @{lib}/locale/locale-archive* rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 6e961ec6..add0d61c 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -105,8 +105,9 @@ profile mkinitramfs @{exec_path} { @{lib}/initramfs-tools/bin/* mr, @{lib}/@{multiarch}/ld-*.so* rix, - @{lib}{,x}32/ld-*.so{,.2} rix, + @{lib}/ld-*.so{,.2} rix, + include if exists } profile ldconfig { @@ -133,6 +134,7 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw, owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw, + include if exists } profile find { @@ -151,6 +153,7 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_*/{,**/} r, + include if exists } profile kmod { @@ -169,9 +172,11 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r, owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw, + owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r, owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index fe43edf0..0e54b6a7 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass 
@@ -50,7 +50,7 @@ profile pass @{exec_path} { # Pass extensions @{bin}/oathtool rix, # pass-otp - @{bin}/python3.[0-9]* rPx -> pass-import, # pass-import + @{bin}/python3.@{int} rPx -> pass-import, # pass-import @{bin}/qrencode rPUx, # pass-otp @{bin}/tomb rPUx, # pass-tomb @@ -59,8 +59,8 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/{,**} rw, owner /dev/shm/pass.*/{,*} rw, - @{PROC}/@{pids}/cmdline r, @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, @@ -122,7 +122,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, - owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature + owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature include if exists } @@ -141,6 +141,9 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.*/{,*} rw, + owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + + owner /dev/pts/@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index 497cecf6..097e1934 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -29,7 +29,7 @@ profile passwd @{exec_path} { /etc/nshadow rw, /etc/shadow rw, /etc/shadow- rw, - /etc/shadow.[0-9]* rw, + /etc/shadow.@{int} rw, /etc/shadow.lock rwl, /etc/shadow+ rw, diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 308d8689..bd3da6f4 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -19,10 +19,10 @@ profile pwck @{exec_path} { /etc/login.defs r, /etc/.pwd.lock wk, /etc/passwd rw, - /etc/passwd.[0-9]* rw, + /etc/passwd.@{int} rw, /etc/passwd.lock wl, /etc/shadow rw, - /etc/shadow.[0-9]* rw, + /etc/shadow.@{int} rw, /etc/shadow.lock wl, /etc/machine-id r, 
diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index ec76dd79..d1e6abb7 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -51,7 +51,7 @@ profile repo @{exec_path} { /usr/share/git-core/{,**} r, - owner /tmp/.git_vtag_tmp* rw, + owner /tmp/.git_vtag_tmp@{rand6} rw, owner /tmp/ssh-*/ rw, owner @{PROC}/@{pid}/fd/ r, @@ -82,7 +82,7 @@ profile repo @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, - owner /tmp/.git_vtag_tmp* r, + owner /tmp/.git_vtag_tmp@{rand6} r, } diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver index 23086db2..07690f08 100644 --- a/apparmor.d/profiles-s-z/ssserver +++ b/apparmor.d/profiles-s-z/ssserver @@ -13,13 +13,13 @@ profile ssserver @{exec_path} { include include - @{exec_path} mr, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, + @{exec_path} mr, + /etc/shadowsocks-rust/server/*/ss.json{,5} r, owner @{user_config_dirs}/shadowsocks-rust/server/*/ss.json{,5} r, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 5056edb1..dff551e8 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -181,9 +181,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) @{sys}/class/input/ r, @{sys}/class/net/ r, @{sys}/class/sound/ r, - @{sys}/devices/**/input[0-9]*/ r, - @{sys}/devices/**/input[0-9]*/capabilities/* r, - @{sys}/devices/**/input/input[0-9]*/ r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/class r, @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/report_descriptor r, diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 95703701..253f5513 100644 
--- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -83,7 +83,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { @{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix, @{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix, @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix, - @{lib}exec/steam-runtime-tools*/* mrix, + @{lib}/steam-runtime-tools*/* mrix, @{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix, @{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix, @@ -189,14 +189,14 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner /tmp/miles_image_* mr, owner /tmp/pressure-vessel-*/{,**} rwl, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+sound* r, - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c116:[0-9]* r, # for ALSA - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c116:@{int} r, # for ALSA + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, @{sys}/ r, @{sys}/bus/ r, 
@@ -204,10 +204,10 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/hidraw/ r,
 @{sys}/class/input/ r,
 @{sys}/class/sound/ r,
- @{sys}/devices/**/input[0-9]*/ r,
- @{sys}/devices/**/input[0-9]*/**/{vendor,product} r,
- @{sys}/devices/**/input[0-9]*/capabilities/* r,
- @{sys}/devices/**/input/input[0-9]*/ r,
+ @{sys}/devices/**/input@{int}/ r,
+ @{sys}/devices/**/input@{int}/**/{vendor,product} r,
+ @{sys}/devices/**/input@{int}/capabilities/* r,
+ @{sys}/devices/**/input/input@{int}/ r,
 @{sys}/devices/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/sound/card[0-9]*/** r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index bf5163ab..cc0a8651 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -25,19 +25,18 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 member={RequestName,ReleaseName}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
- dbus (bind) bus=system
- name=org.freedesktop.thermald,
+ dbus (bind) bus=system name=org.freedesktop.thermald,
 @{exec_path} mr,
+ /etc/thermald/thermal-conf.xml r,
+ /etc/thermald/thermal-cpu-cdev-order.xml r,
+
 owner @{run}/thermald/ rw,
 owner @{run}/thermald/thd_preference.conf rw,
 owner @{run}/thermald/thd_preference.conf.save w,
 owner @{run}/thermald/thermald.pid rwk,
- /etc/thermald/thermal-conf.xml r,
- /etc/thermald/thermal-cpu-cdev-order.xml r,
-
 @{sys}/class/hwmon/ r,
 @{sys}/class/thermal/ r,
 @{sys}/devices/platform/{,*} r,
@@ -51,10 +50,10 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/system/cpu/intel_pstate/status r,
 @{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
- @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_max_uw r,
- @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_min_uw r,
- @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmax_us r,
- @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmin_us r,
+ @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_max_uw r,
+ @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_min_uw r,
+ @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmax_us r,
+ @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmin_us r,
 @{sys}/devices/**/hwmon@{int}/name r,
 @{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r,
@@ -65,26 +64,25 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/thermal/**/{type,temp} r,
- @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
- @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/mode rw,
- @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/policy rw,
- @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
- @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
- @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_hyst r,
- @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/ r,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/mode rw,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/policy rw,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_temp rw,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_type r,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_hyst r,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/cdev[0-9]*_trip_point r,
- @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
- @{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw,
- @{sys}/devices/virtual/thermal/cooling_device[0-9]*/max_state r,
+ @{sys}/devices/virtual/thermal/cooling_device[@{int}/ r,
+ @{sys}/devices/virtual/thermal/cooling_device@{int}/cur_state rw,
+ @{sys}/devices/virtual/thermal/cooling_device@{int}/max_state r,
 @{sys}/devices/virtual/powercap/intel-rapl/ r,
 @{sys}/devices/virtual/powercap/intel-rapl/**/name r,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/ r,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/* r,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_time_window_us w,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_power_limit_uw w,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/enabled w,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/ r,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/* r,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/constraint_* w,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/enabled w,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r,
 /dev/acpi_thermal_rel rw,
 /dev/input/ r,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index b761b8a0..8ad33698 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -208,8 +208,8 @@ profile thunderbird @{exec_path} {
 deny @{thunderbird_config_dirs}/*.*/pepmda/** rwklmx,
 deny @{thunderbird_lib_dirs}/** w,
 deny /dev/ r,
- deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 deny /dev/urandom w,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives
index c9007679..92d56011 100644
--- a/apparmor.d/profiles-s-z/update-alternatives
+++ b/apparmor.d/profiles-s-z/update-alternatives
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -20,6 +21,9 @@ profile update-alternatives @{exec_path} {
 /var/lib/dpkg/alternatives/ r,
 /var/lib/dpkg/alternatives/* rw,
+ owner /var/lib/alternatives/ r,
+ owner /var/lib/alternatives/* rw,
+
 @{bin}/* w,
 @{bin}/*.dpkg-tmp rw,
@@ -28,7 +32,7 @@ profile update-alternatives @{exec_path} {
 /usr/** rw,
- /lib/firmware/* rw,
+ @{lib}/firmware/* rw,
 include if exists
 }
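Review bot: `@{sys}/devices/virtual/thermal/cooling_device[@{int}/ r,` carries a stray `[` before `@{int}`: the parser reads `[` as the start of a character class that is never closed, so the rule either fails to load or never matches the directory it replaces, while the sibling `cur_state`/`max_state` lines are spelled correctly. It should read `@{sys}/devices/virtual/thermal/cooling_device@{int}/ r,`. Separately, folding `constraint_*_time_window_us w` and `constraint_*_power_limit_uw w` into `intel-rapl{,-mmio}:@{int}/constraint_* w` grants write on every `constraint_*` attribute in those directories rather than the two thermald was known to write; if that widening is intended it deserves a comment, otherwise keep the two suffixes. The `trip_point_[0-9]*`, `cdev[0-9]*` and `intel-rapl:[0-9]*:[0-9]*` globs were left as `[0-9]*` while the rest of the hunk moved to `@{int}`, and the enclosing profile body starts and ends outside the hunk.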
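Review bot: the new `owner /var/lib/alternatives/ r,` and `owner /var/lib/alternatives/* rw,` lines carry an `owner` qualifier that the parallel `/var/lib/dpkg/alternatives/{,*}` rules directly above them do not, so the two alternatives databases are mediated differently with no stated reason. update-alternatives is normally run as root against root-owned state, so `owner` changes little in practice; either drop it to match the dpkg rules, or keep it and add a short comment such as `# non-Debian alternatives database` explaining why this path is owner-restricted. The enclosing profile body starts and ends outside this hunk.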
diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter
index 8fc3b46a..48e80589 100644
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@@ -60,11 +60,6 @@ profile vidcutter @{exec_path} {
 owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},
 owner @{user_cache_dirs}/ rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
- owner @{user_cache_dirs}/qtshadercache/ rw,
- owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
- owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
 owner @{user_config_dirs}/qt5ct/{,**} r,
diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen
index c65d199d..16409d3d 100644
--- a/apparmor.d/profiles-s-z/vlc-cache-gen
+++ b/apparmor.d/profiles-s-z/vlc-cache-gen
@@ -15,6 +15,9 @@ profile vlc-cache-gen @{exec_path} {
 @{lib}/vlc/plugins/{,*} rw,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+
 # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index b0f710d8..77fcb60d 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -24,12 +24,12 @@ profile wireplumber @{exec_path} {
 /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
 /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
- /etc/machine-id r,
-
 /usr/share/alsa-card-profile/{,**} r,
 /usr/share/spa-*/bluez[0-9]*/{,*} r,
 /usr/share/wireplumber/{,**} r,
+ /etc/machine-id r,
+
 /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
 owner @{user_state_dirs}/ w,