diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 8020d467..84da0a5f 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -18,14 +18,7 @@ profile ssh-agent @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/enlightenment_start rPUx,
 @{bin}/gpg-agent rPx,
- @{bin}/im-launch rPx,
- @{bin}/kwalletaskpass rPUx,
- @{bin}/openbox-session rPx,
- @{bin}/startkde rPUx,
- @{bin}/startxfce4 rPUx,
- @{bin}/sway rPUx,
 owner @{HOME}/@{XDG_SSH_DIR}/ rw,
 owner @{HOME}/@{XDG_SSH_DIR}/* r,
diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession
index 6228ff5c..63b0d400 100644
--- a/apparmor.d/profiles-s-z/x11-xsession
+++ b/apparmor.d/profiles-s-z/x11-xsession
@@ -11,7 +11,7 @@ include
 profile x11-xsession @{exec_path} {
 include
 include
- include
+ include
 @{exec_path} r,
@@ -54,7 +54,7 @@ profile x11-xsession @{exec_path} {
 @{bin}/openbox-session rPx,
 @{bin}/enlightenment_start rPUx,
 @{bin}/sway rPUx,
- @{bin}/ssh-agent rPx,
+ @{bin}/ssh-agent rCx -> ssh-agent,
 @{bin}/sudo rPx,
 #aa:only whonix
 @{lib}/*/*.sh r,
@@ -67,6 +67,31 @@ profile x11-xsession @{exec_path} {
 owner /tmp/file* rw,
 owner /tmp/tmp.@{rand10} rw,
+ owner /tmp/user/@{uid}/tmp.@{rand10} rw,
+
+ profile ssh-agent {
+ include
+
+ @{bin}/ssh-agent mr,
+
+ audit @{bin}/gpg-agent rPx,
+ @{sh_path} rix,
+ @{bin}/enlightenment_start rPUx,
+ @{bin}/env rix,
+ @{bin}/im-launch rPx,
+ @{bin}/kwalletaskpass rPUx,
+ @{bin}/openbox-session rPx,
+ @{bin}/startkde rPUx,
+ @{bin}/startxfce4 rPUx,
+ @{bin}/sway rPUx,
+
+ owner @{HOME}/.xsession-errors w,
+
+ owner /tmp/ssh-*/ rw,
+ owner /tmp/ssh-*/agent.* rw,
+
+ include if exists
+ }
 profile run-parts {
 include
@@ -104,6 +129,8 @@ profile x11-xsession @{exec_path} {
 @{bin}/gpg-agent rix,
+ owner @{HOME}/.xsession-errors w,
+
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
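Review bot: The changed line `@{bin}/ssh-agent rCx -> ssh-agent,` moves a session-spawned ssh-agent out of the shared profile in apparmor.d/groups/ssh/ssh-agent and into a child profile of x11-xsession, so the two rule sets now have to be kept in step by hand (the first hunk already diverges them by dropping the launcher rules from the shared profile), and nothing on the line records that. A comment next to the transition such as `# child profile: ssh-agent started by the session execs the session launcher itself, see groups/ssh/ssh-agent for the standalone one` would make the split visible to the next maintainer. The enclosing profile x11-xsession starts and ends outside the hunk.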
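Review bot: `audit @{bin}/gpg-agent rPx,` in the new ssh-agent child profile logs every gpg-agent exec even though the rule is allowed, and it stands out because the neighbouring rules and the shared profile in apparmor.d/groups/ssh/ssh-agent (first hunk) use plain `rPx`; if this is leftover debugging, drop the `audit` qualifier, otherwise add a one-line comment stating why this exec is audited. `@{bin}/env rix,` keeps whatever env goes on to run confined inside this child profile, which presumably is why the session launcher rules follow it; a short comment saying so would save the next reader from checking. The profile x11-xsession that encloses the new child starts and ends outside the hunk.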