diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index ced9cb1b..653221e1 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -4,24 +4,30 @@ # Minimal set of rules for all gnome based UI application. + include include include include include include - @{open_path} rPx -> child-open-help, - /usr/share/@{profile_name}/{,**} r, + / r, + owner @{user_cache_dirs}/@{profile_name}/ rw, - owner @{user_cache_dirs}/@{profile_name}/** rwlk, + owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**, owner @{user_config_dirs}/@{profile_name}/ rw, - owner @{user_config_dirs}/@{profile_name}/** rwlk, + owner @{user_config_dirs}/@{profile_name}/** rwlk -> @{user_config_dirs}/@{profile_name}/**, owner @{user_share_dirs}/@{profile_name}/ rw, - owner @{user_share_dirs}/@{profile_name}/** rwlk, + owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 54eeb79e..a64850f1 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -10,7 +10,6 @@ include profile epiphany @{exec_path} flags=(attach_disconnected) { include include - include include include include @@ -33,6 +32,8 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{open_path} rPx -> child-open, + @{bin}/bwrap rix, @{bin}/xdg-dbus-proxy rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, 
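Review bot: Dropping `@{open_path} rPx -> child-open-help,` from abstractions/common/gnome removes the opener exec from every profile that includes the abstraction, not only from the twenty-odd profiles this commit re-adds it to; any other consumer that launches the help viewer will now hit an exec denial with nothing in this diff pointing at it, so the full list of includers should be grepped before merge. The new `/ r,` goes the other way — it is now granted to every consumer, including ones that never listed the root directory — and deserves a one-line comment above it naming which component needs it. The `rwlk -> @{user_cache_dirs}/@{profile_name}/**` form pins hard-link targets to the profile's own tree; since the idiom now appears three times, a short comment above the first such rule stating that purpose would help readers who only know plain `l`. The include arguments and blank lines of this hunk were lost in rendering, so the include list itself cannot be reviewed here.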
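Review bot: epiphany is the only profile in this change whose opener rule targets `child-open` rather than `child-open-help` (`@{open_path} rPx -> child-open,`), and nothing in the hunk says why. If the browser only launches the opener for its help pages, the narrower `child-open-help` target used everywhere else is the safer choice; if it genuinely needs the general opener — handing off URL schemes it does not handle itself, say — a comment above the rule such as `# Hands external URL schemes to the default handler, so the general opener is needed` would keep the next reviewer from "fixing" it. The include removed in the -10,7 hunk lost its argument in rendering, so that part cannot be reviewed here, and the profile block continues outside both hunks.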
@@ -64,7 +65,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 17fcdc4f..2e553d9f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -21,6 +21,8 @@ profile gnome-calculator @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 16cfa77c..741be770 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/gnome-calendar profile gnome-calendar @{exec_path} { include - include include - include include include include @@ -40,6 +38,7 @@ profile gnome-calendar @{exec_path} { peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, + @{open_path} rPx -> child-open-help, /usr/share/evolution-data-server/{,**} r, /usr/share/libgweather/Locations.xml r, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index da42a2ef..fd6ded04 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,9 +10,7 @@ include profile gnome-clocks @{exec_path} { include include - include include - include include include include @@ -24,6 +22,7 @@ profile gnome-clocks @{exec_path} { #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index 66651f3a..b6474cf5 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts 
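Review bot: Removing `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` from epiphany is only safe if the profile includes abstractions/common/gnome, which now carries that rule; the include block sits above this hunk and outside it, so the dependency is not visible here. The same check applies to every profile this commit slims down against the abstraction: the comm removals in foliate, fractal, snapshot and totem, the `/ r,` removals in file-roller and fractal, and the cpu.max removals in fractal. totem's removed rule was `comm w` while the abstraction grants `rw`, a small widening worth a glance. A profile that drops a rule without including the abstraction will start producing denials at runtime with nothing in the diff to point at.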
@@ -9,8 +9,6 @@ include
 @{exec_path} = @{bin}/gnome-contacts
 profile gnome-contacts @{exec_path} {
   include
-  include
-  include
   include
   include
   include
@@ -26,6 +24,7 @@ profile gnome-contacts @{exec_path} {
   #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
   @{exec_path} mr,
+  @{open_path} rPx -> child-open-help,
   owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
   owner @{user_share_dirs}/folks/relationships.ini r,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index 29899f8f..f1e229b5 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -16,6 +16,7 @@ profile gnome-extensions-app @{exec_path} {
   @{sh_path} rix,
   @{bin}/gjs-console rix,
+  @{open_path} rPx -> child-open-help,
   /usr/share/gnome-shell/org.gnome.Extensions* r,
   /usr/share/terminfo/** r,
diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware
index 7d33b310..af44afbe 100644
--- a/apparmor.d/groups/gnome/gnome-firmware
+++ b/apparmor.d/groups/gnome/gnome-firmware
@@ -24,6 +24,7 @@ profile gnome-firmware @{exec_path} {
   #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
   @{exec_path} mr,
+  @{open_path} rPx -> child-open-help,
   include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-font-viewer b/apparmor.d/groups/gnome/gnome-font-viewer
index 2e16f9f4..0895bd7f 100644
--- a/apparmor.d/groups/gnome/gnome-font-viewer
+++ b/apparmor.d/groups/gnome/gnome-font-viewer
@@ -12,6 +12,7 @@ profile gnome-font-viewer @{exec_path} {
   include
   @{exec_path} mr,
+  @{open_path} rPx -> child-open-help,
   include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs
index ae81fc82..5e3ab03b 100644
--- a/apparmor.d/groups/gnome/gnome-logs
+++ b/apparmor.d/groups/gnome/gnome-logs
@@ -13,6 +13,7 @@ profile gnome-logs @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 1f2faafb..294d6229 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -22,6 +22,8 @@ profile gnome-maps @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + audit @{bin}/gjs-console rix, owner @{user_pictures_dirs}/** rw, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index a40c25fd..834e6703 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -28,6 +28,9 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.Tracker3.Writeback label=tracker-writeback @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + @{bin}/ r, @{bin}/env r, @{bin}/python3.@{int} rix, diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes index 5ebd788c..90025944 100644 --- a/apparmor.d/groups/gnome/gnome-recipes +++ b/apparmor.d/groups/gnome/gnome-recipes @@ -24,6 +24,7 @@ profile gnome-recipes @{exec_path} { @{exec_path} mr, @{bin}/tar rix, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index efbb55f3..22823753 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -19,6 +19,8 @@ profile gnome-text-editor @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour index 1dcb2af6..8ae95f4a 100644 --- a/apparmor.d/groups/gnome/gnome-tour +++ b/apparmor.d/groups/gnome/gnome-tour 
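Review bot: The new `@{open_path} rPx -> child-open-help,` in gnome-maps lands directly above `audit @{bin}/gjs-console rix,`, which looks like a left-over from profiling — `audit` makes every gjs-console exec emit an audit record on what is otherwise an ordinary allow rule. If the logging is deliberate, a comment above it saying so would stop it being removed as noise; if not, dropping `audit` is a one-word change. The gnome-maps profile block continues outside the hunk.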
@@ -13,6 +13,7 @@ profile gnome-tour @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index 11e75cb2..c73ff0a1 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -23,6 +23,7 @@ profile gnome-weather @{exec_path} { @{exec_path} mr, @{bin}/gjs-console rix, + @{open_path} rPx -> child-open-help, /usr/share/org.gnome.Weather/{,**} r, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 71d8f750..d9b709f9 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -10,8 +10,6 @@ include profile yelp @{exec_path} { include include - include - include include network netlink raw, @@ -19,6 +17,7 @@ profile yelp @{exec_path} { #aa:dbus own bus=session name=org.gnome.Yelp @{exec_path} mr, + @{open_path} rPx -> child-open-help, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -32,7 +31,7 @@ profile yelp @{exec_path} { @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, - owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 92977471..e66d8d66 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -17,6 +17,8 @@ profile baobab @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + # As a directory tree analyzer it needs full access to the filesystem / r, /** r, 
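Review bot: The corrected yelp rule `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,` now relies on `owner` to tie the match to the running user, since `@{uid}` is a numeric pattern expanded at policy load rather than the caller's actual uid; the neighbouring context rule for `app-gnome-yelp-*.scope/memory.*` carries no `owner` qualifier, so it matches any user's slice. Unless that difference was intentional, adding `owner` there keeps the two memory.* rules consistent. Both lines sit inside the yelp profile, whose block starts above the hunk.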
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 57eb19ae..1ea3b8e7 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include include include include @@ -23,6 +21,8 @@ profile file-roller @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + # Archivers @{bin}/7z rix, @{bin}/7zz rix, @@ -38,8 +38,6 @@ profile file-roller @{exec_path} { @{bin}/zstd rix, @{lib}/p7zip/7z rix, - / r, - @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index 0474684e..b1c48540 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -32,6 +32,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{bin}/gjs-console rix, @{bin}/xdg-dbus-proxy rix, @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open-help, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -65,7 +66,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 20eaa34a..637cc097 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal 
@@ -23,23 +23,17 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/xml/iso-codes/{,**} r, + @{open_path} rPx -> child-open-help, - / r, + /usr/share/xml/iso-codes/{,**} r, owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ r, diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot index e7d84b0b..9c5d5b9d 100644 --- a/apparmor.d/profiles-s-z/snapshot +++ b/apparmor.d/profiles-s-z/snapshot @@ -17,11 +17,11 @@ profile snapshot @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + owner @{user_pictures_dirs}/Camera/{,**} rw, owner @{user_videos_dirs}/Camera/{,**} rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 7a7dd709..a71a80c0 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,8 +10,6 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include - include include include include @@ -30,6 +28,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, + @{open_path} rPx -> child-open-help, /usr/share/xml/iso-codes/{,**} r, /usr/share/grilo-plugins/{,**} r, @@ -56,7 +55,6 @@ profile totem @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/comm w, deny @{user_share_dirs}/gvfs-metadata/* r,