diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index c749bf25..87865197 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -101,7 +101,7 @@
 owner @{tmp}/Temp-@{uuid}/ rw,
 owner @{tmp}/Temp-@{uuid}/* rwk,
 owner @{tmp}/tmp-*.xpi rw,
- owner @{tmp}/tmpaddon r,
+ owner @{tmp}/tmpaddon rw,
 owner @{tmp}/tmpaddon-@{int} r,
 owner /dev/shm/org.chromium.@{rand6} rw,
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index b5b119d0..65bc2837 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -44,8 +44,11 @@
 owner /tmp/newroot/ w,
 owner /tmp/oldroot/ w,
- @{PROC}/sys/kernel/overflowgid r,
- @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/kernel/overflowgid r,
+ @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/user/max_user_namespaces r,
+ owner @{PROC}/@{pid}/fd/ r,
+ @{att}/@{PROC}/sys/user/max_user_namespaces rw,
 owner @{att}/@{PROC}/@{pid}/cgroup r,
 owner @{att}/@{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 1a4b83e2..e8f0328a 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -28,6 +28,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=accessibility name=org.freedesktop.DBus
 #aa:dbus own bus=session name=org.a11y.{B,b}us
+ dbus receive bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=Hello
+ peer=(name=@{busname}),
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index ecec3cb4..014f7afd 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
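Review bot: `@{att}/@{PROC}/sys/user/max_user_namespaces rw,` in the bwrap abstraction grants write access to a system-wide sysctl, while the non-`@{att}` variant added two lines above is read-only, and this abstraction is pulled into every profile that runs bubblewrap. As far as I know bubblewrap only reads that value to report a useful error, so unless a logged denial showed an actual write the rule should be `@{att}/@{PROC}/sys/user/max_user_namespaces r,` so that the two variants agree. If a write really is required, a one-line comment naming the caller that performs it would stop the next reviewer from narrowing it again.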
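Review bot: The new `dbus receive bus=accessibility … member=Hello peer=(name=@{busname})` rule in dbus-accessibility carries no comment explaining why it is needed next to the `#aa:dbus own bus=accessibility name=org.freedesktop.DBus` directive that already generates the bus-driver ownership rules; the same unexplained rule is added to dbus-session in the next hunk. I cannot tell from the hunk what the directive expands to, so a comment such as `# Every new connection sends Hello to the bus driver before it has a well-known name` above the rule would document the intent and make clear that the explicit rule, not the directive, is expected to match. Writing it once in each of the two profiles keeps them readable independently.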
@@ -31,6 +31,10 @@ profile dbus-session flags=(attach_disconnected) {
 signal (send) set=(term hup kill) peer=xdg-*,
 #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus}
+ dbus receive bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=Hello
+ peer=(name=@{busname}),
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index a569a734..0296a262 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -36,6 +36,7 @@ profile dbus-system flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
 dbus receive bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
+ member=Hello
 peer=(name=@{busname}),
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session
index cf17391b..79886827 100644
--- a/apparmor.d/groups/gnome/gnome-session
+++ b/apparmor.d/groups/gnome/gnome-session
@@ -17,6 +17,7 @@ profile gnome-session @{exec_path} {
 @{shells_path} rix,
 @{bin}/cat rix,
+ @{bin}/find rix,
 @{bin}/gettext rix,
 @{bin}/gettext.sh r,
 @{bin}/grep rix,
@@ -32,6 +33,7 @@ profile gnome-session @{exec_path} {
 @{bin}/tr rix,
 @{bin}/tty rix,
 @{bin}/uname rPx,
+ @{bin}/xargs rix,
 @{bin}/dpkg-query rpx,
 @{bin}/flatpak rCx -> flatpak,
@@ -57,6 +59,7 @@ profile gnome-session @{exec_path} {
 /etc/X11/Xsession.d/*im-config_launch r,
 owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/loginuid r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 7cc73949..f52340d4 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
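Review bot: In dbus-system, adding `member=Hello` narrows the existing bus-driver receive rule from every method of org.freedesktop.DBus to Hello alone, so calls such as RequestName or AddMatch from a peer matched by `peer=(name=@{busname})` are no longer covered by this rule. That is the right direction if the `#aa:dbus own bus=system name=org.freedesktop.DBus …` directive above expands to rules covering those members, which I cannot verify from the hunk; if it does not, they will surface as new denials for every connecting client. A comment such as `# Only Hello arrives before the peer has a well-known name; the own directive covers the rest` once that is confirmed would record the reasoning.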
@@ -198,10 +198,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/gdm/greeter/applications/{,**} r,
 /usr/share/libgweather/Locations.xml r,
- /usr/share/libinput*/ r,
- /usr/share/libinput*/{,**/}@{int2}-*.quirks r,
- /usr/share/libinput*/libinput/ r,
+ /usr/share/libinput*/{,**} r,
 /usr/share/libwacom/{,*.stylus,*.tablet} r,
+ /usr/share/poppler/{,**} r,
 /usr/share/wallpapers/** r,
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xml/iso-codes/{,**} r,
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index 10853ea8..75835395 100644
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -17,7 +17,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (send) set=(kill) peer=loupe//bwrap,
+ signal send set=kill peer=loupe//bwrap,
 #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
index 2d06a9ab..cdc563e0 100644
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/org.gnome.NautilusPreviewer
-profile org.gnome.NautilusPreviewer @{exec_path} {
+profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher
index de8f9ccb..63291093 100644
--- a/apparmor.d/groups/network/networkd-dispatcher
+++ b/apparmor.d/groups/network/networkd-dispatcher
@@ -26,6 +26,7 @@ profile networkd-dispatcher @{exec_path} {
 @{bin}/sed rix,
 @{lib}/networkd-dispatcher/routable.d/postfix rix,
+ @{lib}/NetworkManager/dispatcher.d/@{int}-chrony-onoffline rix,
 /etc/networkd-dispatcher/{,**} r,
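Review bot: `/usr/share/poppler/{,**} r,` is added to gnome-shell without a comment saying which component reads poppler's data files; gnome-shell does not render PDFs itself, so this is presumably for a thumbnailer or pixbuf loader running in-process, but that is an inference. A why-comment such as `# poppler data, read by the PDF thumbnailer loaded in-process` (adjusted to whatever the denial actually showed) would make the rule auditable later. The consolidation to `/usr/share/libinput*/{,**} r,` is read-only under /usr/share and replaces three narrower rules, so it is acceptable, with the small caveat that `libinput*` also matches any unrelated directory sharing that prefix.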
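Review bot: `flags=(attach_disconnected)` is added to the org.gnome.NautilusPreviewer profile header with no comment on what produced the disconnected path. The flag makes paths that cannot be resolved from the profile's namespace (typically objects opened inside a mount sandbox) attach to the root instead of being denied, so existing rules can start matching objects they were not written for; the repository's convention, visible in the bwrap abstraction in this same diff, is to anchor such paths explicitly with the `@{att}/` prefix. A comment above the profile line naming the trigger, for example `# attach_disconnected: <what produced the disconnected path>` with the placeholder filled in from the denial, would let the next reviewer judge whether an `@{att}/` rule is the narrower fix.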
diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay
index e101fc06..52c2de34 100644
--- a/apparmor.d/groups/pacman/yay
+++ b/apparmor.d/groups/pacman/yay
@@ -84,6 +84,7 @@ profile yay @{exec_path} {
 @{bin}/gpg{,2} mr,
 @{bin}/gpg-agent rPx,
+ @{bin}/dirmngr rPx,
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 2638ad0e..5ae75413 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -49,7 +49,7 @@ profile evince @{exec_path} {
 owner @{user_config_dirs}/evince/{,*} rw,
 owner @{tmp}/*.pdf r,
- owner @{tmp}/evince-*/{,**} rw,
+ owner @{tmp}/evince-@{int}/{,**} rw,
 owner @{tmp}/gtkprint* rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 774dfa9f..6585f638 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -87,10 +87,11 @@ profile mkinitramfs @{exec_path} {
 /var/tmp/ r,
 /var/tmp/modules_@{rand6} rw,
- /var/tmp/mkinitramfs_@{rand6}/@{lib}/modules/*/modules.{order,builtin} rw,
 owner /var/tmp/mkinitramfs_@{rand6} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/ rw,
 owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,
 owner /var/tmp/mkinitramfs-@{rand6} rw,
+ owner /var/tmp/mkinitramfs-*_@{rand6} rw,
 @{sys}/devices/platform/ r,
 @{sys}/devices/platform/**/ r,
diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp
index 235ef208..6b0917f8 100644
--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@@ -20,6 +20,8 @@ profile snap-seccomp @{exec_path} {
 @{lib_dirs}/**.so* mr,
+ @{bin}/getent rix, + /var/lib/snapd/seccomp/bpf/{,**} rw,
 owner @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index 8ccbbf0f..41219a4f 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -26,6 +26,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
+ @{sh_path} mr,
 @{bin}/grep rix,
 @{open_path} rPx -> child-open-strict,
@@ -44,6 +45,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
 @{PROC}/pressure/* r,
+ @{PROC}/@{pid}/net/unix r,
 owner @{PROC}/@{pid}/clear_refs w,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton
index 46f296c4..ab82925a 100644
--- a/apparmor.d/profiles-s-z/steam-game-proton
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@@ -76,6 +76,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
 owner @{share_dirs}/*.dll r,
 owner @{share_dirs}/bin/ r,
+ owner @{share_dirs}/installscriptevalutor_log.txt rw,
 owner @{share_dirs}/legacycompat/ r,
 owner @{share_dirs}/legacycompat/** mr,
 owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp
index 0378e62f..153ded88 100644
--- a/apparmor.d/profiles-s-z/tlp
+++ b/apparmor.d/profiles-s-z/tlp
@@ -45,7 +45,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 @{bin}/readlink rix,
 @{bin}/rm rix,
 @{bin}/sort rix,
- @{bin}/systemctl rCx -> systemctl,
+ @{bin}/systemctl rCx -> systemctl,
 @{bin}/touch rix,
 @{bin}/tr rix,
 @{bin}/udevadm rCx -> udevadm,
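Review bot: `installscriptevalutor_log.txt` in the steam-game-proton hunk reads like a misspelling of "evaluator", but as far as I know Steam itself writes a log under exactly that name, so the rule is correct as written; a comment such as `# sic: file name is misspelled by Steam itself` next to it would stop a future contributor from "fixing" the path and silently breaking the match. The rule is `owner` and limited to one log file, which is appropriately narrow. Note that the profile header still carries `complain`, so any mismatch here would only show up as a logged event rather than a denial for now.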
@@ -63,30 +63,33 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 /var/lib/tlp/{,**} rw,
 /var/lib/power-profiles-daemon/state.ini rw,
+ owner /tmp/tlp-run.conf_tmp@{rand6} rw, + owner @{run}/tlp/{,**} rw,
 owner @{run}/tlp/lock_tlp rwk,
 @{run}/udev/data/+platform:* r,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/@{pci}/{,**/}power/control w,
 @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
- @{sys}/module/pcie_aspm/parameters/policy rw,
- @{sys}/module/snd_hda_intel/parameters/power_save rw,
- @{sys}/module/snd_hda_intel/parameters/power_save_controller rw,
 @{sys}/firmware/acpi/platform_profile* rw,
 @{sys}/firmware/acpi/pm_profile* rw,
+ @{sys}/module/*/parameters/power_save rw,
+ @{sys}/module/*/parameters/power_save_controller rw,
+ @{sys}/module/pcie_aspm/parameters/policy rw,
 owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw,
 owner @{PROC}/sys/kernel/nmi_watchdog rw,
 owner @{PROC}/sys/vm/dirty_*_centisecs rw,
 owner @{PROC}/sys/vm/laptop_mode rw,
- /dev/disk/by-id/ r,
- /dev/tty rw,
-
 profile systemctl {
 include
 include
+ capability net_admin, + include if exists
 }
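Review bot: `@{sys}/module/*/parameters/power_save rw,` and `@{sys}/module/*/parameters/power_save_controller rw,` widen the former snd_hda_intel-only rules to the parameters of every loaded kernel module, i.e. write access to any module parameter that happens to be named power_save; as far as I know tlp's sound power management only touches the sound drivers (snd_hda_intel and snd_ac97_codec), so `@{sys}/module/snd_*/parameters/power_save rw,` and the matching `_controller` rule would cover the new case without a blanket wildcard. `capability net_admin,` in the systemctl subprofile also has no comment saying which systemctl invocation needs it, and a capability that broad in a child profile should at least name the denial it answers, e.g. `# net_admin: <denial that required it>` with the placeholder filled in. The hunk also drops `/dev/disk/by-id/ r,` and `/dev/tty rw,`; if tlp's disk handling resolves by-id names this will come back as a denial, which I cannot confirm from the hunk. The tlp profile continues outside the hunk after the systemctl subprofile closes.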