From 8250e202a07d730da66079a4b130d0469981f8c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Nov 2023 21:24:40 +0000 Subject: [PATCH] feat(profile): general update. --- apparmor.d/abstractions/base.d/complete | 1 + apparmor.d/abstractions/chromium | 3 ++- apparmor.d/abstractions/systemd-common | 2 +- apparmor.d/groups/bus/dbus-run-session | 1 + .../groups/freedesktop/at-spi2-registryd | 3 ++- apparmor.d/groups/freedesktop/pipewire | 1 + .../groups/freedesktop/pipewire-media-session | 4 +--- .../freedesktop/xdg-desktop-portal-gnome | 2 ++ .../groups/freedesktop/xdg-document-portal | 23 +------------------ .../gnome/evolution-addressbook-factory | 2 ++ .../groups/gnome/evolution-calendar-factory | 2 ++ .../groups/gnome/evolution-source-registry | 2 ++ apparmor.d/groups/gnome/gdm-wayland-session | 1 + apparmor.d/groups/gnome/gnome-session-ctl | 8 ++++--- apparmor.d/groups/gnome/gnome-shell | 3 ++- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/goa-daemon | 2 ++ .../groups/gnome/gsd-print-notifications | 3 ++- apparmor.d/groups/gnome/gsd-printer | 2 ++ apparmor.d/groups/gnome/mutter-x11-frames | 2 ++ apparmor.d/groups/gnome/tracker-miner | 1 + apparmor.d/groups/gvfs/gvfsd-http | 2 ++ apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/profiles-a-f/apparmor_parser | 3 ++- apparmor.d/profiles-a-f/ffprobe | 2 +- apparmor.d/profiles-a-f/flatpak-portal | 5 ++-- .../profiles-a-f/flatpak-session-helper | 4 +++- apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-m-r/passimd | 1 + apparmor.d/profiles-m-r/pkexec | 16 +++++++------ apparmor.d/profiles-s-z/snapd-apparmor | 1 + apparmor.d/profiles-s-z/spotify | 1 + apparmor.d/profiles-s-z/sudo | 7 +++--- apparmor.d/profiles-s-z/udisksd | 2 +- apparmor.d/profiles-s-z/useradd | 1 + apparmor.d/profiles-s-z/wireplumber | 2 +- 37 files changed, 67 insertions(+), 53 deletions(-) 
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index 7b30bda9..11cd008c 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -15,6 +15,7 @@
 signal (receive) set=(term,cont) peer=systemd,
 signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
 signal (receive) set=(term,kill) peer=gnome-shell,
+ signal (receive) set=(term,kill) peer=gnome-system-monitor,
 signal (receive) set=(term,kill) peer=openbox,
 signal (receive) set=(term,kill) peer=su,
diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index 0507fd86..3c23ca7f 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -104,9 +104,10 @@
 /etc/@{name}/{,**} r,
 /etc/fstab r,
+ /etc/gnutls/config r,
+ /etc/igfx_user_feature{,_next}.txt w,
 /etc/libva.conf r,
 /etc/opensc.conf r,
- /etc/igfx_user_feature{,_next}.txt w,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common
index 7c7ff862..bca8c9a5 100644
--- a/apparmor.d/abstractions/systemd-common
+++ b/apparmor.d/abstractions/systemd-common
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- ptrace (read),
+ ptrace (read) peer=@{systemd},
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
 @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session
index 3b9f943b..e3e09200 100644
--- a/apparmor.d/groups/bus/dbus-run-session
+++ b/apparmor.d/groups/bus/dbus-run-session
@@ -20,6 +20,7 @@ profile dbus-run-session @{exec_path} {
 @{bin}/gnome-session rix,
 @{bin}/gnome-shell rPx,
 @{bin}/gsettings rPx,
+ @{bin}/startplasma-wayland rPUx,
 @{lib}/gnome-session-binary rPx,
 # /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd
index 0903ca32..e146a626 100644
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@@ -15,8 +15,9 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (receive) set=(term hup) peer=gdm*,
+ signal (receive) set=(term hup kill) peer=@{systemd},
 signal (receive) set=(term hup kill) peer=dbus-daemon,
+ signal (receive) set=(term hup kill) peer=gdm*,
 dbus bind bus=accessibility name=org.a11y.atspi.Registry,
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index 90b61ffa..39bc32b6 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -50,6 +50,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 /usr/share/pipewire/pipewire*.conf r,
+ /etc/gnutls/config r,
 /etc/pipewire/client.conf r,
 /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
 /etc/pipewire/pipewire.conf r,
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index 39905a39..736d43b4 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@@ -15,6 +15,7 @@ profile pipewire-media-session @{exec_path} {
 include
 include
 include
+ include
 network bluetooth raw,
 network bluetooth seqpacket,
@@ -62,9 +63,7 @@ profile pipewire-media-session @{exec_path} {
 @{run}/systemd/users/@{uid} r,
- @{sys}/class/video4linux/ r,
 @{sys}/devices/**/sound/**/uevent r,
- @{sys}/devices/pci[0-9]*/**/modalias r,
 @{sys}/devices/pci[0-9]*/**/sound/**/pcm_class r,
 @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
 @{sys}/devices/system/node/ r,
@@ -72,7 +71,6 @@ profile pipewire-media-session @{exec_path} {
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- /dev/video@{int} rw,
 /dev/snd/ r,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 00921e7a..606852d2 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -134,6 +134,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 /usr/share/X11/xkb/{,**} r,
+ /etc/gnutls/config r,
+
 /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
 /var/lib/snapd/desktop/icons/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index 967efdd5..e41b52b5 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -53,7 +53,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/flatpak rCx -> flatpak,
+ @{bin}/flatpak rPUx,
 @{bin}/fusermount{,3} rCx -> fusermount,
 / r,
@@ -72,27 +72,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 # file inherit
 owner /dev/tty@{int} rw,
- profile flatpak {
- include
-
- @{bin}/flatpak mr,
-
- / r,
- /etc/flatpak/remotes.d/{,*} r,
-
- /var/lib/flatpak/{,**} rw,
-
- owner @{user_cache_dirs}/flatpak/{,**} r,
- owner @{user_config_dirs}/user-dirs.dirs r,
- owner @{user_share_dirs}/flatpak/{,**} r,
-
- @{PROC}/sys/kernel/random/boot_id r,
-
- /dev/tty rw,
-
- include if exists
- }
-
 profile fusermount {
 include
 include
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index e4150fbb..3d63dbd3 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
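Review bot: `@{bin}/flatpak rPUx,` in the xdg-document-portal hunk falls back to running flatpak unconfined whenever no profile named `flatpak` is loaded, and the second hunk of the same file deletes the local `profile flatpak { … }` child whose rules bounded that helper (`/var/lib/flatpak/{,**} rw` plus owner-only cache and share reads), so on a host without a standalone flatpak profile the portal's child loses confinement entirely instead of keeping a narrow one. If the repository ships a standalone `flatpak` profile (none is visible in this diff, which only touches flatpak-portal and flatpak-session-helper), `@{bin}/flatpak rPx,` keeps the domain transition and fails closed when the profile is missing. Otherwise a one-line comment should state why the unconfined fallback is acceptable here, e.g. `@{bin}/flatpak rPUx, # TODO(review): unconfined fallback when the flatpak profile is not loaded — confirm intended`. The rest of the xdg-document-portal profile lies outside these two hunks.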
@@ -49,6 +49,8 @@ profile evolution-addressbook-factory @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
+ /etc/gnutls/config r,
+
 owner @{user_share_dirs}/evolution/{,**} rwk,
 owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index b9a9e66d..ee8e67d3 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -47,6 +47,8 @@ profile evolution-calendar-factory @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /etc/gnutls/config r,
+
 owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
 owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry
index 6c8e769f..b8e32743 100644
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@@ -50,6 +50,8 @@ profile evolution-source-registry @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /etc/gnutls/config r,
+
 owner @{user_cache_dirs}/evolution/{,**} rwk,
 owner @{user_config_dirs}/evolution/sources/{,*} rw,
 owner @{user_share_dirs}/evolution/{,**} r,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index ca1efc1b..62670ddf 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -17,6 +17,7 @@ profile gdm-wayland-session @{exec_path} {
 include
 include
+ signal (receive) set=(hup) peer=@{systemd},
 signal (receive) set=term peer=gdm{,-session-worker},
 signal (send) set=(term) peer=dbus-run-session,
 signal (send) set=(term) peer=dbus-daemon,
diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl
index b5ffa063..94c49a9a 100644
--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@@ -11,6 +11,10 @@ profile gnome-session-ctl @{exec_path} {
 include
 include
+ signal (receive) set=(kill) peer=@{systemd},
+
+ unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),
+
 dbus send bus=session path=/org/freedesktop/systemd[0-9]* interface=org.freedesktop.systemd[0-9]*.Manager member={StartUnit,StopUnit}
@@ -21,12 +25,10 @@ profile gnome-session-ctl @{exec_path} {
 member=Initialized peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
- unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),
-
 @{exec_path} mr,
- owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
 @{run}/user/@{uid}/systemd/notify rw,
+ owner @{run}/user/@{uid}/gnome-session-leader-fifo r,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index da4a5478..a44a0bc6 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -468,7 +468,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{lib}/* rPUx,
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
- /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,
+ /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
 /opt/*/**/*.png r,
 /snap/*/@{uid}/**.png r,
@@ -500,6 +500,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /.flatpak-info r,
 /etc/fstab r,
+ /etc/gnutls/config r,
 /etc/pipewire/client.conf.d/{,**} r,
 /etc/timezone r,
 /etc/udev/hwdb.bin r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 123a899f..ee3a87bf 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -53,6 +53,7 @@ profile gnome-software @{exec_path} {
 /etc/appstream.conf r,
 /etc/flatpak/remotes.d/{,**} r,
+ /etc/gnutls/config r,
 /etc/PackageKit/Vendor.conf r,
 /etc/pulse/client.conf r,
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 83507c1e..8373ff25 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -65,6 +65,8 @@ profile goa-daemon @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /etc/gnutls/config r,
+
 /var/lib/gdm{3,}/.config/dconf/user r,
 owner @{user_config_dirs}/goa-1.0/ rw,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index 4a9871cd..0a020ab1 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -79,8 +79,9 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{lib}/gsd-printer rPx,
- /etc/machine-id r,
 /etc/cups/client.conf r,
+ /etc/gnutls/config r,
+ /etc/machine-id r,
 @{run}/cups/cups.sock rw,
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index ef20c976..ad4cbb5e 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -52,6 +52,8 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /etc/gnutls/config r,
+
 owner /tmp/[a-z0-9]* rw,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 7c170612..83ccf409 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -27,6 +27,8 @@ profile mutter-x11-frames @{exec_path} {
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
+ /etc/gnutls/config r,
+
 /var/lib/gdm{3,}/.config/dconf/user r,
 /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 25012770..8236971f 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -16,6 +16,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index abb98c80..9d5e0841 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -24,6 +24,8 @@ profile gvfsd-http @{exec_path} {
 @{exec_path} mr,
+ /etc/gnutls/config r,
+
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 2d50946e..7e49d30e 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -70,7 +70,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/wwan/ r,
 @{sys}/devices/**/uevent r,
- @{sys}/devices/pci[0-9]*/**/revision r,
+ @{sys}/devices/@{pci}/revision r,
 @{sys}/devices/virtual/net/*/ r,
 @{sys}/devices/virtual/tty/*/ r,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 604f451a..fc1542c3 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -118,6 +118,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 / r,
 /etc/ r,
+ /etc/gnutls/config r,
 /etc/iproute2/* r,
 /etc/machine-id r,
 /etc/network/interfaces r,
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index ee7b5a19..f9ed8b15 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -19,9 +19,10 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 @{lib_dirs}/snapd/apparmor.d/{,**} r,
- /etc/apparmor/{,**} r,
 /etc/apparmor.d/{,**} r,
 /etc/apparmor.d/cache.d/{,**} rw,
+ /etc/apparmor/{,**} r,
+ /etc/apparmor/cache.d/{,**} rw,
 /etc/apparmor/earlypolicy/{,**} rw,
 /usr/share/apparmor-features/{,**} r,
diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe
index fcb30189..4f3701aa 100644
--- a/apparmor.d/profiles-a-f/ffprobe
+++ b/apparmor.d/profiles-a-f/ffprobe
@@ -20,7 +20,7 @@ profile ffprobe @{exec_path} {
 owner @{user_videos_dirs}/** rw,
 @{sys}/devices/system/node/ r,
- @{sys}/devices/system/node/node[0-9]/meminfo r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal
index e17b75de..f96928e5 100644
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/profiles-a-f/flatpak-portal
@@ -32,9 +32,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/user-dirs.dirs r,
 owner @{user_share_dirs}/mime/mime.cache r,
- owner @{run}/user/@{uid}/.flatpak/@{int}/bwrapinfo.json r,
- owner @{run}/user/@{uid}/.flatpak/@{int}/info r,
- owner @{run}/user/@{uid}/.flatpak/@{int}/pid r,
+ owner @{run}/user/@{uid}/.flatpak/@{int}/* r,
+ owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper
index 3c2c35de..4bf7ca70 100644
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
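Review bot: `owner @{run}/user/@{uid}/.flatpak/@{int}/* r,` in the flatpak-portal hunk widens the three named files (`bwrapinfo.json`, `info`, `pid`) to every file in the instance directory, and the new `@{int}-private/*` rule covers a directory whose contents are not described anywhere in the hunk, so the widening cannot be checked from the diff. A comment naming the file(s) that triggered the change would keep it reviewable, e.g. `# TODO(review): list the files under .flatpak/@{int}-private/ that flatpak-portal reads`. The file also still ends without a trailing newline (the `\ No newline at end of file` marker follows the closing `}` on the new side); adding one avoids a spurious diff on the next edit.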
@@ -7,12 +7,14 @@ abi ,
 include
 @{exec_path} = @{lib}/flatpak-session-helper
-profile flatpak-session-helper @{exec_path} {
+profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
 include
+ signal (send) set=(int) peer=@{systemd},
+
 @{exec_path} mr,
 @{bin}/dbus-monitor rPUx,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index fad36516..3e711268 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -87,6 +87,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /etc/fwupd/{,**} rw,
+ /etc/gnutls/config r,
 /etc/lsb-release r,
 /etc/pki/fwupd-metadata/{,**} r,
 /etc/pki/fwupd/{,**} r,
diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd
index e725ecfe..895e0433 100644
--- a/apparmor.d/profiles-m-r/passimd
+++ b/apparmor.d/profiles-m-r/passimd
@@ -24,6 +24,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) {
 /usr/share/dbus-1/interfaces/org.freedesktop.Passim.xml r,
+ /etc/gnutls/config r,
 /etc/passim.conf r,
 /var/lib/passim/{,**} r,
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index 96e5fa8e..b9dd97ce 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -16,20 +16,21 @@ profile pkexec @{exec_path} {
 include
 include
- signal (send) set=(term, kill) peer=polkit-agent-helper,
-
 capability audit_write,
 capability dac_read_search,
+ capability net_admin,
 capability setgid, # gdbus
 capability setuid, # gmain
 capability sys_ptrace,
 capability sys_resource,
 audit deny capability sys_nice,
- ptrace (read),
-
 network netlink raw,
+ signal (send) set=(term, kill) peer=polkit-agent-helper,
+
+ ptrace (read),
+
 dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties member=GetAll
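Review bot: `capability net_admin,` is added to the setuid-root pkexec profile without the short why-comment its neighbours carry (`capability setgid, # gdbus`, `capability setuid, # gmain`), and nothing else in the hunk shows what pkexec does with it — `network netlink raw,` is kept as context, so this is an addition rather than a replacement. net_admin covers interface, routing and firewall configuration and is one of the capabilities an auditor will question first in a privilege-escalation helper, so the line should name the code path that needs it, e.g. `capability net_admin, # TODO(review): document which pkexec/polkit call requires this`, or become an `audit deny capability net_admin,` like the `sys_nice` line if it only silences a probe. The remainder of the pkexec profile lies outside this hunk.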
@@ -61,20 +62,21 @@ profile pkexec @{exec_path} {
 @{lib}/update-notifier/package-system-locked rPx,
 /usr/share/apport/apport-gtk rPx,
- /etc/shells r,
 @{etc_ro}/environment r,
- /etc/default/locale r,
 @{etc_ro}/security/limits.d/{,*} r,
+ /etc/default/locale r,
+ /etc/shells r,
 @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/loginuid r,
 # file_inherit
 owner /dev/tty@{int} rw,
 owner @{HOME}/.xsession-errors w,
 # Silencer
- deny @{user_share_dirs}/gvfs-metadata/* r,
+deny @{user_share_dirs}/gvfs-metadata/* r,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor
index b23ea4fd..2f4556cf 100644
--- a/apparmor.d/profiles-s-z/snapd-apparmor
+++ b/apparmor.d/profiles-s-z/snapd-apparmor
@@ -16,6 +16,7 @@ profile snapd-apparmor @{exec_path} {
 @{bin}/systemd-detect-virt rPx,
 @{lib_dirs}/snapd/apparmor_parser rPx,
+ @{bin}/apparmor_parser rPx,
 @{lib_dirs}/snapd/info r,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index c6fb08ef..0d7f883c 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -42,6 +42,7 @@ profile spotify @{exec_path} {
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
 @{lib}/gio-launch-desktop rPx -> child-open,
+ /etc/gnutls/config r,
 /etc/libva.conf r,
 /etc/machine-id r,
 /etc/spotify-adblock/* r,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 487cdf07..72a985a2 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -35,10 +35,10 @@ profile sudo @{exec_path} {
 ptrace (read),
+ signal (send,receive) peer=cockpit-bridge,
 signal (send) peer=unconfined,
 signal (send) set=(cont,hup) peer=su,
- signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot,pacman},
- signal (send,receive) peer=cockpit-bridge,
+ signal (send) set=(winch),
 dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager
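Review bot: The re-added silencer rule `+deny @{user_share_dirs}/gvfs-metadata/* r,` in the second pkexec hunk is written at column 0, unlike the indented line it replaces and every other rule in the hunk; the parser accepts it, but the profile's indentation is broken at that line — rewrite it with the same leading whitespace as the `# Silencer` comment above it. The new `owner @{PROC}/@{pid}/loginuid r,` is read-only and owner-scoped, consistent with the neighbouring `fd/` rule, and needs no change.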
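Review bot: `signal (send) set=(winch),` in the sudo hunk carries no `peer=` and so lets sudo deliver SIGWINCH to any process, where the removed line limited it to `{apt,zsysd,zsys-system-autosnapshot,pacman}`. SIGWINCH is low impact, but the other send rules visible in this hunk all name a peer (`unconfined`, `su`, `cockpit-bridge`), so either the peer list should be kept or the line should say why it was dropped, e.g. `signal (send) set=(winch), # TODO(review): any command running in sudo's pty — confirm`. The rest of the sudo profile's signal rules lie outside this hunk.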
@@ -50,12 +50,11 @@ profile sudo @{exec_path} {
 member={JobRemoved,StartTransientUnit},
 @{exec_path} mr,
+ @{lib}/sudo/** mr,
 @{bin}/{,b,d,rb}ash rUx,
 @{bin}/{c,k,tc,z}sh rUx,
- @{lib}/** rPUx,
- @{lib}/sudo/** mr,
 /opt/*/** rPUx,
 /snap/snapd/@{int}@{bin}/snap rPUx,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index fa041e79..99b4381a 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -53,7 +53,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
 umount @{run}/udisks2/temp-mount-*/,
- umount /media/cdrom[0-9]/,
+ umount /media/cdrom@{int}/,
 signal (receive) set=(int) peer=@{systemd},
diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd
index d89bf6d8..6dbb6cd5 100644
--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/profiles-s-z/useradd
@@ -24,6 +24,7 @@ profile useradd @{exec_path} {
 @{exec_path} mr,
+ @{bin}/nscd rix,
 @{bin}/usermod rPx,
 @{bin}/pam_tally2 rCx -> pam_tally2,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index 6e48b31c..f4d3304f 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -37,6 +37,7 @@ profile wireplumber @{exec_path} {
 /usr/share/spa-*/bluez[0-9]*/{,*} r,
 /usr/share/wireplumber/{,**} r,
+ /etc/gnutls/config r,
 /etc/machine-id r,
 /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
@@ -61,7 +62,6 @@ profile wireplumber @{exec_path} {
 @{sys}/devices/**/device:*/**/path r,
 @{sys}/devices/**/sound/**/pcm_class r,
 @{sys}/devices/**/sound/**/uevent r,
- @{sys}/devices/pci[0-9]*/**/modalias r,
 @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
 @{sys}/devices/virtual/dmi/id/product_name r,
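Review bot: `@{bin}/nscd rix,` in the useradd hunk runs nscd inside the useradd profile (inherit), so whatever nscd touches during that call has to be allowed in useradd's rules rather than in a dedicated nscd profile, and the two programs share one domain for the duration. If the repository carries an nscd profile (not visible in this diff), `@{bin}/nscd rPx,` keeps the domains separate, as the neighbouring `@{bin}/usermod rPx,` already does; if it does not, a comment stating the use would make the choice reviewable, e.g. `@{bin}/nscd rix, # TODO(review): cache invalidation (nscd -i) — confirm`. useradd's remaining exec rules continue outside this hunk.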