diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
index d483aec6..d6748c8d 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
@@ -7,6 +7,12 @@
 member=Get
 peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
+ # FIXME: should be under the systemd-timedated label
+ dbus send bus=system path=/org/freedesktop/timedate1
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.timedate1, label=unconfined),
+
 dbus send bus=system path=/org/freedesktop/timedate1
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 0ae9cfc6..e1ac3cc0 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -55,6 +55,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
 @{sys}/kernel/security/apparmor/features/dbus/mask r,
 @{sys}/module/apparmor/parameters/enabled r,
+ @{PROC}/@{pid}/attr/apparmor/current r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/oom_score_adj r,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 3170e272..800a3a79 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -25,6 +25,7 @@ profile xrdb @{exec_path} {
 /usr/include/stdc-predef.h r,
 @{etc_ro}/X11/xdm/Xresources r,
+ @{etc_ro}/X11/Xresources r,
 /etc/X11/Xresources/* r,
 # The location of the .Xresources file
diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor
index 83fc727f..e5b48169 100644
--- a/apparmor.d/groups/gnome/deja-dup-monitor
+++ b/apparmor.d/groups/gnome/deja-dup-monitor
@@ -12,6 +12,7 @@ profile deja-dup-monitor @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
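Review bot: The added rule is a copy of the Get rule above with only the peer label widened to unconfined, and the FIXME gives no condition under which systemd-timedated is seen unconfined, so there is no way to tell later when the rule can be removed. Expand the comment to record the trigger, e.g. `# FIXME: should be under the systemd-timedated label; needed while timedated runs unconfined (<which setup>), drop once its profile is loaded there`. With the label relaxed, the `name=org.freedesktop.timedate1` match and the system bus's ownership policy for that name are what keep an arbitrary unconfined process from answering these calls, which is worth stating so a later cleanup does not loosen the rule further (e.g. to `name=*`). The abstraction continues outside the hunk.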
@@ -19,7 +20,7 @@ profile deja-dup-monitor @{exec_path} {
 network netlink raw,
 #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor
- #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup
+ #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup interface=org.gtk.Actions
 dbus send bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 1e594187..f70e7209 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -30,7 +30,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
 signal (send) set=(kill) peer=bwrap,
- #aa:dbus: own bus=session name=org.gnome.Settings.GoaHelper
+ #aa:dbus own bus=session name=org.gnome.Settings.GoaHelper
 dbus send bus=session path=/org/gnome/OnlineAccounts
 interface=org.freedesktop.DBus.ObjectManager
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 573f1714..2b659cdc 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -30,7 +30,7 @@ profile gnome-extension-ding @{exec_path} {
 unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
 #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions
- #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell
+ #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 1d04ad91..17a2b54a 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -75,10 +75,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 # Owned by gnome-shell
- dbus bind bus=session name=org.gnome.*,
- dbus (send, receive) bus=session path=/org/gnome/**
- interface={org.gnome.*,org.freedesktop.{Application,DBus.Properties,DBus.ObjectManager},org.gtk.{Actions,Application}}
- peer=(name="{:*,org.gnome.*,org.freedesktop.DBus}"),
+ #aa:dbus own bus=session name=org.gnome.keyring.SystemPrompter
+ #aa:dbus own bus=session name=org.gnome.Mutter
+ #aa:dbus own bus=session name=org.gnome.Shell
 #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity
 #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions
@@ -88,17 +87,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 # Talk with gnome-shell
- #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
 #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
- ## System bus
+ #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+ #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
+ #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
- dbus (send, receive) bus=system path=/org/gnome/**
- interface=org.gnome.*
- peer=(name="{:*,org.gnome.*}"),
- dbus (send, receive) bus=system path=/org/gnome/**
- interface=org.freedesktop.DBus.Properties
- peer=(name="{:*,org.gnome.*}"),
+ # System bus
 dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
 interface=org.freedesktop.PolicyKit1.Authority
@@ -145,7 +140,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
 peer=(name=org.freedesktop.DBus, label=dbus-system),
- ## Session bus
+ # Session bus
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
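Review bot: The removed `dbus bind bus=session name=org.gnome.*` let gnome-shell claim any org.gnome name, while the new side lists only org.gnome.keyring.SystemPrompter, org.gnome.Mutter and org.gnome.Shell; whether sub-names such as org.gnome.Mutter.DisplayConfig or org.gnome.Shell.Screencast still bind now depends on the `#aa:dbus own` directive expanding to `name=<name>{,.*}`, which this diff does not show, and a name like org.gnome.ScreenSaver, if gnome-shell still holds it, is outside any such expansion. Worth checking the names gnome-shell actually owns on a live session (`busctl --user list` filtered on its PID) and adding an own directive for each one missing, rather than waiting for denials. The profile block continues outside the hunk.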
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index fcec0b96..d673e3bf 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -33,10 +33,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 interface={org.gnome.Nautilus,org.freedesktop.{Application,DBus.Properties},org.gtk.{Actions,Application}}
 peer=(name="{:*,org.gnome.Nautilus,org.freedesktop.DBus}"),
- #aa:dbus: own bus=session name=org.freedesktop.FileManager1
+ #aa:dbus own bus=session name=org.freedesktop.FileManager1
- #aa:dbus: talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
- #aa:dbus: talk bus=session name=org.gtk.vfs label=gvfsd
+ #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
+ #aa:dbus talk bus=session name=org.gtk.vfs label=gvfsd
 dbus receive bus=session path=/org/gnome/Nautilus/SearchProvider
 interface=org.gnome.Shell.SearchProvider2
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index 6067bd9e..b7becb2b 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -22,18 +22,25 @@ profile DiscoverNotifier @{exec_path} {
 @{bin}/apt-config rPx,
+ /usr/share/knotifications{5,6}/{,**} r,
 /usr/share/metainfo/{,**} r,
- /etc/flatpak/remotes.d/ r,
+ /etc/machine-id r,
+ /etc/flatpak/remotes.d/{,**} r,
 /var/lib/flatpak/repo/{,**} r,
+ /var/cache/swcatalog/cache/ w,
+ owner @{user_cache_dirs}/appstream/ r,
 owner @{user_cache_dirs}/appstream/** r,
 owner @{user_cache_dirs}/flatpak/{,**} rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
- owner @{user_config_dirs}/PlasmaDiscoverUpdates r,
+ owner @{user_config_dirs}/@{int} rw,
+ owner @{user_config_dirs}/PlasmaDiscoverUpdates rw,
+ owner @{user_config_dirs}/PlasmaDiscoverUpdates.@{rand6} rwl -> @{user_config_dirs}/@{int},
+ owner @{user_config_dirs}/PlasmaDiscoverUpdates.lock rwk,
 owner @{user_share_dirs}/flatpak/{,**} rw,
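Review bot: In the DiscoverNotifier hunk, `owner @{user_config_dirs}/@{int} rw,` grants read/write on every purely numeric file directly under the config directory, which is much wider than the PlasmaDiscoverUpdates save sequence the neighbouring rules describe (the temp file `PlasmaDiscoverUpdates.@{rand6}` is linked to that numeric name via `rwl -> @{user_config_dirs}/@{int}`). If the numeric file only ever exists as the link target of that rename, the standalone rule can likely drop `r`, and in any case a comment naming what creates the file (`# PlasmaDiscoverUpdates is saved via a temp file, a numeric hard link and a .lock`) would let the next reader judge the pattern instead of guessing. The profile block continues outside the hunk.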
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 640b82af..9f54ff8b 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -48,6 +48,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{exec_path} mr,
+ @{lib}/libheif/{,**} mr,
+
 @{bin}/dolphin rPUx,
 @{bin}/ksysguardd rix,
 @{bin}/plasma-discover rPUx,
diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge
index 7a7dd6c2..7cab0a6a 100644
--- a/apparmor.d/groups/kde/xwaylandvideobridge
+++ b/apparmor.d/groups/kde/xwaylandvideobridge
@@ -15,6 +15,8 @@ profile xwaylandvideobridge @{exec_path} {
 @{exec_path} mr,
+ /etc/machine-id r,
+
 owner @{user_cache_dirs}/xwaylandvideobridge/ rw,
 owner @{user_cache_dirs}/xwaylandvideobridge/** rwk,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index 2948109d..83721600 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -40,16 +40,16 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 "/opt/Mullvad VPN/resources/*" r,
 /etc/mullvad-vpn/{,*} r,
- /etc/mullvad-vpn/@{uid} rw,
+ /etc/mullvad-vpn/@{uuid} rw,
 /etc/mullvad-vpn/*.json rw,
 @{etc_rw}/resolv.conf rw,
 @{etc_rw}/resolv.conf.mullvadbackup rw,
- /var/cache/mullvad-vpn/{,*} rw,
- /var/log/mullvad-vpn/{,*} rw,
+ owner /var/cache/mullvad-vpn/{,*} rw,
+ owner /var/log/mullvad-vpn/{,*} rw,
 owner /var/log/private/mullvad-vpn/*.log rw,
- @{run}/mullvad-vpn rw,
+ owner @{run}/mullvad-vpn rw,
 @{run}/NetworkManager/resolv.conf r,
 @{sys}/fs/cgroup/net_cls/ w,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 41ec8b06..8020d467 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -20,7 +20,7 @@ profile ssh-agent @{exec_path} {
 @{sh_path} rix,
 @{bin}/enlightenment_start rPUx,
 @{bin}/gpg-agent rPx,
- @{bin}/im-launch rPUx,
+ @{bin}/im-launch rPx,
 @{bin}/kwalletaskpass rPUx,
 @{bin}/openbox-session rPx,
 @{bin}/startkde rPUx,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index aa7b21df..1f1052b7 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -33,6 +33,7 @@ profile systemd-journald @{exec_path} {
 @{exec_path} mr,
 /etc/systemd/journald.conf r,
+ /etc/systemd/journald.conf.d/{,**} r,
 @{run}/log/ rw,
 /{run,var}/log/journal/ rw,
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 5f530c74..e3a7bad0 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -46,8 +46,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
 /etc/systemd/networkd.conf r,
- /etc/systemd/network/ r,
- /etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,
+ /etc/systemd/network/{,**} r,
 /etc/networkd-dispatcher/carrier.d/{,*} r,
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 601921fa..6cdfdfb4 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -22,6 +22,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 /etc/systemd/oomd.conf r,
+ /etc/systemd/oomd.conf.d/{,**} r,
 @{run}/systemd/io.system.ManagedOOM rw,
 @{run}/systemd/io.systemd.ManagedOOM rw,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 99905c45..1045ae59 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
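Review bot: `@{bin}/im-launch rPx` makes the exec fail outright when no `im-launch` profile is loaded, whereas the previous `rPUx` fell back to running it unconfined; the tightening is the right direction, but it only works if an im-launch profile ships and is enabled alongside this set, which the diff does not show. Confirm that profile exists (and is not a complain-only stub) before merging, or keep `rPUx` until it lands. The ssh-agent profile block continues outside the hunk.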
@@ -45,6 +45,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{bin}/cut rix,
 @{bin}/dmsetup rPUx,
 @{bin}/ethtool rix,
+ @{bin}/issue-generator rPUx,
 @{bin}/kmod rPx,
 @{bin}/less rPx -> child-pager,
 @{bin}/ln rix,
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index 150aa9d6..a3d46cb3 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -11,6 +11,7 @@ include
 profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
 include
 include
+ include
 include
 include
 include
@@ -25,26 +26,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
 network inet6 dgram,
 network netlink raw,
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
+ #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/
- dbus send bus=system path=/
- interface=org.freedesktop.fwupd
- member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata},
- dbus send bus=system path=/org/freedesktop/systemd[0-9]
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
- dbus send bus=system path=/org/freedesktop/systemd[0-9]
- interface=org.freedesktop.systemd[0-9].Manager
- member={GetDefaultTarget,GetUnit},
- dbus receive bus=system path=/
- interface=org.freedesktop.fwupd
- member=Changed,
-
 @{exec_path} mr,
 @{bin}/dbus-launch rCx -> dbus,
diff --git a/apparmor.d/profiles-g-l/jackdbus b/apparmor.d/profiles-g-l/jackdbus
new file mode 100644
index 00000000..121252db
--- /dev/null
+++ b/apparmor.d/profiles-g-l/jackdbus
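Review bot: In the fwupdmgr hunk, the `#aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/` directive replaces rules that pinned the fwupd calls to an explicit member list (GetDevices, GetPlugins, GetRemotes, SetFeatureFlags, SetHints, UpdateMetadata, plus the Changed signal) with, as far as the directive expands, send/receive on any interface and member at path /; that trade of precision for maintainability is defensible but deserves a comment, e.g. `# Full client access to fwupd; per-method authorization is fwupd's polkit job`. Separately, the two `org.freedesktop.systemd1` send rules (Properties GetAll and Manager GetDefaultTarget/GetUnit) disappear without replacement in this hunk, so unless the include added at the top of the file covers them, fwupdmgr's systemd queries will now be denied (only logged while the profile stays in complain mode). The old `systemd[0-9]` path spelling was itself odd, so if those calls are still made the replacement should target `path=/org/freedesktop/systemd1` directly. The profile block continues outside the hunk.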
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/jackdbus
+profile jackdbus @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.log/ w,
+ owner @{HOME}/.log/jack/{,**} rw,
+
+ owner @{user_config_dirs}/jack/{,**} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index b24f1671..5bd39e11 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -22,6 +22,8 @@ profile snap @{exec_path} {
 capability setuid,
 capability sys_admin,
+ network netlink raw,
+
 unix (send, receive) type=stream peer=(label=apt),
 mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
@@ -31,6 +33,10 @@ profile snap @{exec_path} {
 member=StartTransientUnit
 peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+ dbus receive bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=JobRemoved
+ peer=(name=:*, label="@{systemd}"),
 dbus receive bus=session path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
 member=JobRemoved
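Review bot: The new jackdbus profile carries no `#aa:dbus own bus=session` rule, although jackdbus is, as its name suggests, a D-Bus service that registers a well-known name on the session bus (presumably org.jackaudio.service, to be confirmed from its /usr/share/dbus-1/services file); unless one of the includes, whose targets are stripped in this rendering, supplies the bind rule, name ownership will be denied under enforcement and the service will fail to start. Add the own directive for the confirmed name next to the `@{exec_path} mr,` line. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other profiles in the set. The profile is complete within the hunk.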