diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 64524ed2..8a56a9b8 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -48,6 +48,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
owner @{desktop_config_dirs}/dconf/user r,
+ owner @{HOME}/.Xauthority r,
+ @{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm
index 78ee780b..c6e966b0 100644
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@@ -32,6 +32,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
network netlink raw,
signal (send) set=(term) peer=lightdm-*-greeter,
+ signal (send) set=(term) peer=xorg,
signal (receive) set=(usr1) peer=xorg,
@{exec_path} mrix,
diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache
index 5150755a..affeb182 100644
--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@@ -11,7 +11,6 @@ include
profile fc-cache @{exec_path} {
include
include
- include
include
capability dac_read_search,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 34352654..3fbb2389 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -18,6 +18,7 @@ profile plymouthd @{exec_path} {
capability sys_admin,
capability sys_chroot,
capability sys_tty_config,
+ capability syslog,
network netlink raw,
@@ -63,6 +64,7 @@ profile plymouthd @{exec_path} {
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
+ /dev/kmsg rw,
/dev/ptmx rw,
/dev/tty@{int} rw,
/dev/ttyS@{int} rw,
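Review bot: The added `owner @{HOME}/.Xauthority r,` in the dbus-accessibility hunk carries no annotation, although the gdm-session hunk further down tags its equivalent cookie rule with `# only: xorg`. The X authority cookie is only consulted under an X11 session, so the same marker here, `owner @{HOME}/.Xauthority r, # only: xorg`, records why the rule exists and when it can go. The second added line, `@{run}/systemd/users/@{uid} r,`, is unowned unlike its neighbours; that is presumably deliberate because the file belongs to root rather than the session user, and a short comment would save the next reader from wondering.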
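Review bot: `/dev/kmsg rw,` in the second plymouthd hunk grants read as well as write on the kernel log device, and combined with `capability syslog,` from the first hunk it lets the daemon read the whole kernel ring buffer rather than just append its own lines. If plymouthd only writes boot progress into the log, `/dev/kmsg w,` is the least-privilege form and the capability may not be needed at all; it is worth confirming which access actually appears in the audit denials before granting both. A trailing comment on the capability naming the operation it unblocks would also help, since none of the capability lines in this block explain themselves.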
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers
index f7581ee4..6700c0b2 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers
@@ -9,8 +9,8 @@ include
@{exec_path} = @{lib}/xdg-desktop-portal-rewrite-launchers
profile xdg-desktop-portal-rewrite-launchers @{exec_path} {
include
- include
include
+ include
@{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email
index bb84806e..f1e1d0af 100644
--- a/apparmor.d/groups/freedesktop/xdg-email
+++ b/apparmor.d/groups/freedesktop/xdg-email
@@ -13,7 +13,7 @@ profile xdg-email @{exec_path} flags=(complain) {
@{exec_path} r,
- @{sh_path} rix,
+ @{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index e5302894..7d9536f9 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -20,9 +20,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
include
include
+ capability chown,
capability dac_override,
capability dac_read_search,
capability ipc_owner,
+ capability mknod,
capability net_admin,
capability perfmon,
capability setgid,
diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session
index 65c4e13f..0e56255c 100644
--- a/apparmor.d/groups/gnome/gdm-session
+++ b/apparmor.d/groups/gnome/gdm-session
@@ -55,8 +55,7 @@ profile gdm-session @{exec_path} {
owner @{gdm_config_dirs}/dconf/user r,
owner @{GDM_HOME}/greeter-dconf-defaults r,
- owner @{run}/gdm{3,}/custom.conf r,
-
+ @{run}/gdm{3,}/custom.conf r,
owner @{run}/user/@{uid}/gdm/ w,
owner @{run}/user/@{uid}/gdm/Xauthority rw, # only: xorg
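Review bot: `capability chown,` and `capability mknod,` are added to the xorg profile without a comment on what needs them, and they are two of the heavier grants a confined root process can hold: mknod lets the server create device nodes and chown lets it reassign ownership of any file it can otherwise reach. The neighbouring capability lines are equally bare, so this matches the file's style, but for additions of this weight a trailing comment citing the path or feature behind the denial, e.g. `capability mknod, # <reason seen in the audit log>`, would let a later audit tell whether the grant is still needed. If either is only exercised on some setups, such as a particular driver, noting that would help too.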
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index cdf7b18b..b5d630ce 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -39,6 +39,8 @@ profile gnome-calendar @{exec_path} {
@{exec_path} mr,
+ @{open_path} rPx -> child-open-help,
+
/usr/share/evolution-data-server/{,**} r,
/usr/share/libgweather/Locations.xml r,
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index e73e206a..de5e7637 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -27,6 +27,8 @@ profile gnome-characters @{exec_path} {
@{bin}/gjs-console rix,
+ @{open_path} rPx -> child-open-help,
+
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
/usr/share/nvidia/nvidia-application-profiles-*-rc r,
diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts
index 116b0e80..b3dc05ee 100644
--- a/apparmor.d/groups/gnome/gnome-contacts
+++ b/apparmor.d/groups/gnome/gnome-contacts
@@ -29,6 +29,8 @@ profile gnome-contacts @{exec_path} {
@{exec_path} mr,
+ @{open_path} rPx -> child-open-help,
+
owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
owner @{user_config_dirs}/gnome-contacts/{,**} rw,
owner @{user_share_dirs}/folks/relationships.ini r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index f70e7209..b858ab8e 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -41,7 +41,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
@{bin}/bwrap rPUx,
- @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
/usr/share/cracklib/* r,
/usr/share/publicsuffix/public_suffix_list.dafsa r,
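Review bot: The added `@{open_path} rPx -> child-open-help,` names a target profile that this diff does not define; as far as I can tell the parser does not verify a named `px` target at load time, so if `child-open-help` is not already in the tree the transition would only surface as a failed exec at runtime, and it is worth confirming the profile exists before or alongside this change. The same new rule appears in gnome-characters, gnome-contacts, gnome-music, gnome-recipes, gnome-tweaks, loupe, seahorse, mousepad, xfce-clipman-settings and xfce-terminal, while gnome-disks, gnome-extension-gsconnect, gnome-extension-manager, gnome-extensions-app, kgx and xfce-about switch an existing `child-open` or `child-open-browsers` target to it. Presumably `child-open-help` is the narrower variant for launching help pages; a one-line comment at the first use, or in the target profile itself, stating what it may open would make the choice between it and `child-open` (which thunar keeps in this same diff) reviewable.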
diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks
index 65be05eb..c281625e 100644
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@@ -19,7 +19,7 @@ profile gnome-disks @{exec_path} {
@{exec_path} mr,
- @{open_path} rPx -> child-open,
+ @{open_path} rPx -> child-open-help,
owner @{user_cache_dirs}/gnome-disks/{,**} rw,
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
index a7be9c98..bcb8ef3f 100644
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@@ -44,7 +44,7 @@ profile gnome-extension-gsconnect @{exec_path} {
@{lib}/gio/modules/*.so* rm,
@{lib}/girepository-1.0/* r,
- @{open_path} rPx -> child-open,
+ @{open_path} rPx -> child-open-help,
@{share_dirs}/{,**} r,
@{share_dirs}/gsconnect-preferences rix,
diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager
index 4d19de4d..333067b9 100644
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@@ -26,7 +26,7 @@ profile gnome-extension-manager @{exec_path} {
@{bin}/gjs-console rix,
- @{open_path} rPx -> child-open,
+ @{open_path} rPx -> child-open-help,
/usr/share/gnome-shell/org.gnome.Shell.Extensions r,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index a7aac540..d4c7c65a 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -19,7 +19,7 @@ profile gnome-extensions-app @{exec_path} {
@{sh_path} rix,
@{bin}/gjs-console rix,
- @{open_path} rPx -> child-open,
+ @{open_path} rPx -> child-open-help,
/usr/share/gnome-shell/org.gnome.Extensions* r,
/usr/share/icu/@{int}.@{int}/*.dat r,
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 4a277ce0..4b5eb10a 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -31,6 +31,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
@{bin}/python3.@{int} rix,
@{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw,
+ @{open_path} rPx -> child-open-help,
+
/usr/share/grilo-plugins/grl-lua-factory/{,*} r,
/usr/share/org.gnome.Music/{,**} r,
/usr/share/tracker3/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes
index e800410d..fa79fcb7 100644
--- a/apparmor.d/groups/gnome/gnome-recipes
+++ b/apparmor.d/groups/gnome/gnome-recipes
@@ -25,6 +25,8 @@ profile gnome-recipes @{exec_path} {
@{bin}/tar rix,
+ @{open_path} rPx -> child-open-help,
+
/usr/share/gnome-recipes/{,**} r,
owner @{user_cache_dirs}/gnome-recipes/{,**} rw,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 98d09551..df7560ec 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -83,8 +83,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{GDM_HOME}/greeter-dconf-defaults r,
owner @{gdm_share_dirs}/applications/{,**} r,
- owner /tmp/dirs-@{rand6} rw,
-
owner @{user_config_dirs}/autostart/{,*.desktop} r,
owner @{user_config_dirs}/gnome-session/ rw,
owner @{user_config_dirs}/gnome-session/saved-session/ rw,
@@ -122,6 +120,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{bin}/blueman-applet rPx,
@{bin}/firewall-applet rPx,
@{bin}/gnome-keyring-daemon rPx,
+ @{bin}/gnome-shell rPx,
@{bin}/gnome-software rPx,
@{bin}/im-launch rPx,
@{bin}/keepassxc rPx,
@@ -153,6 +152,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{lib}/kdeconnectd rPUx,
@{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx,
+ /dev/tty@{int} rw,
+
include if exists
include if exists
}
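Review bot: The third gnome-session-binary hunk adds `/dev/tty@{int} rw,` with no comment, which gives the session manager read and write on every virtual console, a broader grant than the owner-scoped rules around it. If a specific code path needs it, a trailing comment should say which, and if only writes are exercised the `r` could be dropped; the audit denial that motivated the line should settle both. The second hunk's `@{bin}/gnome-shell rPx,` depends on a gnome-shell profile being present in the tree, which this diff does not show.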
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index b69f7f76..5481bbee 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@@ -21,6 +21,8 @@ profile gnome-tweaks @{exec_path} {
@{bin}/ps rPx,
@{bin}/python3.@{int} rix,
+ @{open_path} rPx -> child-open-help,
+
@{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
/usr/share/gnome-tweaks/{,**} r,
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index b7fec6e7..82dfac0d 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@@ -30,7 +30,7 @@ profile kgx @{exec_path} {
@{bin}/nvtop rPx,
@{bin}/vim rUx,
- @{open_path} rPx -> child-open,
+ @{open_path} rPx -> child-open-help,
owner /tmp/#@{int} rw,
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index bdc95e7e..cdd9b830 100644
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -22,6 +22,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/bwrap rCx -> bwrap,
+ @{open_path} rPx -> child-open-help,
/usr/share/glycin-loaders/{,**} r,
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index 76dfccd7..8c89c058 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -32,6 +32,8 @@ profile seahorse @{exec_path} {
@{bin}/gpg{,2} rPx,
@{bin}/gpgsm rPx,
+ @{open_path} rPx -> child-open-help,
+
/etc/pki/trust/blocklist/ r,
/etc/gcrypt/hwf.deny r,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index c982f9d5..c5a1b83c 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -10,6 +10,7 @@ include
profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
include
include
+ include
include
capability dac_read_search,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 03bedb62..b8e69306 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -65,6 +65,7 @@ profile systemd-journald @{exec_path} {
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
@{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
+ @{run}/udev/data/c203:@{int} r, # CPU CPUID information
@{run}/udev/data/c29:@{int} r, # For CD-ROM
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index e71744bb..8239ad1c 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -75,8 +75,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+drivers:* r,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
+ @{run}/udev/data/+hid:* r,
+ @{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
@@ -104,6 +107,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/users/.#* rw,
@{run}/systemd/users/@{uid} rw,
+ @{sys}/bus/serial-base/drivers/port/uevent r,
@{sys}/class/drm/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/** r,
diff --git a/apparmor.d/groups/xfce/mousepad b/apparmor.d/groups/xfce/mousepad
index 4ed30ede..fa379675 100644
--- a/apparmor.d/groups/xfce/mousepad
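Review bot: The new `@{run}/udev/data/+hid:* r,` and `@{run}/udev/data/+i2c:* r,` lines in the first systemd-logind hunk drop the trailing comment that the surrounding udev rules carry, whereas the added `c1:@{int}` line follows the convention. Suggest `@{run}/udev/data/+hid:* r, # HID devices` and `@{run}/udev/data/+i2c:* r, # I2C bus devices` so the block stays self-documenting. In the second hunk, `@{sys}/bus/serial-base/drivers/port/uevent r,` is a single very specific path with no comment either; a note on why only this uevent is needed would help whoever meets the next denial under `@{sys}/bus/serial-base/`.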
+++ b/apparmor.d/groups/xfce/mousepad
@@ -16,6 +16,8 @@ profile mousepad @{exec_path} {
@{exec_path} mr,
+ @{open_path} rPx -> child-open-help,
+
owner @{user_config_dirs}/Mousepad/ rw,
owner @{user_config_dirs}/Mousepad/{,**} rw,
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index d8c4920f..b668553b 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -22,6 +22,9 @@ profile thunar @{exec_path} {
@{bin}/thunar-volman rPx,
@{open_path} rPx -> child-open,
+ /usr/share/ r,
+ /usr/share/Thunar/{,**} r,
+
/etc/fstab r,
/etc/timezone r,
diff --git a/apparmor.d/groups/xfce/xfce-about b/apparmor.d/groups/xfce/xfce-about
index b66ad770..e7ce66fa 100644
--- a/apparmor.d/groups/xfce/xfce-about
+++ b/apparmor.d/groups/xfce/xfce-about
@@ -10,11 +10,12 @@ include
profile xfce-about @{exec_path} {
include
include
+ include
include
@{exec_path} mr,
- @{open_path} rPx -> child-open-browsers,
+ @{open_path} rPx -> child-open-help,
include if exists
}
\ No newline at end of file
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings
index 4f1a2485..a9da9e62 100644
--- a/apparmor.d/groups/xfce/xfce-clipman-settings
+++ b/apparmor.d/groups/xfce/xfce-clipman-settings
@@ -13,6 +13,8 @@ profile xfce-clipman-settings @{exec_path} {
@{exec_path} mr,
+ @{open_path} rPx -> child-open-help,
+
/etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r,
owner @{user_config_dirs}/xfce4/panel/xfce4-clipman-actions.xml rw,
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index 91382985..2adeb97c 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
@@ -16,6 +16,8 @@ profile xfce-terminal @{exec_path} {
@{exec_path} mr,
+ @{open_path} rPx -> child-open-help,
+
# The shell is not confined on purpose.
@{bin}/@{shells} rUx,
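Review bot: The xfce-about hunk still ends with `\ No newline at end of file`, so the profile's closing `}` remains unterminated after this edit; since the file is being touched anyway, add the final newline so it matches the other profiles and stops the marker from reappearing in every future diff. The new include line above `@{exec_path} mr,` has lost its target in this rendering, so I cannot tell whether it is the abstraction that `child-open-help` relies on; the switch from `child-open-browsers` to `child-open-help` itself is consistent with the rest of the commit.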
diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop
index 85c963ea..9ca46c73 100644
--- a/apparmor.d/groups/xfce/xfdesktop
+++ b/apparmor.d/groups/xfce/xfdesktop
@@ -11,6 +11,7 @@ profile xfdesktop @{exec_path} {
include
include
include
+ include
include
@{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 25f911cc..429aca59 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -6,7 +6,8 @@ abi ,
include
-@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu@{int}_{32,64}
+@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9][0-9]_{32,64}
+
@{exec_path} = @{user_share_dirs}/Steam/steam.sh
profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
include
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index e4d1f82a..d011c16c 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -20,6 +20,7 @@ include
@{runtime} = @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier
@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
+
@{exec_path} = @{user_share_dirs}/Steam/steamapps/common/*/**
profile steam-game @{exec_path} flags=(attach_disconnected) {
include
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index ed9450d6..fac7818f 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -6,7 +6,8 @@ abi ,
include
-@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
+@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9][0-9]_{32,64}
+
@{exec_path} = @{steam_lib_dirs}/gameoverlayui
profile steam-gameoverlayui @{exec_path} {
include
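Review bot: `@{lib_dirs}` in the steam hunk and `@{steam_lib_dirs}` in the first steam-gameoverlayui hunk are both narrowed to `ubuntu[0-9][0-9]_{32,64}`, but the steam-game hunk leaves `@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}` untouched as context, so three profiles now describe the same directory with two different patterns. `[0-9]*` also accepts `ubuntu1_32`-style names and anything with more digits, which the two-digit form rejects; either steam-game should adopt `[0-9][0-9]` in this commit, or a comment there should say why it stays broader. Defining the pattern once in a shared tunable would remove the duplication altogether.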
@@ -22,7 +23,7 @@ profile steam-gameoverlayui @{exec_path} {
@{exec_path} mr,
@{steam_lib_dirs}/*.so* mr,
- @{steam_lib_dirs}/steam-runtime/{usr/,}lib/**.so* mr,
+ @{steam_lib_dirs}/steam-runtime/@{lib}/**.so* mr,
/usr/share/fonts/{,**} rk, # ?
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index 85db8c07..143b9a4c 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -47,6 +47,7 @@ profile wireplumber @{exec_path} {
owner @{HOME}/.local/ w,
owner @{user_state_dirs}/ w,
owner @{user_state_dirs}/wireplumber/{,**} rw,
+ owner @{user_config_dirs}/wireplumber/{,**} r,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
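Review bot: `@{steam_lib_dirs}/steam-runtime/@{lib}/**.so* mr,` nests `@{lib}` in the middle of a path; if `@{lib}` is defined with a leading slash, as I recall the apparmor.d system tunables do, the expansion becomes `.../steam-runtime//usr/lib/**.so*` with a doubled slash. I am not certain the parser normalises that, and if it does not, the old `{usr/,}lib/**.so*` matched while the new rule silently matches nothing; checking the expanded rule with `apparmor_parser -p` would settle it. Note also that `@{lib}` widens the match to `libexec`, `lib32` and `lib64` under steam-runtime, which may well be what the runtime layout needs but is a broader grant than the line it replaces and deserves a word in the commit message.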