diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 9de4359e..7895db4e 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -104,6 +104,7 @@ owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, @{run}/mount/utab r, diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index f52c3e14..f21b968d 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control @@ -31,6 +31,8 @@ profile akonadi_control @{exec_path} { owner @{user_share_dirs}/akonadi/{,**} rwl, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 41ce6774..6d50db9d 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
@@ -57,14 +57,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/@{rand6}.tmp r,
 owner @{tmp}/@{rand8}.txt w,
 owner @{tmp}/* w, # file downloads (to anywhere)
- owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk,
+ owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk,
 owner @{tmp}/mozilla* rw,
 owner @{tmp}/mozilla*/ rw,
 owner @{tmp}/mozilla*/* rwk,
- owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk,
- owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
- owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
- owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk,
+ owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk,
+ owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k,
+ owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,
+ owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk,
 # Silencer
 deny @{lib_dirs}/** w,
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper
index d23d94bb..b4202ed0 100644
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@@ -10,8 +10,8 @@ include
 profile firefox-kmozillahelper @{exec_path} {
 include
 include
- include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index dc4ded9c..1c5f8cd3 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -16,6 +16,12 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, @@ -50,6 +56,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, + owner @{tmp}/xauth_@{rand6} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index f001c27b..e63d51ea 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -66,6 +66,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/oom_score_adj r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index a1a04dfa..3636138c 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -57,9 +57,10 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - owner @{PROC}/@{pid}/uid_map r, - owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/fd/ r, @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, /dev/tty rw, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 6278d2ac..522d4ad5 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -18,9 +18,9 @@ profile xdm-xsession @{exec_path} { @{shells_path} rix, - @{bin}/checkproc rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/checkproc rix, @{bin}/dirname rix, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, 
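Review bot: The `network inet`/`inet6` `stream` and `dgram` rules plus `network netlink raw` added at the top of the dbus-accessibility profile are not explained anywhere in the hunk, and a session accessibility bus daemon would normally be expected to talk over unix sockets only. If a specific operation produced the denials, a comment above the block naming it, e.g. `# Needed for <operation that triggered the denial>`, lets the next reviewer judge whether the inet/inet6 rules can be dropped later; without that, the five rules read as wider than the daemon's job requires. The profile body continues outside the hunk.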
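Review bot: The added `@{PROC}/@{pid}/fd/ r,` in the cron hunk is the only `@{PROC}/@{pid}/` rule in this block without the `owner` qualifier, while the two re-sorted neighbours `loginuid` and `uid_map` keep it. Unless cron has to list the fd directory of processes it does not own, `owner @{PROC}/@{pid}/fd/ r,` keeps the rule as narrow as its siblings. The profile body continues outside the hunk.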
@@ -28,8 +28,10 @@ profile xdm-xsession @{exec_path} { @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, + @{bin}/realpath rix @{bin}/sed rix, @{bin}/ssh-agent rix, + @{bin}/tput rix @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @@ -56,6 +58,7 @@ profile xdm-xsession @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, + /usr/share/terminfo/{,**} r, @{etc_ro}/X11/xdm/scripts/{,*} r, @{etc_ro}/X11/xim r, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 7754ee09..f8a9700f 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -46,6 +46,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/shm/#@{int} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 0bb878ab..5fc35613 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -84,12 +84,14 @@ profile pulseaudio @{exec_path} { owner @{desktop_config_dirs}/pulse/{,**} rw, owner @{desktop_config_dirs}/pulse/cookie k, + owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, owner @{user_config_dirs}/pulse/{,**} rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, owner @{run}/user/@{uid}/ rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/** rwk, owner @{run}/user/@{uid}/systemd/notify rw, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index ae8f90ed..1e257cfc 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent 
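Review bot: The two exec rules added in the `@@ -28,8 +28,10 @@` hunk of xdm-xsession, `@{bin}/realpath rix` and `@{bin}/tput rix`, have no terminating comma, so the profile would fail to parse; they should read `@{bin}/realpath rix,` and `@{bin}/tput rix,`. The terminfo read added in the following hunk matches the tput addition, so the intent is clear. The profile body continues outside the hunk.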
+++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -20,6 +20,7 @@ profile gpg-connect-agent @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index db870bd8..227f4e06 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -40,6 +40,7 @@ profile DiscoverNotifier @{exec_path} { /var/lib/flatpak/{,**} r, /var/cache/swcatalog/cache/ w, + /var/cache/swcatalog/xml/{,**} r, owner @{user_cache_dirs}/appstream/ r, owner @{user_cache_dirs}/appstream/** rw, @@ -58,6 +59,8 @@ profile DiscoverNotifier @{exec_path} { owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw, owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, profile gpg { diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index c1a63931..d1e48f84 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -25,6 +25,8 @@ profile gmenudbusmenuproxy @{exec_path} { owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + include if exists } diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index daf880cf..471812c7 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/kalendarac profile kalendarac @{exec_path} { include - include + include include include include @@ -36,6 +36,8 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, include if exists 
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index 960747c2..09ebb0d7 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -36,6 +36,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 owner @{HOME}/ r,
+ owner @{user_cache_dirs}/ddcutil/* r,
 owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
 owner @{user_config_dirs}/#@{int} rw,
@@ -63,7 +64,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
 @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
- @{sys}/devices/@{pci}/i2c-@{int}/name r,
+ @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
 @{sys}/devices/**/ r,
 @{sys}/devices/i2c-@{int}/name r,
 @{sys}/devices/platform/**/i2c-@{int}/**/name r,
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index e0cc7f5b..422fc103 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -59,7 +59,7 @@ profile kded @{exec_path} {
 @{bin}/xsettingsd rPx,
 @{lib}/drkonqi rPx,
- #aa:exec utempter
+ @{lib}/{,@{multiarch}/}utempter/utempter rPx,
 #aa:exec kconf_update
 /usr/share/color-schemes/{,**} r,
@@ -123,8 +123,7 @@ profile kded @{exec_path} {
 owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
 owner @{user_config_dirs}/menus/{,**} r,
 owner @{user_config_dirs}/networkmanagement.notifyrc r,
- owner @{user_config_dirs}/plasma-nm r,
- owner @{user_config_dirs}/plasma-welcomerc r,
+ owner @{user_config_dirs}/plasma* r,
 owner @{user_config_dirs}/touchpadrc r,
 owner @{user_config_dirs}/Trolltech.conf.lock rwk,
 owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
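Review bot: `owner @{user_config_dirs}/plasma* r,` in the second kded hunk replaces two named files with a glob that matches every entry in the config directory whose name starts with `plasma` (it does not cross into subdirectories, since `*` stops at `/`), which is a wider grant than the two rules it removes. For a read-only, user-owned config file that is an acceptable trade, but a short comment above the rule naming the files it is meant to cover, e.g. `# plasma-nm, plasma-welcomerc, ...`, would stop the next maintainer from re-narrowing it blindly. The profile body continues outside the hunk.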
@@ -151,6 +150,8 @@ profile kded @{exec_path} { owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, + @{sys}/class/leds/ r, + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 1995838c..f71f9734 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -19,6 +19,7 @@ profile kglobalacceld @{exec_path} { /etc/machine-id r, /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/ksycoca{5,6}_* rw, @@ -29,6 +30,8 @@ profile kglobalacceld @{exec_path} { owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, + @{PROC}/sys/kernel/random/boot_id r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 7462d6c5..5b6c7184 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -13,6 +13,7 @@ profile kiod @{exec_path} { include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 05473114..3151156a 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -26,7 +26,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/@{shells} rUx, @{browsers_path} rPx, - #aa:exec utempter + @{lib}/libheif/ r, + @{lib}/libheif/** mr, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, 
@@ -47,12 +49,15 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kbookmarkrc r, + owner @{user_config_dirs}/konsole.notifyrc r, owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/session/** rwlk, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, @@ -62,6 +67,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 1884414a..bd1666a0 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/plasmashellrc r, # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index b7e1858d..858bc4b9 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver 
@@ -52,6 +52,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, @@ -62,6 +63,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/iceauth_@{rand6}-c w, + owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c, + owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw, + owner @{tmp}/@{rand6} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 5005dde3..2b2545b3 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -43,6 +43,8 @@ profile kwalletd @{exec_path} { owner @{tmp}/kwalletd5.* rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index c987a475..432c49ac 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -10,6 +10,7 @@ include profile plasma_waitforname @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 9a21b9df..fe79dccd 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
@@ -178,6 +178,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/kdesud_:@{int} w, owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @@ -187,9 +188,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{sys}/devices/platform/** r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/thermal/**/{name,type} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{PROC}/ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f249d911..dba650f2 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -49,6 +49,8 @@ profile sddm-greeter @{exec_path} { owner @{SDDM_HOME}/#@{int} mrw, owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**, + owner @{HOME}/.face.icon r, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e575f3bb..149df769 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -22,6 +22,7 @@ profile startplasma @{exec_path} { @{bin}/env rix, @{bin}/grep rix, @{bin}/kapplymousetheme rPUx, + @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, @{bin}/plasma_session rPx, @{bin}/xrdb rPx, 
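Review bot: `owner @{HOME}/.face.icon r,` added to sddm-greeter is unlikely to ever match: the greeter runs as the sddm user while `.face.icon` lives in each login user's home and is owned by that user, so the `owner` qualifier rejects the access unless `@{HOME}` here resolves to the sddm home (the surrounding context uses a separate `@{SDDM_HOME}`, which suggests it does not). If the intent is to display users' avatars the rule needs `@{HOME}/.face.icon r,` without `owner`; if only the sddm user's own file is meant, `@{SDDM_HOME}` is the consistent variable. The profile body continues outside the hunk.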
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index a4474a64..57e32b96 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -20,6 +20,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index ea2842a7..8a625b54 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/amixer profile amixer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 6dcd5cbb..819cd234 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -24,7 +24,7 @@ profile dmesg @{exec_path} { /usr/share/terminfo/** r, - owner @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/pid_max r, /dev/kmsg r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index ba37f7bc..2c0eb2fa 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -43,6 +43,7 @@ profile git @{exec_path} flags=(attach_disconnected) { # These are needed for "git submodule update" @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/alts rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/date rix, @@ -78,6 +79,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/vim.* rCx -> editor, /usr/share/git{,-core}/{,**} r, + /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, /etc/gitconfig r, 
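Review bot: In the xembedsniproxy hunk, `@{run}/user/@{uid}/xauth_@{rand6} rl,` sits directly under the new `owner @{run}/user/@{uid}/iceauth_@{rand6} r,` but without the `owner` qualifier; whether that line is part of this change or pre-existing context cannot be told from the collapsed rendering. Both files are per-user authority cookies under `@{run}/user/@{uid}/`, so the same qualifier fits both: `owner @{run}/user/@{uid}/xauth_@{rand6} rl,`. The profile body continues outside the hunk.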
@@ -139,14 +141,15 @@ profile git @{exec_path} flags=(attach_disconnected) {
 @{bin}/ssh mr,
- /etc/ssh/ssh_config.d/{,*} r,
- /etc/ssh/ssh_config r,
+ @{etc_ro}/ssh/ssh_config.d/{,*} r,
+ @{etc_ro}/ssh/ssh_config r,
 owner @{HOME}/@{XDG_SSH_DIR}/* r,
- owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
+ owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
+ owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl,
- owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
+ owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*,
 owner @{tmp}/ssh-*/agent.@{int} rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index 00600b72..57de7cab 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -21,6 +21,7 @@ profile issue-generator @{exec_path} {
 @{bin}/sort rix,
 /etc/issue.d/{,**} r,
+ /etc/sysconfig/issue-generator r,
 @{run}/issue r,
 @{run}/issue.@{rand10} rw,
diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt
index 947350b8..1763bd96 100644
--- a/apparmor.d/profiles-m-r/pinentry-qt
+++ b/apparmor.d/profiles-m-r/pinentry-qt
@@ -10,40 +10,23 @@ include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include - include include - include - include - include - include + include + include include include - include - include - include @{exec_path} mr, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, + /var/lib/dbus/machine-id r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{tmp}/xauth_@{rand6} r, owner /dev/shm/#@{int} rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c23a8d95..110c562e 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -39,7 +39,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}=".local/bin" +@{XDG_BIN_DIR}="bin" ".bin" ".local/bin" @{XDG_LIB_DIR}=".local/lib" # Full path of the user configuration directories diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index f2e7c256..1b4206da 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -35,6 +35,7 @@ @{hex8}=@{hex4}@{hex4} @{hex9}=@{hex8}@{h} @{hex10}=@{hex8}@{hex2} +@{hex15}=@{hex8}@{hex4}@{hex2}@{h} @{hex16}=@{hex8}@{hex8} @{hex32}=@{hex16}@{hex16} @{hex38}=@{hex32}@{hex6}
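Review bot: The pinentry-qt rewrite drops `owner @{tmp}/xauth_@{rand6} r,` together with the kdeglobals/kwinrc reads, while the two abstractions it swaps in have their names stripped in this rendering; if neither of them grants the X authority cookie read, pinentry-qt started under X11 with a temporary XAUTHORITY file would now be denied when it opens the display. Worth confirming against the two new abstractions before merging, or keeping the line with a comment such as `# X11 cookie for sessions that use a temporary XAUTHORITY`. The profile's closing brace lies outside the hunk.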
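Review bot: `@{XDG_BIN_DIR}="bin" ".bin" ".local/bin"` turns a single path into three alternatives, so every rule built on this variable — including any execute permission a profile grants on the user's bin directory — now also covers `~/bin` and `~/.bin`, both ordinary user-writable locations. That is a deliberate widening and deserves a one-line comment stating which tools or distributions place binaries there, e.g. `# ~/bin and ~/.bin are also used as user bin directories`; the derived directory variable that consumes this value is defined further down the file, outside the hunk, so its users cannot be checked here.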