diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 0bae4e0d..666387d0 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -186,6 +186,7 @@
 @{PROC}/ r,
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/statm r,
 @{PROC}/@{pid}/task/@{tid}/status r,
 @{PROC}/pressure/{memory,cpu,io} r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
@@ -201,7 +202,6 @@
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/oom_{,score_}adj rw,
 owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/statm r,
 owner @{PROC}/@{pid}/task/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index 75ec9517..3c60c1cf 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -41,6 +41,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 @{bin}/flatpak rPUx,
 @{bin}/fusermount{,3} rCx -> fusermount,
+ / r,
 owner @{att}/ r,
 owner @{att}/.flatpak-info r,
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index fb7bef34..10853ea8 100644
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -30,6 +30,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
 / r,
+ owner @{user_cache_dirs}/glycin/{,**} rw,
+
 @{run}/mount/utab r,
 @{sys}/fs/cgroup/user.slice/cpu.max r,
@@ -51,7 +53,9 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(kill) peer=loupe,
 @{bin}/bwrap mr,
- @{lib}/glycin-loaders/*/glycin-image-rs rix,
+ @{lib}/glycin-loaders/*/glycin-* rix,
+
+ owner @{PROC}/@{pid}/fd/ r,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk
index 40c5199b..af7436f3 100644
--- a/apparmor.d/profiles-a-f/cctk
+++ b/apparmor.d/profiles-a-f/cctk
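Review bot: In apparmor.d/abstractions/app/chromium the `statm` rule loses its `owner` qualifier (added in the first hunk, removed in the second at old line 204). Every profile that includes this abstraction can now read the memory statistics of processes owned by other users, and nothing in the file records why. The neighbouring `@{PROC}/@{pid}/stat r,` is already unqualified, so the rule is consistent with it. The widening still needs a stated reason above the line, for example `# not owner-restricted: <process and uid from the audit log>`. If the denial came only from the browser's own sandboxed children, which is an assumption to confirm, note that as well so the rule can be narrowed later.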
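Review bot: In apparmor.d/groups/gnome/loupe the exec rule becomes `@{lib}/glycin-loaders/*/glycin-* rix,`, so any present or future binary under that directory matching the glob runs with the whole loupe profile inherited. That includes the `owner @{user_cache_dirs}/glycin/{,**} rw,` added in the first hunk of the same file. These loaders decode untrusted image data, so an explicit list is easier to audit than a trailing wildcard, for example `@{lib}/glycin-loaders/*/glycin-{image-rs,<loader seen in the audit log>} rix,`. If the wildcard stays, add a comment naming the loaders that triggered the denial. The profile body starts and ends outside the hunk, so an existing child profile for the loaders cannot be ruled out from here.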
@@ -11,6 +11,7 @@ profile cctk @{exec_path} {
 include
 include
+ capability dac_read_search,
 capability mknod,
 capability sys_admin,
 capability sys_rawio,
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 6e1a2d07..63634d78 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -84,6 +84,7 @@ profile libreoffice @{exec_path} {
 owner @{tmp}/ r,
 owner @{tmp}/.java_pid@{int}{,.tmp} rw,
+ owner @{tmp}/@{hex} rw,
 owner @{tmp}/@{rand6} rwk,
 owner @{tmp}/@{u64} rw,
 owner @{tmp}/*.tmp/{,**} rwk,
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index 3d33e8a3..83af575d 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -25,7 +25,6 @@ profile scrcpy @{exec_path} {
 @{bin}/adb rPx,
 /usr/share/scrcpy/{,*} r,
- /usr/share/icons/{,**} r,
 /etc/machine-id r,
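Review bot: The new `capability dac_read_search,` in apparmor.d/profiles-a-f/cctk lets the confined process bypass read and directory-search permission checks on every file, on top of the `mknod`, `sys_admin` and `sys_rawio` it already holds, and the hunk gives no reason for it. Record the trigger next to the rule, for example `# dac_read_search: needed to read <path from the audit log>`, so a later reviewer can tell whether it is still required. It is also worth checking whether the tool still works with the capability withheld, since this denial is often logged for accesses that succeed anyway. The profile body continues outside the hunk, so its file rules are not visible here.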