diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 9f2cb62a..52afd575 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -105,6 +105,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 # For changelogs
 @{bin}/sensible-pager rCx -> pager,
+ #aa:only whonix
+ @{lib}/uwt/uwtwrapper rix,
+
 /usr/share/xml/iso-codes/{,**} r,
 /usr/share/language-selector/data/pkg_depends r,
diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index a8b34048..e36b4b21 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@@ -52,6 +52,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 /etc/gdm{3,}/ r,
 /etc/gdm{3,}/custom.conf{,.@{rand6}} rw,
 /etc/gdm{3,}/daemon.conf{,.@{rand6}} rw,
+ /etc/lightdm/lightdm.conf r,
 /etc/machine-id r,
 /etc/shadow r,
 /etc/shells r,
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 1ce739b8..e5302894 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -56,9 +56,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 /var/lib/xkb/server-@{int}.xkm rw,
 /var/lib/xkb/compiled/server-@{int}.xkm rw,
- /usr/share/libinput*/ r,
- /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
- /usr/share/libinput*/libinput/ r,
+ /usr/share/libinput*/{,**} r,
 /etc/X11/{,**} r,
diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider
index a0176328..e58d5877 100644
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
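Review bot: `@{lib}/uwt/uwtwrapper rix,` runs the wrapper inside apt's own profile, so anything the wrapper in turn executes also runs as apt and needs its own rules in this profile; the hunk shows none. If uwtwrapper is a shell script, at least an interpreter rule such as `@{sh_path} rix,` has to exist elsewhere in the profile, and a dedicated child (`@{lib}/uwt/uwtwrapper rCx -> uwtwrapper,`) would keep the Whonix-only tooling from widening apt's confinement. The rest of the apt profile is outside this hunk, so please confirm it covers what the wrapper launches.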
@@ -25,7 +25,8 @@ profile epiphany-search-provider @{exec_path} {
 @{exec_path} mr,
- @{lib}/webkitgtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 owner @{user_cache_dirs}/epiphany/{,**} rwk,
 owner @{user_share_dirs}/epiphany/{,**} rwk,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 3107e08d..5deab3e7 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -54,7 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{bin}/pkexec rCx -> pkexec,
 @{bin}/software-properties-gtk rPx,
 @{bin}/usermod rPx,
- @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rPx,
 @{lib}/cups/backend/snmp rPx,
 @{lib}/gnome-control-center-goa-helper rPx,
 @{lib}/gnome-control-center-print-renderer rPx,
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index 057451cc..b73bae27 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -14,6 +14,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 signal (receive) set=(term, hup) peer=gdm*,
@@ -32,7 +33,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
 owner @{GDM_HOME}/greeter-dconf-defaults r,
 owner @{gdm_config_dirs}/dconf/user r,
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index 472635bc..b7fec6e7 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
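Review bot: The added `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,` inherits the search provider's profile, so the renderer process — the one that parses remote web content — receives every permission of epiphany-search-provider, including the `rwk` rules on the epiphany cache and share directories visible in this hunk. The gnome-control-center hunk in this same commit transitions WebKitNetworkProcess with `rPx`; if the profile set provides a profile for the WebKit helper processes, `rPx` (or `rPUx`) here would confine them separately, and if it does not, a short comment explaining why inheritance is accepted would help. The atril, font-manager and jami-gnome hunks below use the same `rix` pattern, so whatever is decided should be applied to all four.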
@@ -28,6 +28,7 @@ profile kgx @{exec_path} {
 @{bin}/htop rPx,
 @{bin}/micro rPUx,
 @{bin}/nvtop rPx,
+ @{bin}/vim rUx,
 @{open_path} rPx -> child-open,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 64fb694f..2f3d0ea8 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -5,7 +5,7 @@
 abi ,
 include
-
+
 @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file
 profile baloo @{exec_path} {
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 07d23bf7..80fbaa96 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/kwin_wayland
 profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 include
+ include
 include
 include
 include
@@ -27,12 +28,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 @{exec_path} mr,
- @{bin}/kcminit rPx,
- @{bin}/plasmashell r,
- @{bin}/Xwayland rPx,
- @{lib}/kwin_killer_helper rix,
- @{bin}/konsole rPx,
-
 #aa:exec kscreenlocker_greet
 /usr/share/color-schemes/*.colors r,
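Review bot: `@{bin}/vim rUx,` runs vim unconfined unconditionally, while the neighbouring `@{bin}/micro rPUx,` only falls back to unconfined when no profile for the editor is loaded. `@{bin}/vim rPUx,` would keep a vim profile in force wherever one is shipped and matches the convention of the surrounding block. If unconfined is deliberate here, a one-line comment above the rule stating why would save the next reader the same question.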
@@ -76,11 +71,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/ksycoca{5,6}_* r,
 owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
- owner @{user_cache_dirs}/kwin/ w,
- owner @{user_cache_dirs}/kwin/qmlcache/ w,
- owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rwl,
- owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
- owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
+ owner @{user_cache_dirs}/kwin/ rw,
+ owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/**,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
 owner @{user_cache_dirs}/plasma-svgelements rw,
 owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
index 33934e90..b02f3f5b 100644
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@@ -44,7 +44,7 @@ profile sddm-xsession @{exec_path} {
 @{bin}/numlockx rPx,
 @{bin}/xhost rPx,
 @{bin}/xrdb rPx,
- /etc/X11/Xsession rPx,
+ /etc/X11/Xsession rPx,
 @{bin}/ssh-agent rPx,
 @{bin}/udevadm rPx,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index c2e45293..e6876821 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -40,10 +40,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 member=Introspect
 peer=(label=ksmserver-logout-greeter),
- dbus send bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- peer=(name=org.freedesktop.systemd1),
-
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}
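Review bot: `owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/**,` grants write and hard-link rights over the whole kwin cache tree with any in-tree path as link target, whereas the removed rules limited writes to qmlcache and links to `#@{int}` temporaries. The data is owner-scoped cache, so the exposure is small, but the link target can stay narrow without losing the simplification, for example `owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/{,**/}#@{int},`. The removed `*.qmlc.@{rand6} rwl -> …/#@{int}` rule suggests that is the only link traffic kwin generates, though that is worth confirming against the audit log before narrowing.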
diff --git a/apparmor.d/groups/whonix/open-link-confirmation b/apparmor.d/groups/whonix/open-link-confirmation
index 0376590f..8b6606b3 100644
--- a/apparmor.d/groups/whonix/open-link-confirmation
+++ b/apparmor.d/groups/whonix/open-link-confirmation
@@ -12,5 +12,14 @@ profile open-link-confirmation @{exec_path} {
 @{exec_path} mr,
+ @{sh_path} rix,
+ @{bin}/readlink rix,
+ @{bin}/whichbrowser rix,
+ @{bin}/torbrowser rPx,
+ @{lib}/msgcollector/generic_gui_message rPx,
+ @{lib}/msgcollector/striphtml rPx,
+
+ /etc/open_link_confirm.d/{,**} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/abook b/apparmor.d/profiles-a-f/abook
index 3b4ee838..14e34586 100644
--- a/apparmor.d/profiles-a-f/abook
+++ b/apparmor.d/profiles-a-f/abook
@@ -16,7 +16,7 @@ profile abook @{exec_path} {
 @{exec_path} mr,
 # Used for printing
- @{bin}/{,ba,da}sh rix,
+ @{sh_path} rix,
 @{bin}/lp{,r} rPUx,
 # Abook has built in support to launch mutt
 @{bin}/mutt rPUx,
diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn
index 5ead7e3e..ba559644 100644
--- a/apparmor.d/profiles-a-f/acpi-powerbtn
+++ b/apparmor.d/profiles-a-f/acpi-powerbtn
@@ -24,7 +24,7 @@ profile acpi-powerbtn flags=(attach_disconnected) {
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/ps rPx,
- @{bin}/fgconsole rCx,
+ @{bin}/fgconsole rCx -> fgconsole,
 /usr/share/acpi-support/** r,
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index 1ec58a57..97903a49 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -40,8 +40,8 @@ profile atril @{exec_path} {
 @{bin}/atril-previewer rPx,
- @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix,
- @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 /usr/share/atril/{,**} r,
 /usr/share/poppler/{,**} r,
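Review bot: The profile still ends without a trailing newline (`\ No newline at end of file` follows the closing `}`) even though this hunk already touches the last lines; adding the newline now would stop every later edit from reproducing the marker. Separately, `@{bin}/torbrowser rPx,` and the two `@{lib}/msgcollector/* rPx` rules only resolve when those profiles are loaded, otherwise the exec is denied; if any of those binaries can be present without its profile on a Whonix system, decide explicitly between that denial (`rPx`) and an unconfined fallback (`rPUx`) and note the choice in a comment.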
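Review bot: `@{bin}/fgconsole rCx -> fgconsole,` now names the child profile explicitly, which only resolves if a `profile fgconsole { … }` block is declared inside acpi-powerbtn; the previous unnamed `rCx` auto-named the child after the executable path, so the rename can silently break the transition if the block is missing or still carries the old name. That block is outside this hunk, so please confirm it exists; the sibling `@{bin}/systemctl rCx -> systemctl,` suggests the convention is already followed for the other child.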
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 6c80cfa8..fa21ed79 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -36,7 +36,6 @@ profile evince @{exec_path} {
 @{exec_path} rix,
 @{sh_path} rix,
- @{bin}/gio-launch-desktop rPx,
 @{open_path} rPx -> child-open,
 /usr/share/djvu/{,**} r,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 35ef8a57..c29fe621 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -35,6 +35,7 @@ profile flatpak-system-helper @{exec_path} {
 @{lib}/revokefs-fuse rix,
 /etc/flatpak/{,**} r,
+ /etc/machine-id r,
 /usr/share/mime/mime.cache r,
 /usr/share/flatpak/triggers/ r,
diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager
index 093e743b..2082dcfa 100644
--- a/apparmor.d/profiles-a-f/font-manager
+++ b/apparmor.d/profiles-a-f/font-manager
@@ -27,8 +27,8 @@ profile font-manager @{exec_path} {
 @{exec_path} r,
- @{lib}/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix,
- @{lib}/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/font-manager/ rw,
diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome
index 32b28c32..a2798cbc 100644
--- a/apparmor.d/profiles-g-l/jami-gnome
+++ b/apparmor.d/profiles-g-l/jami-gnome
@@ -25,8 +25,8 @@ profile jami-gnome @{exec_path} {
 @{exec_path} mr,
- @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix,
- @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 /usr/share/ring/{,**} r,
 /usr/share/sounds/jami-gnome/{,**} r,
diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer
index 744851ca..f6f5025a 100644
--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@@ -49,9 +49,10 @@ profile system-config-printer @{exec_path} flags=(complain) {
 owner /tmp/* rw,
 owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/stat r,
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet
index d39f94ee..f5c393f6 100644
--- a/apparmor.d/profiles-s-z/system-config-printer-applet
+++ b/apparmor.d/profiles-s-z/system-config-printer-applet
@@ -23,7 +23,11 @@ profile system-config-printer-applet @{exec_path} {
 /usr/share/system-config-printer/{,**} r,
+ owner @{HOME}/.xsession-errors w,
+ owner @{PROC}/@{pid}/mounts r,
+ /dev/tty rw,
+
 include if exists
 }