diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index 17923017..29355ad8 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -11,7 +11,7 @@ include @{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium @{exec_path} = @{CHROMIUM_INSTALLDIR}/chromium -profile chromium-chromium @{exec_path} { +profile chromium-chromium @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 268a90d9..3cf4fae5 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -19,6 +19,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, kill), signal (receive) set=(term, hup) peer=gdm*, + signal (send) set=(term, kill) peer=at-spi-bus-launcher, network netlink raw, diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher index da186493..d61406ce 100644 --- a/apparmor.d/groups/desktop/at-spi-bus-launcher +++ b/apparmor.d/groups/desktop/at-spi-bus-launcher @@ -18,7 +18,8 @@ profile at-spi-bus-launcher @{exec_path} { deny capability sys_nice, signal (receive) set=(term hup) peer=gdm*, - signal (send) set=(term, kill) peer=dbus-daemon, + signal (receive) set=(term hup) peer=dbus-daemon, + signal (send) set=(term, kill) peer=dbus-daemon, network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b873a9fe..705fc677 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
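Review bot: `flags=(attach_disconnected)` is added to the chromium profile header with no comment recording which disconnected paths it is for; the flag makes paths that are not attached to the namespace root match rules as if they were absolute, so it widens what the profile's later file rules can match. A one-line comment above the header, e.g. `# attach_disconnected: <disconnected path seen in the audit denial>`, would let a later reviewer judge whether it is still needed. The rest of the profile is outside the hunk.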
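Review bot: The new receive rule in at-spi-bus-launcher does not mirror what dbus-daemon is now allowed to send: the dbus-daemon hunk grants `signal (send) set=(term, kill) peer=at-spi-bus-launcher,` while at-spi-bus-launcher only accepts `set=(term hup)` from that peer, so a kill from dbus-daemon is still refused on the receive side and a hup is refused on the send side. Both halves of a signal pair need the same set; `signal (receive) set=(term, kill) peer=dbus-daemon,` would match the dbus-daemon change, or, if hup is what the audit log actually showed, the dbus-daemon send set should include hup instead. The at-spi-bus-launcher hunk also keeps its existing `signal (send) set=(term, kill) peer=dbus-daemon,`, which is consistent with dbus-daemon's unchanged receive rule.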
@@ -79,6 +79,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/gvfs-metadata/home r, + owner @{user_share_dirs}/gvfs-metadata/home-*.log r, + owner @{user_share_dirs}/gvfs-metadata/root r, + owner @{user_share_dirs}/gvfs-metadata/root-*.log r, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index ba168190..46fd0668 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -30,6 +30,11 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-system-monitor/{,**} r, /usr/share/pixmaps/{,**} r, + owner @{user_share_dirs}/gvfs-metadata/home r, + owner @{user_share_dirs}/gvfs-metadata/home-*.log r, + owner @{user_share_dirs}/gvfs-metadata/root r, + owner @{user_share_dirs}/gvfs-metadata/root-*.log r, + include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 00e52aba..b9309905 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -7,8 +7,6 @@ abi , include -# DENIED operation="mount" info="failed mntpnt match" error=-13 profile="gvfsd-fuse" name="/home/alex/.cache/gvfs/" comm="gvfsd-fuse" fstype="fuse.gvfsd-fuse" srcname="gvfsd-fuse" flags="rw, nosuid, nodev" - @{exec_path} = /{usr/,}lib/gvfs/gvfsd-fuse @{exec_path} += @{libexec}/gvfsd-fuse profile gvfsd-fuse @{exec_path} { diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 4ef87198..14270d44 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman 
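Review bot: The same four `gvfs-metadata` read rules are pasted into gnome-shell here and again into gnome-system-monitor (next hunk), xdg-dbus-proxy and xdg-mime later in this commit; four copies of an identical rule group will drift apart the next time one of them changes. Moving them into a shared file under the project's abstractions directory (a constructed name such as `abstractions/gvfs-metadata`, to be chosen) and replacing each copy with an `include` of it keeps them in one place. The grant itself is read-only and owner-restricted, so the content looks fine.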
@@ -60,11 +60,13 @@ profile pacman @{exec_path} { /{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx, /{usr/,}bin/install-info rPx, + /{usr/,}bin/journalctl rPx, /{usr/,}bin/killall rPx, /{usr/,}bin/pacdiff rPx, /{usr/,}bin/pacman-key rPx, /{usr/,}bin/sysctl rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/systemd-* rPx, /{usr/,}bin/update-ca-trust rPx, /{usr/,}bin/update-desktop-database rPx, /{usr/,}bin/update-mime-database rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 3b6d5fb4..2280c274 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -11,6 +11,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { include capability dac_read_search, + capability mknod, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 68992cff..c7784a56 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -38,5 +38,5 @@ profile systemd-backlight @{exec_path} flags=(complain) { /var/lib/systemd/backlight/*backlight* rw, + include if exists } - diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 4c9b57df..ea82e314 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-coredump -profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) { +profile systemd-coredump @{exec_path} flags=(attach_disconnected) { include include include 
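Review bot: `/{usr/,}bin/systemd-* rPx,` transitions to any binary matching the glob under a profile of its own; with `Px` a target that has no loaded profile fails to exec rather than running unconfined, so every `systemd-*` helper a hook invokes needs a profile in the set, and the glob also matches tools nobody expects a package manager to run. Listing the helpers actually observed in hook denials, the way `journalctl` is listed on the line above, keeps the transitions explicit; if the glob is deliberate, a comment such as `# pacman hooks call assorted systemd-* helpers; each must have its own profile` records that choice.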
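Review bot: `capability mknod,` is added to pacman-hook-mkinitcpio-remove with no note on which operation needs it; mknod lets the hook create device nodes, which is an unusual need for a hook that removes generated images. A why-comment beside it, e.g. `# mknod: <operation seen in the audit denial>`, would let the grant be re-checked later instead of being carried forward on trust.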
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index c04234db..870dfe35 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -20,5 +20,8 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + # Inherit silencer + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index 8105efa7..45e3947e 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -9,21 +9,33 @@ include @{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd profile apparmor.systemd @{exec_path} { include + include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}{s,}bin/aa-status rPx, - /{usr/,}sbin/apparmor_parser rPx, - + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/getconf rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/xargs rix, + /{usr/,}{s,}bin/aa-status rPx, + /{usr/,}{s,}bin/apparmor_parser rPx, + /{usr/,}lib/apparmor/rc.apparmor.functions r, + /etc/apparmor.d/ r, + @{sys}/fs/cgroup/systemd/ r, @{sys}/kernel/security/apparmor/{,**} r, @{sys}/module/apparmor/ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/mounts r, @{PROC}/filesystems r, @{PROC}/mounts r, + /dev/tty rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 62907013..281ea841 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/dkms -profile dkms @{exec_path} { +profile dkms @{exec_path} flags=(attach_disconnected) { include include 
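Review bot: `@{PROC}/@{pids}/maps r,` grants the apparmor.systemd profile read access to the memory layout of every process, not only its own; if the denial that motivated it came from the script itself or its `grep`/`xargs`/`ls` children (all `rix`, so they run under this profile), `owner @{PROC}/@{pid}/maps r,` is sufficient, and the same question applies to the new `fd/` and `mounts` lines. The file also still ends without a trailing newline (`\ No newline at end of file`), which this rewrite of the rule block could have fixed. Changing `/{usr/,}sbin/apparmor_parser` to `/{usr/,}{s,}bin/apparmor_parser` widens the matched path slightly and is worth a word in the commit message.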
@@ -96,6 +96,9 @@ profile dkms @{exec_path} { owner @{PROC}/@{pid}/fd/ r, @{PROC}/sys/kernel/osrelease r, + # Inherit silencer + deny /apparmor/.null rw, + profile kmod { include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index cee4ad8d..fe43ce90 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -32,6 +32,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /{usr/,}bin/gpgsm rCx -> gpg, /etc/pki/fwupd/** r, + /etc/pki/fwupd-metadata/** r, /etc/fwupd/** r, /usr/share/fwupd/** r, @@ -73,7 +74,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/BootNext-* rw, - @{sys}/firmware/efi/efivars/fwupd-ux-capsule-* rw, + @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, @{sys}/power/mem_sleep r, @@ -90,6 +91,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include include + capability dac_read_search, + /{usr/,}bin/gpg mr, /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpgsm mr, diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index c5c72b45..60af2f8f 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -17,8 +17,6 @@ profile htop @{exec_path} { capability sys_nice, capability sys_ptrace, - # Needed? (for system state) - audit deny capability net_admin, signal (send), ptrace (read), 
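Review bot: The efivars rule is widened from `fwupd-ux-capsule-*` to `fwupd-*` with write access, and `capability dac_read_search,` is added in the third fwupd hunk, which appears to sit inside the gpg child profile (its neighbours are the `gpg`/`gpgconf`/`gpgsm` `mr` rules; the profile header is outside the hunk). Neither change carries a comment; `dac_read_search` lets that helper read files regardless of DAC permissions, so a why-comment naming the path that triggered it (e.g. `# dac_read_search: read of <path from audit log>`) and a note on which other `fwupd-*` variables are written would make these reviewable. The profile still carries `complain`, so these lines only affect logging today but become real grants when it is switched to enforce.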
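Review bot: Dropping `audit deny capability net_admin,` from htop changes logging, not the grant: net_admin was never allowed, so it stays implicitly denied, but attempts to use it will no longer be audited. If the rule was removed because htop never requests net_admin, a sentence in the commit message saying so would help; if htop does request it, the question in the removed `# Needed? (for system state)` comment is still open and this hunk does not answer it.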
@@ -38,45 +36,46 @@ profile htop @{exec_path} { owner @{PROC}/@{pid}/smaps_rollup r, @{PROC}/ r, + @{PROC}/diskstats r, @{PROC}/loadavg r, - @{PROC}/uptime r, - @{PROC}/tty/drivers r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, - @{PROC}/diskstats r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/sched_autogroup_enabled r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/autogroup rw, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/oom_{,score_}adj r, @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, @{PROC}/@{pids}/wchan r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/ r, @{PROC}/@{pids}/task/@{tid}/attr/current r, + @{PROC}/@{pids}/task/@{tid}/cgroup r, @{PROC}/@{pids}/task/@{tid}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/statm r, + @{PROC}/@{pids}/task/@{tid}/comm r, @{PROC}/@{pids}/task/@{tid}/environ r, + @{PROC}/@{pids}/task/@{tid}/io r, @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, @{PROC}/@{pids}/task/@{tid}/oom_score r, - @{PROC}/@{pids}/task/@{tid}/cgroup r, - @{PROC}/@{pids}/task/@{tid}/wchan r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/statm r, @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/task/@{tid}/io r, - @{PROC}/@{pids}/task/@{tid}/comm r, - @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/task/@{tid}/wchan r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 4ff62495..b1b61585 100644 
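Review bot: `@{PROC}/@{pids}/autogroup rw,` grants write access to the autogroup file of every process rather than htop's own or the user's; the kernel still applies its own permission check on that write, but the profile no longer limits which processes can be targeted, and this profile also holds `capability sys_nice` (previous hunk). If the feature behind it is adjusting autogroup nice for the user's own processes, `owner @{PROC}/@{pids}/autogroup rw,` is the tighter form; keep the unqualified rule only if cross-user adjustment when run as root is intended, and say so in a comment. The alphabetical re-sorting of the remaining rules is fine.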
--- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/kernel-install -profile kernel-install @{exec_path} flags=(complain) { +profile kernel-install @{exec_path} { include include include @@ -60,9 +60,6 @@ profile kernel-install @{exec_path} flags=(complain) { /{usr/,}bin/kmod mr, - #@{PROC}/cmdline r, - #@{PROC}/modules r, - } include if exists diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index aca9bc61..1b14475a 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man 
@@ -37,58 +37,70 @@ profile man @{exec_path} { /{usr/,}bin/tr rCx -> man_filter, /{usr/,}bin/xz rCx -> man_filter, - profile man_groff { - include - include + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, - signal peer=man, + /usr/**/man/** r, + /var/**/man/** r, + /var/cache/man/index.db rk, - /{usr/,}bin/eqn rm, - /{usr/,}bin/grap rm, - /{usr/,}bin/pic rm, - /{usr/,}bin/preconv rm, - /{usr/,}bin/refer rm, - /{usr/,}bin/tbl rm, - /{usr/,}bin/troff rm, - /{usr/,}bin/vgrind rm, + /etc/man_db.conf r, - /{usr/,}lib/groff/site-tmac/** r, - /usr/share/groff/** r, - - /etc/groff/** r, - /etc/papersize r, - - /tmp/groff* rw, - owner /tmp/* rw, - } - - profile man_filter { - include - include - - signal peer=man, - - /{usr/,}bin/bzip2 rm, - /{usr/,}bin/gzip rm, - /{usr/,}bin/col rm, - /{usr/,}bin/compress rm, - /{usr/,}bin/iconv rm, - /{usr/,}bin/lzip.lzip rm, - /{usr/,}bin/tr rm, - /{usr/,}bin/xz rm, - - # Manual pages can be more or less anywhere, especially with "man -l", and - # there's no harm in allowing wide read access here since the worst it can - # do is feed data to the invoking man process. 
- /usr/** r, - owner @{HOME}/@{XDG_DATA_HOME}/** r, - owner @{HOME}/@{XDG_PROJECTS_DIR}/** r, - owner @{user_cache_dirs}/** r, - owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r, - owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r, - - /var/cache/man/** w, - } + /dev/tty r, include if exists } + +profile man_groff { + include + include + + signal peer=man, + + /{usr/,}bin/eqn rm, + /{usr/,}bin/grap rm, + /{usr/,}bin/pic rm, + /{usr/,}bin/preconv rm, + /{usr/,}bin/refer rm, + /{usr/,}bin/tbl rm, + /{usr/,}bin/troff rm, + /{usr/,}bin/vgrind rm, + + /{usr/,}lib/groff/site-tmac/** r, + /usr/share/groff/** r, + + /etc/groff/** r, + /etc/papersize r, + + /tmp/groff* rw, + owner /tmp/* rw, +} + +profile man_filter { + include + include + + signal peer=man, + + /{usr/,}bin/bzip2 rm, + /{usr/,}bin/gzip rm, + /{usr/,}bin/col rm, + /{usr/,}bin/compress rm, + /{usr/,}bin/iconv rm, + /{usr/,}bin/lzip.lzip rm, + /{usr/,}bin/tr rm, + /{usr/,}bin/xz rm, + + # Manual pages can be more or less anywhere, especially with "man -l", and + # there's no harm in allowing wide read access here since the worst it can + # do is feed data to the invoking man process. + /usr/** r, + owner @{HOME}/@{XDG_DATA_HOME}/** r, + owner @{HOME}/@{XDG_PROJECTS_DIR}/** r, + owner @{user_cache_dirs}/** r, + owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r, + owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r, + + /var/cache/man/** w, +} diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 350ee4e1..bdf15ad8 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -49,7 +49,7 @@ profile pass @{exec_path} { # Pass extensions /{usr/,}bin/oathtool rix, # pass-otp - /{usr/,}bin/python3.[0-9]* rPx -> pass-extension-python, # pass-import, pass-audit + /{usr/,}bin/python3.[0-9]* rPx -> pass-import, # pass-import /{usr/,}bin/qrencode rPUx, # pass-otp /{usr/,}bin/tomb rPUx, # pass-tomb diff --git a/apparmor.d/profiles-m-r/pipewire b/apparmor.d/profiles-m-r/pipewire index 56ada79d..31a96761 100644 
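Review bot: The exec rules at the top of this hunk still read `rCx -> man_filter` (and presumably `rCx -> man_groff` above the hunk), but `man_groff` and `man_filter` are now top-level profiles instead of children of `man`; `Cx` resolves its target as a child of the current profile, so these transitions will no longer resolve once the profiles move. They should become `rPx -> man_filter` and `rPx -> man_groff`, the same form this hunk already uses for `rPx -> child-pager`. The `signal peer=man,` rules in both moved profiles still match because the `man` profile name is unchanged; the `man` profile header itself is outside the hunk.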
--- a/apparmor.d/profiles-m-r/pipewire +++ b/apparmor.d/profiles-m-r/pipewire @@ -12,9 +12,6 @@ profile pipewire @{exec_path} { include include - ptrace (read) peer=pipewire-media-session, - ptrace (read) peer=pipewire-pulse, - # Needed for all sound/music apps. ptrace (read), diff --git a/apparmor.d/profiles-m-r/pipewire-pulse b/apparmor.d/profiles-m-r/pipewire-pulse index 533a75a9..e68833db 100644 --- a/apparmor.d/profiles-m-r/pipewire-pulse +++ b/apparmor.d/profiles-m-r/pipewire-pulse @@ -12,9 +12,6 @@ profile pipewire-pulse @{exec_path} { include include - ptrace (read) peer=pipewire, - ptrace (read) peer=pipewire-media-session, - # Needed for all sound/music apps. ptrace (read), diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index b3e6f05f..0e1bee5f 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -1,20 +1,18 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{SYNC_DIR} = @{HOME}/Sync/ -@{SYNC_DIR} += @{MOUNTS}/*/syncthing/ - @{exec_path} = /{usr/,}bin/syncthing profile syncthing @{exec_path} { include + include include include - include network inet dgram, network inet6 dgram, @@ -27,21 +25,20 @@ profile syncthing @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/ip rix, - owner @{HOME}/ r, - owner @{user_config_dirs}/syncthing/ rw, - owner @{user_config_dirs}/syncthing/** rwk, - - @{SYNC_DIR}/{,**} rw, + /usr/share/mime/{,*} r, /etc/mime.types r, - @{PROC}/sys/net/core/somaxconn r, + owner @{user_config_dirs}/syncthing/{,**} rwk, + owner @{HOME}/@{XDG_DATA_HOME}/syncthing/{,**} rwk, + + @{HOME}/ r, + @{user_sync_dirs}/{,**} rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - # Silecne the noise - deny /etc/ssl/certs/java/ r, - + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/@{pids}/net/route r, profile open { include 
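Review bot: `@{HOME}/ r,` replaces `owner @{HOME}/ r,` in the syncthing profile, dropping the ownership restriction on the home directory listing with no stated reason, while the `open` child profile in the next hunk keeps `owner @{HOME}/ r,`, so the two now disagree. Restoring `owner @{HOME}/ r,` keeps the narrower grant. The new `@{user_sync_dirs}/{,**} rw,` is unqualified just as the removed `@{SYNC_DIR}/{,**} rw,` was, so that line is a rename to the new tunable rather than a widening.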
@@ -55,15 +52,14 @@ profile syncthing @{exec_path} { /{usr/,}bin/basename rix, owner @{HOME}/ r, - owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + /{usr/,}bin/firefox rPx, + /{usr/,}lib/firefox/firefox rPx, # file_inherit owner @{HOME}/.xsession-errors w, - } include if exists diff --git a/apparmor.d/profiles-s-z/update-desktop-database b/apparmor.d/profiles-s-z/update-desktop-database index e6eeff77..7a55882d 100644 --- a/apparmor.d/profiles-s-z/update-desktop-database +++ b/apparmor.d/profiles-s-z/update-desktop-database @@ -11,6 +11,9 @@ profile update-desktop-database @{exec_path} { include include + capability dac_override, + capability dac_read_search, + @{exec_path} mr, /usr/share/applications/{,**/} r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 2501f7c8..a72ecb3a 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,23 +11,23 @@ include @{exec_path} += /usr/share/virt-manager/virt-manager profile virt-manager @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include - include - include - include - include include - include + include include + include + include + include + include + include + include + include + include + include + include include include - include - include - include + include + include network inet stream, network inet6 stream, 
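Review bot: `/{usr/,}lib/firefox/firefox rPUx,` becomes `rPx` (and the new `/{usr/,}bin/firefox rPx,` follows suit), so when no `firefox` profile is loaded the exec is now denied instead of falling back to unconfined. That is the stricter default, but it is a behaviour change for users of the `open` child profile without that profile and deserves a line in the commit message. The `open` child profile's header is outside the hunk.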
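Review bot: `capability dac_override,` and `capability dac_read_search,` are added to update-desktop-database without a comment; dac_override bypasses write and execute permission checks and is a considerably larger grant than dac_read_search, which only bypasses read and search checks. If the denial that motivated the change was a read or directory traversal, `dac_read_search` alone should suffice; if a write was refused, a why-comment such as `# dac_override: needed to write <path from audit log>` should accompany the rule so the larger capability is not kept by default.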
@@ -42,8 +42,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/getfacl rix, /{usr/,}bin/setfacl rix, - /{usr/,}{s,}bin/libvirtd rPx, - /{usr/,}lib/spice-client-glib-usb-acl-helper rPx, + /{usr/,}{s,}bin/libvirtd rPx, + /{usr/,}lib/spice-client-glib-usb-acl-helper rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gtksourceview-4/{,**} r, @@ -55,6 +55,9 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /usr/share/virtio/{,*} r, /var/lib/usbutils/*.ids r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /etc/fstab r, /etc/libnl/classid r, /etc/libva.conf r, @@ -81,25 +84,24 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_VM_DIR}/{,**} rw, owner @{MOUNTS}/*/@{XDG_VM_DIR}/{,**} rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/net/route r, + @{run}/mount/utab r, + @{run}/udev/data/c51[0-9]:[0-9]* r, + owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, @{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/virtual/drm/ttm/uevent r, - @{run}/mount/utab r, - - owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/net/route r, + include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + /dev/video[0-9]* rw, + # Silence the noise deny /usr/share/virt-manager/{,**} w, diff --git a/apparmor.d/profiles-s-z/xdg-dbus-proxy b/apparmor.d/profiles-s-z/xdg-dbus-proxy index c5e80ef9..ed6bc979 100644 --- a/apparmor.d/profiles-s-z/xdg-dbus-proxy +++ b/apparmor.d/profiles-s-z/xdg-dbus-proxy 
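Review bot: `/dev/video[0-9]* rw,` grants read/write on every video capture device with no comment on the use case; camera access is a grant users want explained, so a why-comment above it (e.g. `# <feature that needs capture devices> — confirm from audit log`) should go in with it. Separately, `@{PROC}/@{pid}/net/route r,` becomes `@{PROC}/@{pids}/net/route r,`, which covers other processes' routing tables (including those in other network namespaces); if only the process's own table is read, the original `@{pid}` form is the tighter one. The new `@{run}/udev/data/c51[0-9]:[0-9]* r,` line would also benefit from a comment naming the device class behind that major number.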
@@ -12,6 +12,11 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) { @{exec_path} mr, + owner @{user_share_dirs}/gvfs-metadata/home r, + owner @{user_share_dirs}/gvfs-metadata/home-*.log r, + owner @{user_share_dirs}/gvfs-metadata/root r, + owner @{user_share_dirs}/gvfs-metadata/root-*.log r, + owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw, diff --git a/apparmor.d/profiles-s-z/xdg-mime b/apparmor.d/profiles-s-z/xdg-mime index 5aab67b3..4176ef8a 100644 --- a/apparmor.d/profiles-s-z/xdg-mime +++ b/apparmor.d/profiles-s-z/xdg-mime @@ -46,6 +46,11 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{user_share_dirs}/gvfs-metadata/home r, + owner @{user_share_dirs}/gvfs-metadata/home-*.log r, + owner @{user_share_dirs}/gvfs-metadata/root r, + owner @{user_share_dirs}/gvfs-metadata/root-*.log r, + owner @{HOME}/.Xauthority r, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs index 646a48fa..5a58657e 100644 --- a/apparmor.d/tunables/xdg-user-dirs +++ b/apparmor.d/tunables/xdg-user-dirs @@ -24,6 +24,7 @@ @{XDG_PROJECTS_DIR}="Projects" @{XDG_BOOKS_DIR}="Books" @{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" +@{XDG_SYNC_DIR}="Sync" @{XDG_VM_DIR}=".vm" # User personal keyrings @@ -48,6 +49,9 @@ @{user_pkg_dirs}="/tmp/pkg/" @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ +# Other user directories +@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} + # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # to the various XDG directories include