diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 09d3cb55..46c7cd73 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -33,7 +33,6 @@ profile pipewire @{exec_path} { /usr/share/pipewire/pipewire.conf r, - /etc/machine-id r, /etc/pipewire/client.conf r, /etc/pipewire/pipewire-pulse.conf.d/{,*} r, /etc/pipewire/pipewire.conf r, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index eca96bdf..4e49fe8a 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -11,6 +11,7 @@ include profile pipewire-media-session @{exec_path} { include include + include include include include @@ -44,11 +45,11 @@ profile pipewire-media-session @{exec_path} { owner @{HOME}/.local/state/ rw, owner @{HOME}/.local/state/pipewire/{,**} rw, + owner @{user_config_dirs}/pipewire/ rw, owner @{user_config_dirs}/pipewire/** rw, owner @{user_config_dirs}/pulse/ rw, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw, @{run}/udev/data/+sound:card[0-9]* r, # For sound diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index ade99e79..3a045364 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-document-portal profile xdg-document-portal @{exec_path} { include + include ptrace (read) peer=xdg-desktop-portal, @@ -23,7 +24,6 @@ profile xdg-document-portal @{exec_path} { owner @{user_share_dirs}/flatpak/db/documents r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/doc/ rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 1805b763..dbcca15d 100644 
--- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} { include include include + include include include include @@ -53,7 +54,6 @@ profile gdm-wayland-session @{exec_path} { /etc/default/im-config r, /etc/gdm{3,}/custom.conf r, - /etc/machine-id r, /etc/shells r, /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, @@ -61,8 +61,7 @@ profile gdm-wayland-session @{exec_path} { /usr/share/gdm/gdm.schemas r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/bus rw, - @{run}/gdm/custom.conf r, + @{run}/gdm/custom.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 8735c2fe..648e83f5 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -24,6 +24,8 @@ profile gnome-characters-backgroudservice @{exec_path} { /etc/gtk-3.0/settings.ini r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 07a34d14..3db55197 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -34,6 +34,9 @@ profile gnome-extension-ding @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus bind bus=session + name=com.rastersoft.ding, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 9054d9f4..20ca500e 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server 
@@ -10,6 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include + include include include include @@ -34,8 +35,6 @@ profile gnome-terminal-server @{exec_path} { /etc/shells r, - owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c612512d..93c4e728 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -10,6 +10,7 @@ include profile nautilus @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -21,6 +22,20 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*} + interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions}, + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={IsSupported,List} + peer=(name=:*), + + dbus bind bus=session + name=org.gnome.Nautilus, + + dbus bind bus=session + name=org.freedesktop.FileManager1, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index f3fa89e5..99799a9c 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/tracker-extract-3 profile tracker-extract @{exec_path} { include + include include include include @@ -51,8 +52,7 @@ profile tracker-extract @{exec_path} { owner /tmp/tracker-extract-3-files.*/{,*} rw, - owner @{run}/user/@{uid}/bus rw, - @{run}/blkid/blkid.tab r, + @{run}/blkid/blkid.tab r, @{run}/udev/data/c235:* r, @{run}/udev/data/c236:* r, 
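Review bot: In the second nautilus hunk, `peer=(name=:*)` on the RemoteVolumeMonitor send rule restricts nothing, because every connection on the bus has a unique `:*` name; if the intent is to limit the call to the gvfs volume monitors, pin the peer by its confinement label instead (`peer=(name=:*, label=...)` with the volume-monitor profile's label). The new `dbus (send, receive)` rule for `/org/gnome/Nautilus{,/*}` likewise carries no `peer=`, so any session-bus client may invoke `org.gtk.Actions` on the file manager; that is probably intended for an exported object, but a comment naming the expected callers (shell, portal) would let a later reader judge whether to tighten it, e.g. `# Exported object: actions are invoked by the shell and launchers`. The `dbus bind` for `org.freedesktop.FileManager1` looks right for nautilus and needs no change.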
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 025963f0..5195c203 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2017-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,8 +11,9 @@ include profile gpg @{exec_path} { include include - include include + include + include capability dac_read_search, @@ -20,15 +21,15 @@ profile gpg @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/gpgconf rPx, - /{usr/,}bin/gpg-connect-agent rPx, - /{usr/,}bin/gpg-agent rPx, /{usr/,}bin/dirmngr rPx, + /{usr/,}bin/gpg-agent rPx, + /{usr/,}bin/gpg-connect-agent rPx, + /{usr/,}bin/gpgconf rPx, /{usr/,}bin/gpgsm rPx, /{usr/,}lib/gnupg/scdaemon rPx, - # GPG config files - owner @{HOME}/ r, + /etc/inputrc r, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, 
@@ -41,54 +42,9 @@ profile gpg @{exec_path} { owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - # For flatpak - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - - # For ToR Browser - owner @{user_share_dirs}/torbrowser/gnupg_homedir/ r, - owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, - - # For spamassassin - owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**, - - # For lintian - owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r, - owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/trustdb.gpg rw, - owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/pubring.kbx rw, - owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*.gpg rw, - owner /tmp/*.gpg~ w, - owner /tmp/*.gpg.tmp rw, - owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner @{run}/user/@{uid}/gnupg/d.*/ rw, - - # APT upstream/user keyrings - /usr/share/keyrings/*.{gpg,asc} r, - /etc/apt/keyrings/*.{gpg,asc} r, - - # APT repositories - /var/lib/apt/lists/*_InRelease r, - - # Verify files - owner @{HOME}/** r, - owner @{MOUNTS}/** r, - - owner @{PROC}/@{pid}/task/@{tid}/stat rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/fd/ r, - - /etc/inputrc r, - - # file_inherit - /tmp/#[0-9]*[0-9] rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat rw, include if exists } 
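Review bot: The second gpg hunk removes the `owner @{HOME}/** r` and `owner @{MOUNTS}/** r` rules (the "Verify files" block) together with the APT keyring and InRelease reads, and nothing visible in this patch re-grants read access to files outside `@{HOME}/@{XDG_GPG_DIR}/` that gpg is asked to sign or verify. If that access now comes from one of the includes added in the previous hunk, this is a welcome tightening (the include targets are not visible in this view); otherwise `gpg --verify` on an ordinary user file will be denied. Either way the replacement should be recorded next to the remaining home rules, e.g. `# Files to sign/verify are covered by the abstraction included above`. The profile's closing brace is inside the hunk, so no rule further down compensates.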
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 701adf2b..18f55c82 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd profile gvfsd @{exec_path} { include + include @{exec_path} mr, @@ -20,7 +21,6 @@ profile gvfsd @{exec_path} { /usr/share/gvfs/{,**} r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gvfs/ rw, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 698fd2f3..40fcb4c8 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/networkctl -profile networkctl @{exec_path} flags=(complain) { +profile networkctl @{exec_path} flags=(attach_disconnected,complain) { include include @@ -39,9 +39,6 @@ profile networkctl @{exec_path} flags=(complain) { /var/lib/dbus/machine-id r, /etc/machine-id r, - @{run}/systemd/netif/links/[0-9]* r, - @{run}/systemd/netif/state r, - # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, @@ -50,12 +47,16 @@ profile networkctl @{exec_path} flags=(complain) { /{run,var}/log/journal/[0-9a-f]*/system.journal* r, /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r, + @{run}/systemd/netif/links/[0-9]* r, + @{run}/systemd/netif/state r, + @{run}/systemd/notify w, + @{sys}/devices/**/net/**/uevent r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/stat r, @{PROC}/filesystems r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 8cc0dc4f..4a3f945f 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
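Review bot: `@{run}/systemd/notify w` in the third networkctl hunk grants write access to systemd's notification socket, which is unusual for an interactive CLI and is presumably copied from a complain-mode log (the profile still carries `flags=(complain)`). A comment stating which invocation needs it would stop a later reviewer from dropping it as noise, e.g. `@{run}/systemd/notify w, # sd_notify when networkctl runs under a unit`, or the rule should be removed if the denial cannot be reproduced. The addition of `attach_disconnected` is fine but also deserves a one-line reason, as the other profiles in this tree carry it only where disconnected paths are actually hit.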
@@ -17,11 +17,17 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={RequestName,ReleaseName}, + member={RequestName,ReleaseName,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), dbus receive bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties - member={Get,GetAll}, + member={Get,GetAll,SetHostname}, dbus bind bus=system name=org.freedesktop.hostname[0-9], diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 38d22fea..4b964694 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
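Review bot: `SetHostname` is added to the `member=` list of the `dbus receive` rule whose `interface=org.freedesktop.DBus.Properties`, but SetHostname is a method of `org.freedesktop.hostname1` (the systemd-networkd hunk further down sends it with exactly that interface), so this rule will never match the incoming call and the new PolicyKit `CheckAuthorization` send rule will not be reached for it. Split it into its own rule: `dbus receive bus=system path=/org/freedesktop/hostname[0-9]`, `interface=org.freedesktop.hostname1`, `member=SetHostname,` and keep the Properties rule at `member={Get,GetAll}`. Leaving the receive rule without `peer=` is reasonable here since polkit, not the profile, decides who may set the hostname.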
@@ -7,40 +8,68 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-networkd -profile systemd-networkd @{exec_path} flags=(complain) { +profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { include + include include capability net_admin, capability net_raw, capability net_bind_service, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + network packet dgram, + network packet raw, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.hostname1 + member=SetHostname + peer=(name=org.freedesktop.hostname1), + + dbus receive bus=system path=/org/freedesktop/network[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus bind bus=system + name=org.freedesktop.network1, + @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /etc/systemd/networkd.conf r, /etc/systemd/network/ r, /etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r, + /etc/networkd-dispatcher/carrier.d/{,*} r, + + @{run}/systemd/network/ r, + @{run}/systemd/network/*.network r, + owner @{run}/systemd/netif/.#state rw, + owner @{run}/systemd/netif/.#state* rw, + owner @{run}/systemd/netif/leases/.#* rw, + owner @{run}/systemd/netif/leases/[0-9]* rw, owner @{run}/systemd/netif/links/.#* rw, owner @{run}/systemd/netif/links/[0-9]* rw, - owner @{run}/systemd/netif/leases/[0-9]* rw, - owner @{run}/systemd/netif/leases/.#* rw, - owner @{run}/systemd/netif/.#state* rw, - owner @{run}/systemd/netif/.#state rw, owner @{run}/systemd/netif/state rw, - # To be able to configure network interfaces - @{PROC}/sys/net/ipv{4,6}/** rw, - - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, - - @{sys}/devices/**/net/** r, - @{run}/udev/data/n[0-9]* r, - 
/var/lib/dbus/machine-id r, - /etc/machine-id r, + @{sys}/devices/**/net/** r, + @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + + @{PROC}/sys/net/ipv{4,6}/** rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 4f1f4c6c..7dc88b71 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -11,6 +11,10 @@ profile systemd-networkd-wait-online @{exec_path} flags=(complain) { include include + capability net_admin, + + network netlink raw, + @{exec_path} mr, @{run}/systemd/netif/links/[0-9]* r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 4cb03377..97c3a1f4 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,9 +17,15 @@ profile apport-gtk @{exec_path} { include include include + include capability sys_ptrace, + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /{usr/,}{s,}bin/killall5 rix, @@ -50,21 +56,22 @@ profile apport-gtk @{exec_path} { /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, - /etc/apport/blacklist.d/apport r, - /etc/apport/blacklist.d/README.blacklist r, - /etc/apport/crashdb.conf r, + /etc/apport/{,**} r, /etc/bash_completion.d/apport_completion r, /etc/cron.daily/apport r, /etc/default/apport r, /etc/init.d/apport r, /etc/logrotate.d/apport r, /etc/xdg/autostart/*.desktop r, + /etc/gtk-3.0/settings.ini r, - /var/crash/{,*.@{uid}.crash} r, + /var/crash/{,*.@{uid}.crash} rw, /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, + @{run}/snapd.socket rw, owner @{run}/user/@{uid}/wayland-[0-9] rw, /tmp/[a-z0-9]* rw, 
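Review bot: In the systemd-networkd hunk (which begins on the previous line) the runtime configuration rule `@{run}/systemd/network/*.network r` is narrower than its `/etc` counterpart, which admits `.{netdev,network,link}`; generators that drop `.netdev` or `.link` units into `@{run}/systemd/network/` would be denied, so `@{run}/systemd/network/*.{netdev,network,link} r,` would keep the two locations consistent. `/etc/networkd-dispatcher/carrier.d/{,*} r` also reads oddly in the daemon's own profile, since those hooks belong to the separate networkd-dispatcher process; if this came from a denial log it deserves a comment saying so, otherwise it may be misattributed. The profile remains in complain mode, so both issues would currently only log.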
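Review bot: `capability net_admin` in the systemd-networkd-wait-online hunk is a broad grant for a tool that only observes link state; querying and subscribing to rtnetlink does not by itself require it, so the accompanying `network netlink raw,` may be sufficient on its own. Confirm from the denial that prompted the change whether the capability is actually exercised before keeping it, and if it is, add the reason inline, e.g. `capability net_admin, # needed for ...`. As the profile is in complain mode, the missing capability would only be logged, which makes this cheap to verify.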
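Review bot: The apport-gtk hunks add unrestricted `network inet{,6} stream` / `dgram` and `@{run}/snapd.socket rw` without stating what each is for; the snapd socket in particular exposes the snapd REST API to a crash-reporting GUI, so the purpose (presumably collecting snap package information for the report) should be recorded next to the rule, e.g. `@{run}/snapd.socket rw, # snap info for crash reports`. `/var/crash/{,*.@{uid}.crash} rw` also changes the GUI from a reader to a writer of crash reports; if this is for marking reports as seen, a comment to that effect would help. Replacing three targeted `/etc/apport/` rules with `/etc/apport/{,**} r` is fine for configuration files.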
@@ -83,8 +90,9 @@ profile apport-gtk @{exec_path} { profile gdb { include - include + include include + include /{usr/,}bin/gdb mr, @@ -92,6 +100,9 @@ profile apport-gtk @{exec_path} { /{usr/,}{s,}bin/* r, /usr/share/gdb/{,**} r, + /usr/share/themes/{,**} r, + /usr/share/gnome-shell/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/gdb/{,**} r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 69d34c76..26838b92 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -14,7 +14,9 @@ profile software-properties-gtk @{exec_path} { include include include + include include + include dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager} interface=org.freedesktop.DBus.Introspectable @@ -51,10 +53,13 @@ profile software-properties-gtk @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, + /etc/apport/blacklist.d/{,*} r, + /etc/default/apport r, /etc/gtk-3.0/settings.ini r, /etc/machine-id r, /etc/update-manager/release-upgrades r, + /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/snapd/desktop/icons/ r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @@ -68,6 +73,9 @@ profile software-properties-gtk @{exec_path} { @{PROC}/@{pids}/mountinfo r, @{PROC}/asound/cards r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 8134925c..4a3f57be 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
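Review bot: The rules added to software-properties-gtk (`/etc/apport/blacklist.d/{,*} r`, `/etc/default/apport r`, `/var/crash/*software-properties-gtk.@{uid}.crash rw`) are the generic footprint of the Python apport exception hook rather than anything specific to this program, and the same pattern will recur in every Python GUI profile in this tree; consider grouping them under a comment such as `# Apport Python crash hook` or moving them into a shared abstraction. The `owner @{PROC}/@{pid}/environ r` and `cmdline` reads in the last hunk are presumably from the same hook and would sit naturally under that comment. The gdb subprofile hunk above it swaps and adds includes whose targets are not visible in this view, so I cannot tell whether the new theme and gnome-shell reads are still needed after them.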
@@ -103,7 +103,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /{usr/,}{s,}bin/dmidecode rPx, /{usr/,}{s,}bin/dnsmasq rPx, /{usr/,}{s,}bin/virtiofsd rux, # TODO: WIP - /{usr/,}{s,}bin/virtlogd rPX, + /{usr/,}{s,}bin/virtlogd rPx, /{usr/,}bin/lvm rUx, /{usr/,}bin/mdevctl rPx, /{usr/,}bin/swtpm rPx, @@ -155,6 +155,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+dmi:id r, @{run}/udev/data/+drm:* r, + @{run}/udev/data/+hid:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci* r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 7b2694f3..de6c971e 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -119,11 +119,13 @@ profile run-parts @{exec_path} { include /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{e,}grep rix, /{usr/,}bin/cat rix, /{usr/,}bin/cut rix, /{usr/,}bin/find rix, - /{usr/,}bin/grep rix, + /{usr/,}bin/head rix, /{usr/,}bin/id rix, + /{usr/,}bin/sort rix, /{usr/,}bin/tr rix, /{usr/,}bin/uname rix, @@ -133,13 +135,17 @@ profile run-parts @{exec_path} { /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, / r, + /etc/default/motd-news r, /etc/lsb-release r, /etc/update-motd.d/[0-9]*-[a-z]* r, + /var/cache/motd-news r, /var/lib/update-notifier/updates-available r, @{run}/motd.d/{,*} r, + @{PROC}/@{pids}/mounts r, + } profile kernel { diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index cfa8d371..f16c2042 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd 
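Review bot: `@{PROC}/@{pids}/mounts r` in the second run-parts hunk grants the motd subprofile the mount table of every process, while the rest of this patch uses `owner @{PROC}/@{pid}/mounts r` for the same need (gnome-characters-backgroudservice, software-properties-gtk); `/proc/self/mounts` resolves to the caller's own pid, so the narrower form should suffice unless a motd script genuinely inspects other processes. Change it to `owner @{PROC}/@{pid}/mounts r,` or add a comment naming the script that needs the wider read. The hunk also adds `/{usr/,}bin/{e,}grep rix` while removing the plain `grep` rule, which is equivalent and fine.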
@@ -69,15 +69,15 @@ profile snapd @{exec_path} { /{usr/,}bin/unsquashfs rix, /{usr/,}bin/update-desktop-database rPx, + /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr, + /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, + /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ? /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/** mr, /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so rix, - /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix, - /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* rPx -> fc-cache, - /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ? /usr/share/bash-completion/completions/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r, @@ -133,7 +133,6 @@ profile snapd @{exec_path} { @{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/profiles r, - owner @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/stat r, @{PROC}/cgroups r, @@ -141,6 +140,7 @@ profile snapd @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, + owner @{PROC}/@{pids}/mountinfo r, /dev/loop-control rw, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 13e39571..524c3338 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -32,7 +32,7 @@ profile steam @{exec_path} { network inet6 stream, network netlink raw, - ptrace (read) peer=steam-*, + ptrace (read), signal (send) peer=steam-game, signal (read), diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 9a7f939c..65b78b49 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game 
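Review bot: The first snapd hunk replaces `/{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* rPx -> fc-cache` with `... fc-cache-* mr`, which drops the execute permission entirely: `mr` allows mapping the binary but not an execve of it, so if snapd still runs fc-cache from its own tree the exec will be denied, and if it does run it, the old form kept the child confined by the `fc-cache` profile. Either restore `rPx -> fc-cache` or add a comment explaining why only a mapping is needed now. The rest of the hunk is a reorder.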
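Review bot: The steam hunk widens `ptrace (read) peer=steam-*` to `ptrace (read),`, which lets the client read the ptrace-guarded state (`/proc/*/maps`, `environ`, etc.) of any process the user owns, not only the Steam-labelled ones. If a specific label was missing from the old pattern, add it to the peer set rather than removing the restriction, and in any case leave a comment with the label or denial that motivated the change, e.g. `ptrace (read), # steam reads /proc of its unconfined helpers`.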
@@ -91,6 +91,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { @{steamruntime}/pressure-vessel/lib{,exec}/** mrix, @{steamruntime}/run rix, + @{user_share_dirs}/Steam/bin/ r, + @{user_share_dirs}/Steam/bin/* mr, @{user_share_dirs}/Steam/legacycompat/ r, @{user_share_dirs}/Steam/legacycompat/** mr, @{user_share_dirs}/Steam/linux{32,64}/ r, @@ -139,6 +141,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/Steam/ r, owner @{user_share_dirs}/Steam/* r, owner @{user_share_dirs}/Steam/*log* rw, + owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw, owner @{user_share_dirs}/Steam/steamapps/ r, owner @{user_share_dirs}/Steam/steamapps/common/ r, owner @{user_share_dirs}/Steam/steamapps/common/*/ r, diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index bf89402d..05d0e865 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -22,9 +22,9 @@ import ( // Command line options var ( - dbus bool - help bool - path string + dbus bool + help bool + path string ) // LogFile is the default path to the file to query
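Review bot: `@{user_share_dirs}/Steam/bin/* mr` in the first steam-game hunk grants executable mapping of files under a user-writable directory without the `owner` qualifier, whereas the rules in the second hunk (`owner @{user_share_dirs}/Steam/...`) are owner-restricted; it does match its immediate neighbours (`legacycompat`, `linux{32,64}`), so if the unqualified form is deliberate there, a comment on that group saying why would avoid the question recurring. Otherwise `owner @{user_share_dirs}/Steam/bin/* mr,` is the cheaper choice. The aa-log change at the end is gofmt alignment only.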