diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index c2e768d4..82a97d39 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@@ -20,8 +20,10 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 /usr/share/locale/locale.alias r,
 /var/lib/dbus/machine-id r,
- /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
- owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+ /var/lib/gdm/.config/ibus/bus/ r,
+ /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
+ owner @{user_config_dirs}/ibus/bus/ r,
+ owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
 owner /dev/tty[0-9]* rw,
 /dev/null rw,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index 95a07b2e..185c67be 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -17,6 +17,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
 @{exec_path} mr,
+ /usr/share/egl/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/glvnd/egl_vendor.d/{,*.json} r,
 /usr/share/icons/{,**} r,
@@ -25,6 +26,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
 /usr/share/X11/xkb/** r,
 owner @{user_cache_dirs}/mesa_shader_cache/index rw,
+ owner @{user_share_dirs}/icons/{,**} r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 831915f1..ec38eeae 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -27,7 +27,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 # Full access to user's data
 / r,
 owner @{HOME}/{,**} rw,
- owner @{MOUNTS}/*/{,**} rw,
+ owner @{MOUNTS}/{,**} r,
 owner @{run}/user/@{uid}/{,**} rw,
 owner /tmp/{,**} rw,
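Review bot: The trailing `[0-9]` in both new socket rules admits only a single-digit display number, so a session on display `:10` or `wayland-10` would get no match; if such display numbers are possible on the target systems the pattern should end in `[0-9]*`, e.g. `/var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9]* r,` and the same for the `owner @{user_config_dirs}` rule. The single-digit limit was already present in the removed lines, but these lines are being rewritten anyway. The rewrite also widens the rule from Wayland-only sockets to the X11 `-unix-[0-9]` form, which deserves a one-line comment since the hunk gives no rationale. The enclosing profile block continues outside the hunk.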
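Review bot: The replacement rule drops write access: `owner @{MOUNTS}/*/{,**} rw,` becomes `owner @{MOUNTS}/{,**} r,`, yet it sits directly under the `# Full access to user's data` comment, and a file manager that can only read mounted or removable volumes will be denied on every copy, move or delete there. If read-only was intended, the comment should say so; otherwise the line should be `owner @{MOUNTS}/{,**} rw,`. The hunk also widens the path by one level (`@{MOUNTS}/` itself rather than only its subdirectories), which is presumably deliberate but is not mentioned anywhere in the change. The enclosing profile block continues outside the hunk.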
diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs
index 12374b62..d069ae8e 100644
--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@@ -10,9 +10,17 @@ include
 profile systemd-makefs @{exec_path} {
 include
+ capability net_admin,
+ capability sys_resource,
+
 @{exec_path} mr,
 /{usr/,}{s,}bin/mkswap rPx,
+ @{sys}/devices/virtual/block/zram[0-9]*/ r,
+ @{sys}/devices/virtual/block/zram[0-9]*/** r,
+
+ /dev/zram[0-9]* rwk,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 4aa7d750..80edcfd4 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -15,17 +15,17 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 include
 include
- # (##FIXME##)
- capability sys_admin,
- capability net_admin,
- capability dac_read_search,
+ capability chown,
 capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability mknod,
+ capability net_admin,
+ capability sys_admin,
+ capability sys_module,
 capability sys_ptrace,
 capability sys_resource,
- capability chown,
- capability fsetid,
- capability sys_module,
- capability mknod,
 ptrace (read),
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index 5e280427..3ca1d49e 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -16,6 +16,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 /etc/apparmor/{,**} r,
 /etc/apparmor.d/{,**} r,
+ /etc/apparmor.d/cache.d/{,**} rw,
 owner /var/cache/apparmor/{,**} rw,
 owner /var/lib/docker/tmp/docker-default[0-9]* r,
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd
index d89d1c5c..88ed3313 100644
--- a/apparmor.d/profiles-a-f/auditd
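Review bot: `capability net_admin,` is an unusual grant for a filesystem-formatting helper and nothing in the hunk shows which operation needs it; `mkswap` is executed via `rPx` under its own profile, so this capability is given to systemd-makefs itself, not to the child. Unless a denial log shows it is required, it should be dropped, or else annotated with a comment naming the operation, e.g. `# net_admin: needed for <OPERATION — TODO confirm>`. The two zram sysfs rules could also be collapsed to `@{sys}/devices/virtual/block/zram[0-9]*/{,**} r,`, the `{,**}` form used elsewhere in this commit. The `include` lines appear with their `<...>` targets stripped in this rendering, which makes the hunk harder to read than the file itself.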
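Review bot: Beneath the alphabetical reordering the capability set actually changes: `capability fowner,` is newly granted (it appears in no removed line) and the `# (##FIXME##)` marker above the block is dropped, while the profile still carries `flags=(attach_disconnected complain)`. Mixing a sort with an addition hides the functional change, so the new capability should be called out separately, e.g. with `# fowner: <reason — TODO confirm>` above it, and removing the FIXME implies the whole list was reviewed, which the hunk does not demonstrate. The enclosing profile block continues outside the hunk.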
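Review bot: The new `/etc/apparmor.d/cache.d/{,**} rw,` is the only write rule in the hunk without `owner`, whereas the sibling cache rule on the very next line is `owner /var/cache/apparmor/{,**} rw,`. For consistency, and to keep write access limited to cache files the parser itself created, it should read `owner /etc/apparmor.d/cache.d/{,**} rw,`; if the parser genuinely has to overwrite cache files owned by a different uid, a short comment explaining that would justify the difference. The enclosing profile block continues outside the hunk.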
+++ b/apparmor.d/profiles-a-f/auditd
@@ -14,6 +14,7 @@ profile auditd @{exec_path} {
 capability audit_control,
 capability chown,
 capability fsetid,
+ capability sys_nice,
 capability sys_resource,
 network netlink raw,
@@ -24,11 +25,13 @@ profile auditd @{exec_path} {
 /var/log/audit/{,**} rw,
+ @{run}/auditd.pid rw,
 @{run}/systemd/userdb/ r,
 owner @{PROC}/@{pid}/attr/current r,
 owner @{PROC}/@{pid}/loginuid r,
- owner @{PROC}/@{pid}/oom_score_adj r,
+ owner @{PROC}/@{pid}/sessionid r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg
index b7d83b10..1c3f3849 100644
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@@ -23,6 +23,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
 /etc/login.defs r,
 /etc/firejail/firejail.users r,
+ /etc/firejail/firecfg.config r,
 /usr/local/bin/ r,
 /usr/local/bin/* rw,
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index 8db380c6..d4089889 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -38,6 +38,7 @@ profile fusermount @{exec_path} {
 umount @{MOUNTS}/*/*/,
 umount /tmp/.mount_*/,
 umount @{run}/user/@{uid}/doc/,
+ umount @{run}/user/@{uid}/gvfs/,
 /etc/fuse.conf r,
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index 8bbf6a07..f7c9c868 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -30,10 +30,11 @@ profile syncthing @{exec_path} {
 /etc/mime.types r,
 /usr/share/mime/globs2 r,
- owner @{user_config_dirs}/syncthing/{,**} rwk,
+ owner @{HOME}/ r,
 owner @{HOME}/@{XDG_DATA_HOME}/syncthing/{,**} rwk,
+ owner @{user_config_dirs}/syncthing/{,**} rwk,
- @{HOME}/ r,
+ /home/ r,
 @{user_sync_dirs}/{,**} rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
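Review bot: In the second hunk `owner @{PROC}/@{pid}/oom_score_adj` goes from `r` to `rw`, which lets the daemon change its own OOM-killer score; that is plausible for a daemon the audit trail depends on, but the hunk gives no hint, so a comment such as `# auditd adjusts its own oom_score_adj so the OOM killer spares it — TODO confirm` would help the next reader. The inserted `sessionid` rule also breaks the alphabetical order of the `@{PROC}/@{pid}` block (`loginuid`, `oom_score_adj`, `sessionid`); placing it after the `oom_score_adj` line keeps the block sorted. The first hunk's `capability sys_nice,` needs nothing further.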
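Review bot: `/home/ r,` replaces the old `@{HOME}/ r,` and lets the process list `/home/` itself, i.e. enumerate every account's home directory name, while the new `owner @{HOME}/ r,` already covers the user's own home; if listing the parent is only needed for path resolution, a comment saying so would justify the wider rule, otherwise `/home/ r,` can be dropped. Note also that `@{HOME}` need not live under `/home/`, so the two rules are not interchangeable. The moved `owner @{user_config_dirs}/syncthing/{,**} rwk,` now sits next to `owner @{HOME}/@{XDG_DATA_HOME}/syncthing/{,**} rwk,`, which could use `@{user_share_dirs}` as the `gnome-control-center-print-renderer` hunk in this same commit does, though that line is pre-existing. The enclosing profile block continues outside the hunk.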