diff --git a/apparmor.d/abstractions/wutmp.d/complete b/apparmor.d/abstractions/wutmp.d/complete deleted file mode 100644 index 1c68908c..00000000 --- a/apparmor.d/abstractions/wutmp.d/complete +++ /dev/null @@ -1,8 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - deny /var/log/wtmp wk, - /var/log/wtmp rwk, - /var/log/btmp rwk, diff --git a/apparmor.d/groups/desktop/accounts-daemon b/apparmor.d/groups/desktop/accounts-daemon index 073ddccb..b61a53e3 100644 --- a/apparmor.d/groups/desktop/accounts-daemon +++ b/apparmor.d/groups/desktop/accounts-daemon @@ -25,20 +25,20 @@ profile accounts-daemon @{exec_path} { /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r, - /etc/gdm/custom.conf r, + /etc/gdm/ r, + /etc/gdm/custom.conf rw, + /etc/gdm/custom.conf.* rw, /etc/machine-id r, /etc/shadow r, /etc/shells r, - /etc/gdm/custom.conf.* rw, - owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, - owner @{PROC}/@{pid}/cmdline r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 82582578..be558201 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -28,10 +28,12 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (receive) set=term peer=gdm, signal (send) set=hup peer=at-spi*, signal (send) set=hup peer=dbus-daemon, + signal (send) set=hup peer=dbus-run-session, signal (send) set=hup peer=gjs-console, signal (send) set=hup peer=gnome-*, signal (send) set=hup peer=gsd-*, signal (send) set=hup peer=ibus-*, + signal (send) set=hup peer=xorg, signal (send) set=hup peer=xwayland, signal (send) set=term peer=gdm-*-session, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index ec3a97f3..41d16ac1 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -49,43 +50,43 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx, /{usr/,}lib/gsd-* rPx, - /usr/share/applications/org.gnome.Shell.desktop r, + /usr/share/applications//{,**} r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, + /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glvnd/egl_vendor.d/ r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, /usr/share/icons/{,**} r, + /usr/share/dconf/profile/gdm r, + /usr/share/mime/mime.cache r, /usr/share/X11/xkb/{,**} r, + /etc/xdg/autostart/{,*.desktop} r, + + /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.cache/mesa_shader_cache/index rw, /var/lib/gdm/.config/gnome-session/ rw, /var/lib/gdm/.config/gnome-session/saved-session/ rw, + /var/lib/gdm/.local/share/applications/{,**} r, + /var/lib/flatpak/exports/share/applications/{,**} r, + + owner @{user_cache_dirs}/mesa_shader_cache/index rw, + owner @{user_config_dirs}/autostart/{,*.desktop} r, owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, owner @{user_config_dirs}/gtk-3.0/bookmarks rw, owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw, - - owner @{user_cache_dirs}/mesa_shader_cache/index rw, - - # Users xdg + owner @{user_config_dirs}/mimeapps.list r, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{user_share_dirs}/applications/ r, - # Autostart - /etc/xdg/autostart/{,*.desktop} r, - /usr/share/gdm/greeter/autostart/{,*.desktop} r, - owner @{user_config_dirs}/autostart/{,*.desktop} r, - - # Dconf - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, - /var/lib/gdm/.config/dconf/user r, - # Temp files /tmp/.ICE-unix/[0-9]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index f238617d..ac9993b4 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}lib/tracker-extract-3 profile tracker-extract @{exec_path} { include + include + include include include include @@ -31,18 +33,15 @@ profile tracker-extract @{exec_path} { /etc/libva.conf r, - owner /tmp/tracker-extract-3-files.*/{,*} rw, - owner @{user_cache_dirs}/tracker3/files/{,**} rwk, - owner @{user_share_dirs}/gvfs-metadata/** r, - # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/*/{,**} r, owner /tmp/*/{,**} r, - owner @{PROC}/@{pid}/fd/ r, - - include + owner /tmp/tracker-extract-3-files.*/{,*} rw, + owner @{user_cache_dirs}/tracker3/files/{,**} rwk, + owner @{user_share_dirs}/gvfs-metadata/** r, + owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, @@ -50,6 +49,10 @@ profile tracker-extract @{exec_path} { @{run}/udev/data/c236:* r, @{run}/udev/data/c50[0-9]:[0-9]* r, @{run}/udev/data/c51[0-9]:[0-9]* r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, /dev/dri/renderD128 rw, /dev/media[0-9]* r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 40d1442e..0bbe7f2a 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -9,8 +9,9 @@ include @{exec_path} = /{usr/,}lib/tracker-miner-fs-{,control-}3 profile tracker-miner @{exec_path} { include - include + include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index ab978096..3a0e7d74 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -17,6 +17,7 @@ profile gvfsd-metadata @{exec_path} { @{exec_path} mr, owner @{user_share_dirs}/gvfs-metadata/{,*} rw, + owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 055b4f1f..bc2f7078 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-binfmt -profile systemd-binfmt @{exec_path} { +profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { include capability net_admin, @@ -28,5 +28,7 @@ profile systemd-binfmt @{exec_path} { @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/kernel/osrelease r, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 3329a865..f97990a0 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -11,6 +11,7 @@ profile systemd-modules-load @{exec_path} { include include + capability net_admin, capability sys_module, @{exec_path} mr, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 6b8f606e..5d3ac6e1 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -9,17 +9,20 @@ include @{exec_path} = /{usr/,}bin/libvirt-dbus profile libvirt-dbus @{exec_path} { include + include include @{exec_path} mr, - /{usr/,}{s,}bin/libvirtd rPx, + /{usr/,}{s,}bin/libvirtd rPx, + /{usr/,}{s,}bin/virtqemud rPx, /usr/share/dbus-1/interfaces/org.libvirt.*.xml r, owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk, @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 18f4800c..a17264d6 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -29,7 +29,7 @@ profile check-bios-nx @{exec_path} { owner @{PROC}/@{pid}/fd/2 w, - profile kmod { + profile kmod { include /{usr/,}bin/kmod mr, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index 8131456e..40c3efe7 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -18,6 +18,7 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { /usr/share/icons/**/.icon-theme.cache rw, /usr/share/icons/**/icon-theme.cache rw, + /var/lib/flatpak/exports/share/icons/hicolor/ r, /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw, deny /apparmor/.null rw, diff --git a/apparmor.d/profiles-s-z/xdg-dbus-proxy b/apparmor.d/profiles-s-z/xdg-dbus-proxy index fa116759..72bd2b5f 100644 --- a/apparmor.d/profiles-s-z/xdg-dbus-proxy +++ b/apparmor.d/profiles-s-z/xdg-dbus-proxy @@ -15,7 +15,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw, - owner @{run}/user/@{uid}/.dbus-proxy/{session,a11y}-bus-proxy-[0-9A-Z]* rw, + owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/webkitgtk/bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,