diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index aa638961..04fc326b 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -9,8 +9,9 @@ include @{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon @{exec_path} += @{libexec}/accounts-daemon -profile accounts-daemon @{exec_path} { +profile accounts-daemon @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index bf3c14b5..34134f6b 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/at-spi-bus-launcher profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index fcfa90ce..1aaf33ea 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,11 +11,18 @@ include @{exec_path} += @{libexec}/colord profile colord @{exec_path} flags=(attach_disconnected) { include + include include include network netlink raw, + dbus send + bus=system + path=/org/freedesktop/ColorManager/devices/xrandr_* + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, /{usr/,}lib/colord/colord-sane rPx, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 596f5725..2eea607f 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -11,6 +11,7 @@ include profile pipewire @{exec_path} { include include + include include ptrace (read), diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index c21a8314..180ee969 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -11,6 +11,7 @@ include profile pipewire-media-session @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index c6da6e1f..e264a200 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/polkitd profile polkitd @{exec_path} { include + include include capability setuid, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 11873361..7b32158f 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include + include include network netlink raw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index cfb29dc8..e9ad2fdd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index a74d3c75..6b177afb 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 27fb6a9e..99622476 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 75206db5..a036ee7e 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/evolution-addressbook-factory profile evolution-addressbook-factory @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 6a60f3c1..40661e7c 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/evolution-calendar-factory profile evolution-calendar-factory @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 0d51bc9a..a3cade38 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -9,8 +9,10 @@ include @{exec_path} = /{usr/,}{s,}bin/gdm{3,} profile gdm @{exec_path} flags=(attach_disconnected) { include - include + include + include include + include capability chown, capability fsetid, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d93b104f..24b8902b 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -10,6 +10,8 @@ include profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { include include + include + include include capability audit_write, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 1051a928..a0fbc6c7 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js profile gnome-extension-ding @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 361f0186..65513850 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability ipc_lock, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 23077485..c9931355 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 08da7996..7dcc1894 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,6 +11,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -68,9 +70,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /.flatpak-info r, /etc/fstab r, - /etc/machine-id r, /etc/xdg/menus/gnome-applications.menu r, - /var/lib/dbus/machine-id r, /var/lib/gdm{3,}/.cache/ w, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index fa65e3ce..684080be 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/goa-daemon profile goa-daemon @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a38feb1a..c83666a2 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 0ff646db..ccec1b6a 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-disk-utility-notify profile gsd-disk-utility-notify @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index df0fe0e5..216a23cb 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index d6fbdbab..310336b2 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,6 +10,7 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index b4a6bd31..c674d1e5 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,6 +10,7 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 0e0e011c..de6c3a28 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include network inet stream, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 487e827b..eccc4180 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index cca7f7a3..a44ecbbe 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 0f7fb325..7cada0c7 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 6f4d858e..2ac7d10b 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 4884d7fe..dd45b726 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3 profile tracker-miner @{exec_path} { include - include # TODO: FIXME: See if we keep them like this. + include include include include diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index c91b5c08..0f32b016 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f6102481..e68a51fa 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}{,s}bin/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include + include + include include include include diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 6919dd66..507df21b 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -16,6 +16,7 @@ include profile child-systemctl flags=(attach_disconnected) { include include + include include capability net_admin, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index e9df1167..378c89c1 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/networkctl profile networkctl @{exec_path} flags=(complain) { include + include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index d25f1381..6b951974 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include + include include # To set a hostname diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a306815a..5f392dce 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -10,8 +10,9 @@ include profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { include include - include include + include + include include capability chown, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 0c61f1eb..a4d0a7a0 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-user-runtime-dir profile systemd-user-runtime-dir @{exec_path} { include + include include include diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd index ba55b853..c8e0be36 100644 --- a/apparmor.d/groups/ubuntu/packagekitd +++ b/apparmor.d/groups/ubuntu/packagekitd @@ -10,6 +10,7 @@ include profile packagekitd @{exec_path} { include include + include include capability sys_nice, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index c6e3f327..caf36abd 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 4efe443e..ddf480c8 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/kerneloops profile kerneloops @{exec_path} { include + include include capability syslog, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index b754183e..4cb39fce 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -10,9 +10,10 @@ include profile pkexec @{exec_path} flags=(complain) { include include - include - include include + include + include + include signal (send) set=(term, kill) peer=polkit-agent-helper, diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index ebc0366e..72873536 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/pkttyagent profile pkttyagent @{exec_path} { include + include capability sys_nice, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index c2cebc60..ee85a3b0 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/power-profiles-daemon profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability sys_nice, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 4b4c1689..ef92160f 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -11,6 +11,7 @@ include @{exec_path} = @{libexec}/rtkit-daemon profile rtkit-daemon @{exec_path} { include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 57a24445..2f142a08 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/switcheroo-control profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b881f383..b46cd19b 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/udisks2/udisksd profile udisksd @{exec_path} flags=(attach_disconnected) { include + include include include