diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor
index 1d501eb9..3992fb7b 100644
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@@ -12,7 +12,7 @@
 @{sh_path} rix,
 @{bin}/nvim mix,
 @{bin}/sensible-editor mr,
- @{bin}/vim{,.*} mix,
+ @{bin}/vim{,.*} mrix,
 @{bin}/which{,.debianutils} ix,
 /usr/share/nvim/{,**} r,
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 2a2f612b..c749bf25 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -92,7 +92,7 @@
 owner @{cache_dirs}/ rw,
 owner @{cache_dirs}/** rwk,
- /tmp/ r,
+ /tmp/ rw,
 /var/tmp/ r,
 owner @{tmp}/@{name}/ rw,
 owner @{tmp}/@{name}/* rwk,
diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client
index d847c732..166229a0 100644
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@@ -11,6 +11,7 @@
 /usr/share/openal/hrtf/{,**} r,
 /usr/share/pipewire/client-rt.conf r,
 /usr/share/pipewire/client.conf r,
+ /usr/share/pipewire/jack.conf r,
 /usr/share/sounds/{,**} r,
 /etc/alsa/conf.d/{,**} r,
@@ -60,6 +61,8 @@
 /dev/shm/ r,
 owner /dev/shm/pulse-shm-@{int} rw,
+ /dev/snd/controlC@{int} r,
+
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes
index 0a5abe0a..41ebab65 100644
--- a/apparmor.d/groups/gnome/gnome-boxes
+++ b/apparmor.d/groups/gnome/gnome-boxes
@@ -58,6 +58,7 @@ profile gnome-boxes @{exec_path} {
 owner @{tmp}/*.iso-@{rand6} rw,
 owner @{tmp}/*.svg-@{rand6} rw,
+ owner @{run}/user/@{uid}/libvirt/ rw,
 owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index e88f34d4..5d2cafd9 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
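Review bot: The widened `/tmp/ rw,` in the firefox hunk carries no comment saying what needs the write bit on the directory entry itself, while everything this block creates lives under `owner @{tmp}/@{name}/`, which already has its own `rw` rules. If the write is there for files opened directly on the directory (an O_TMPFILE-style anonymous file, for example), a trailing comment such as `/tmp/ rw, # O_TMPFILE` would make the grant reviewable; if it only mirrors the `@{tmp}` rules below, `@{tmp}/ rw,` keeps the block consistent, assuming `@{tmp}` resolves to `/tmp/` in this tree. Either way the rule cannot be `owner`-scoped, so the reason for it is worth recording.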
@@ -16,6 +16,7 @@ profile scdaemon @{exec_path} {
 network netlink raw,
 signal (send) peer=gpg-agent,
+ signal send set=usr2 peer=unconfined,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland
index 3a25c0a5..68356741 100644
--- a/apparmor.d/groups/hyprland/hyprland
+++ b/apparmor.d/groups/hyprland/hyprland
@@ -25,7 +25,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /usr/share/hyprland/{,*} r,
+ /usr/share/hypr{,land}/{,*} r,
 /usr/share/libinput/{,*} r,
 owner @{user_cache_dirs}/hyprland/{,**} rw,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index a9902e54..dcf5b10f 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -83,9 +83,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 # Manage /boot
 / r,
- /boot/ r,
- /boot/initramfs-*.img* rw,
- /boot/vmlinuz-* r,
+ /{boot,efi}/ r,
+ /{boot,efi}/EFI/{,**} rw,
+ /{boot,efi}/initramfs-*.img* rw,
+ /{boot,efi}/vmlinuz-* r,
 /usr/share/systemd/bootctl/** r,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 48318da8..32f02f0d 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -24,11 +24,12 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 /usr/share/systemd/*-map r,
 /usr/share/X11/xkb/{,**} r,
+ /etc/.#locale.conf@{hex16} rw,
 /etc/.#vconsole.conf* rw,
 /etc/default/.#locale* rw,
 /etc/default/keyboard r,
 /etc/default/locale rw,
- /etc/locale.conf r,
+ /etc/locale.conf rw,
 /etc/vconsole.conf rw,
 /etc/X11/xorg.conf.d/ r,
 /etc/X11/xorg.conf.d/.#*.confd* rw,
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index fb1e94c1..28006f47 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
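Review bot: `signal send set=usr2 peer=unconfined,` in the scdaemon hunk lets the daemon send SIGUSR2 to any unconfined process, and nothing on the line says which process that is, whereas the rule just above restricts the same permission to `peer=gpg-agent`. If this covers a gpg-agent that happens to run unconfined, a trailing comment such as `# gpg-agent may run unconfined` would record the reason for the wide peer label. The new line also departs from the file's existing syntax; `signal (send) set=(usr2) peer=unconfined,` keeps it consistent with `signal (send) peer=gpg-agent,`.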
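Review bot: `/{boot,efi}/EFI/{,**} rw,` in the mkinitcpio hunk grants write access to the entire EFI system partition tree, bootloader binaries included, while the neighbouring rules name exactly the files mkinitcpio produces (`initramfs-*.img*`, `vmlinuz-*`). If the rule exists for unified kernel image output, narrowing it to the directory the presets write to (for instance `/{boot,efi}/EFI/Linux/{,**} rw,`) keeps the profile's precision and stops a confined mkinitcpio from being able to overwrite the bootloader itself. If some preset layouts genuinely need the wider path, a comment on the line stating that would help the next reviewer judge it.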
@@ -62,6 +62,7 @@ profile mutt @{exec_path} {
 owner @{HOME}/.mutthistory rwk,
 owner @{HOME}/.muttrc* r,
 owner @{HOME}/.signature r, # Mutt signature file
+ owner @{HOME}/ r,
 # User mbox
 # Could be a file or dir depending on mbox_type variable
@@ -91,11 +92,14 @@ profile mutt @{exec_path} {
 @{bin}/w3m mrix,
 @{bin}/lynx mrix,
- owner @{HOME}/.w3m/* rw,
+ owner @{HOME}/.w3m/{,**} rw,
 owner @{user_mail_dirs}/{,**} r,
 owner @{user_mail_dirs}/tmp/{,**} rw,
 owner /{var/,}tmp/mutt* rw,
+ owner /tmp/w3m-@{rand6} rw,
+ owner /tmp/w3m-@{rand6}/{,**} rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch
index d0b75aae..ef3ea4be 100644
--- a/apparmor.d/profiles-m-r/ouch
+++ b/apparmor.d/profiles-m-r/ouch
@@ -15,6 +15,7 @@ profile ouch @{exec_path} {
 @{exec_path} mr,
 owner @{HOME}/.tmp@{rand6}/{,**} rw,
+ owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw,
 @{sys}/fs/cgroup/user.slice/cpu.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses
index a3ec65c4..c14b4102 100644
--- a/apparmor.d/profiles-m-r/pinentry-curses
+++ b/apparmor.d/profiles-m-r/pinentry-curses
@@ -17,6 +17,8 @@ profile pinentry-curses @{exec_path} {
 /usr/share/terminfo/** r,
+ owner /dev/tty@{int} r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk
similarity index 70%
rename from apparmor.d/profiles-m-r/pinentry-gtk-2
rename to apparmor.d/profiles-m-r/pinentry-gtk
index 49e9ac30..a0244956 100644
--- a/apparmor.d/profiles-m-r/pinentry-gtk-2
+++ b/apparmor.d/profiles-m-r/pinentry-gtk
@@ -7,9 +7,10 @@ abi ,
 include
-@{exec_path} = @{bin}/pinentry-gtk-2
-profile pinentry-gtk-2 @{exec_path} {
+@{exec_path} = @{bin}/pinentry-gtk{,-2}
+profile pinentry-gtk @{exec_path} {
 include
+ include
 include
 include
 include
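Review bot: The two new `owner /tmp/w3m-@{rand6} ...` rules in the second mutt hunk hard-code `/tmp/`, whereas the sibling rule two lines up uses `/{var/,}tmp/mutt*` and the w3m profile patched in this same commit uses `owner @{tmp}/w3m-@{rand6}/{,**} rw,`; since w3m is run from mutt with `mrix` and so inherits this profile, the two should agree, i.e. `owner @{tmp}/w3m-@{rand6} rw,` and `owner @{tmp}/w3m-@{rand6}/{,**} rw,`. Conversely this hunk allows a plain file named `w3m-@{rand6}` as well as the directory form, but the w3m hunk only grants the directory form; if w3m really creates such a file, the standalone w3m profile is missing that rule. The `owner @{HOME}/ r,` added in the first hunk also lacks a comment on why mutt needs to list the home directory (presumably mbox lookup under `# User mbox`); a short trailing comment would save the next reader the guess.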
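Review bot: Renaming the profile from `pinentry-gtk-2` to `pinentry-gtk` changes the label other rules in the policy set refer to, and this diff touches no other profile; any named transition (`px -> pinentry-gtk-2`) or peer label (`peer=pinentry-gtk-2` in signal, ptrace or dbus rules) elsewhere would silently stop matching, while plain path-based `px` onto `@{bin}/pinentry-gtk-2` keeps working because the attachment still covers that path. Worth grepping the tree for the old name before merging, or stating in the commit message that it is only ever reached by inherited execution. The second hunk of this file also replaces the `include if exists` line, presumably switching the local override to the new name, so any deployed site-local override for `pinentry-gtk-2` would no longer be read.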
@@ -17,11 +18,13 @@ profile pinentry-gtk-2 @{exec_path} {
 @{exec_path} mr,
- /usr/share/gtk-2.0/gtkrc r,
+ /usr/share/gtk-@{int}.@{int}/{,**} r,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
- include if exists
+ owner /dev/tty@{int} r,
+
+ include if exists
 }
 # vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
index b9efca35..51c625d5 100644
--- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
+++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
@@ -18,6 +18,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 capability sys_admin,
 capability sys_chroot,
+ capability dac_override,
 @{exec_path} mr,
@@ -27,6 +28,9 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 @{PROC}/@{pid}/oom_adj w,
 @{PROC}/@{pid}/oom_score_adj w,
+ # Silencer
+ deny /dev/pts/@{int} rw, # file_inherit
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray
new file mode 100644
index 00000000..5a923835
--- /dev/null
+++ b/apparmor.d/profiles-s-z/v2ray
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/v2ray
+profile v2ray @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet raw,
+ network inet6 dgram,
+ network inet6 raw,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/v2ray/{,*} r,
+ /usr/share/v2ray/**.dat r,
+
+ @{PROC}/sys/net/core/somaxconn r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m
index 1a0e3341..ade896ea 100644
--- a/apparmor.d/profiles-s-z/w3m
+++ b/apparmor.d/profiles-s-z/w3m
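Review bot: `capability dac_override,` in the first signal-desktop-chrome-sandbox hunk is added to a setuid sandbox helper that already holds `sys_admin` and `sys_chroot`, with no comment recording which access triggered it; DAC override applies to every file rule in the profile, so one denial on a single path now removes permission checks on everything the profile already allows. Please attach the denial (or at least the path and operation) as a trailing comment, e.g. `capability dac_override, # <PLACEHOLDER: denied path/operation>`, and check whether a narrower grant covers it, for instance `dac_read_search` if only traversal or read of a root-owned directory was refused. The second hunk's `deny /dev/pts/@{int} rw, # file_inherit` is a reasonable silencer and needs nothing further.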
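Review bot: The new v2ray profile grants `network inet stream,` but no `network inet6 stream,`, so TCP listeners and outbound connections over IPv6 will be denied while IPv6 UDP and raw are allowed; unless that asymmetry is deliberate, `network inet6 stream,` belongs next to `network inet6 dgram,` (the new xray profile has the identical rule set and the same gap). Creating `SOCK_RAW` sockets also needs CAP_NET_RAW at the kernel level, so if v2ray runs as root the `inet raw` and `inet6 raw` lines additionally require `capability net_raw,` to be of any use, and if it runs as an unprivileged service they are dead rules that could be dropped, which is the tighter choice; a comment stating which deployment is assumed would settle it. Since the two profiles differ only in the name and the two data paths, a shared abstraction would keep them from drifting apart, though that is a maintainer preference.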
@@ -36,7 +36,7 @@ profile w3m @{exec_path} {
 owner @{user_config_dirs}/w3m/{,**} rw,
- owner @{tmp}/@{rand6}/{,**} rw,
+ owner @{tmp}/w3m-@{rand6}/{,**} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray
new file mode 100644
index 00000000..7e86ada2
--- /dev/null
+++ b/apparmor.d/profiles-s-z/xray
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xray
+profile xray @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet raw,
+ network inet6 dgram,
+ network inet6 raw,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/xray/{,*} r,
+ /usr/share/xray/**.dat r,
+
+ @{PROC}/sys/net/core/somaxconn r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor