diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 27fd724e..0ded777b 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -4,15 +4,6 @@ abi , - ##include - ##include - - # TODO: adjust when support finer-grained netlink rules - #network netlink raw, - - #/etc/udev/udev.conf r, - #/etc/wildmidi/wildmidi.cfg r, - /etc/openni2/OpenNI.ini r, /tmp/ r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 5b41316a..f48523b5 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -14,11 +14,14 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, ptrace (read), + network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixProcessID @@ -41,7 +44,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/pactl rPx, + /{usr/,}bin/pactl rix, /{usr/,}bin/pipewire-media-session rPx, /usr/share/pipewire/pipewire*.conf r, @@ -51,16 +54,23 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/pipewire.conf r, /etc/pipewire/pipewire.conf.d/{,*} r, + /var/lib/gdm/.config/pulse/cookie rk, + / r, + /.flatpak-info r, owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, + @{run}/udev/data/c50[0-9]:[0-9]* r, + @{run}/udev/data/c81:[0-9]* r, # For video4linux + + @{sys}/bus/ r, + @{sys}/bus/media/devices/ r, + @{sys}/devices/**/device:*/**/path r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - /dev/video[0-9]* rw, + /dev/media[0-9]* rw, include if exists } 
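Review bot: Switching `/{usr/,}bin/pactl rPx,` to `/{usr/,}bin/pactl rix,` in the pipewire profile runs pactl inside pipewire's own confinement, so it inherits `capability sys_ptrace`, `ptrace (read)` and the newly added `network netlink raw,` from the first pipewire hunk rather than the narrower rule set of the dedicated pactl profile this same commit edits. If `rix` was chosen because the pactl profile lacks a rule pipewire needs when it spawns pactl, adding that rule to the pactl profile and keeping `rPx` would be the least-privilege fix; if the transition really must be inherited, a one-line comment stating why would help the next reviewer.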
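Review bot: `/var/lib/gdm/.config/pulse/cookie rk,` in the last pipewire hunk hardcodes `/var/lib/gdm/`, while the gnome-shell hunks in this commit spell the same home as `/var/lib/gdm{3,}/.config/pulse/cookie`, so the new rule will not match on distributions where the directory is gdm3. The pactl hunk later in the diff adds the identical hardcoded path and has the same problem. Suggested form for both: `/var/lib/gdm{3,}/.config/pulse/cookie rk,`. Since the pulse cookie is an authentication secret shared with the display manager's session, a short comment on why pipewire needs to read it would also be worth adding.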
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 5b2ce5ce..e316cfa4 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { /usr/share/*/*.desktop r, - /var/lib/flatpak/{app/**/,}export/share/applications/{,**/} r, - /var/lib/flatpak/{app/**/,}export/share/applications/**.desktop r, - /var/lib/flatpak/{app/**/,}export/share/applications/.mimeinfo.cache.* rw, - /var/lib/flatpak/{app/**/,}export/share/applications/mimeinfo.cache w, + /var/lib/flatpak/{app/**/,}export{s,}/share/applications/{,**/} r, + /var/lib/flatpak/{app/**/,}export{s,}/share/applications/**.desktop r, + /var/lib/flatpak/{app/**/,}export{s,}/share/applications/.mimeinfo.cache.* rw, + /var/lib/flatpak/{app/**/,}export{s,}/share/applications/mimeinfo.cache w, /var/lib/snapd/desktop/applications/{,**/} r, /var/lib/snapd/desktop/applications/**.desktop r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 017ddc7d..635057ae 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -82,6 +82,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/gdm{3,}/custom.conf r, + @{run}/motd.d/{,*} r, @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index b456a2e8..adb221c2 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager 
@@ -14,10 +14,13 @@ profile gnome-extension-manager @{exec_path} { include include include + include include include include + include include + include network inet dgram, network inet6 dgram, @@ -29,9 +32,16 @@ profile gnome-extension-manager @{exec_path} { /{usr/,}bin/gjs-console rix, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + /{usr/,}lib/gio-launch-desktop rPx -> child-open, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/org.gnome.Shell.Extensions r, + /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, + # Silencer + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index fbabab2b..f14bf5c0 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -11,15 +11,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include include - include include include include include include + include include include include @@ -29,6 +30,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include include 
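Review bot: The second gnome-extension-manager hunk ends with `\ No newline at end of file` on the new side, so the closing `}` is left without a terminating newline; the os-prober hunk later in this diff has the same marker. Every other profile touched here ends with a newline after `include if exists` and `}`, so adding the trailing newline in both files keeps them consistent and avoids noisy diffs on the next edit. The `# Silencer` deny rule and the `rPx -> child-open` transitions above it look consistent with the rest of the profile set.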
@@ -511,13 +513,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/gnome-applications.menu r, /var/lib/gdm{3,}/.cache/ w, + /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, + /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw, + /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, + /var/lib/gdm{3,}/.cache/libgweather/ r, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, - /var/lib/gdm{3,}/.cache/libgweather/ r, - /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/ibus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/ rw, @@ -527,6 +531,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.local/share/applications/{,**} r, /var/lib/gdm{3,}/.local/share/gnome-shell/ rw, + /var/lib/gdm{3,}/.local/share/icc/{,*} rw, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/AccountsService/icons/* r, @@ -553,6 +559,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{user_share_dirs}/icc/{,*} rw, owner @{user_share_dirs}/sounds/__custom/index.theme r, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, @@ -638,6 +645,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, /dev/input/event[0-9]* rw, + /dev/media[0-9]* rw, /dev/tty[0-9]* rw, include if exists 
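Review bot: `/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,` is only moved in this hunk, but since the line is being touched it is worth noting that the hardcoded x86_64 triplet makes the rule dead on every other architecture, so the greeter will hit a denial there. A host-independent glob such as `/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.*-linux-gnu rwk,` keeps the same intent without pinning the arch (note `@{multiarch}` would not fit here, as it expands to a Debian-style triplet rather than `x86_64-pc-linux-gnu`). In the final gnome-shell hunk, `/dev/media[0-9]* rw,` grants read-write on media-controller nodes with no comment; the neighbouring `/dev/input/event[0-9]*` and `/dev/tty[0-9]*` rules are self-explanatory, this one is not, so a comment naming the component that needs it would help.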
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 34e3000d..9c063b15 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -67,8 +67,9 @@ profile gnome-software @{exec_path} { /var/lib/PackageKit/prepared-update r, owner @{HOME}/.var/app/{,**/} r, - owner @{user_cache_dirs}/gnome-software/{,**} rw, owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw, + owner @{user_cache_dirs}/gnome-software/{,**} rw, + owner @{user_share_dirs}/ r, owner @{user_share_dirs}/flatpak/repo/{,**} rw, /var/tmp/flatpak-cache-*/ rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 806d0e33..79a44ded 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -39,6 +39,8 @@ profile gnome-terminal-server @{exec_path} { /etc/shells r, + owner @{user_config_dirs}/*xdg-terminals.list* rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index e664d219..76eeade0 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -16,6 +16,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include + include dbus send bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 6484e034..46d0bccd 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -6,7 +6,8 @@ abi , include -@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon" +@{exec_path} = /{usr/,}bin/mullvad-daemon +@{exec_path} += "/opt/Mullvad VPN/resources/mullvad-daemon" profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include include 
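Review bot: In the gnome-terminal-server hunk, `owner @{user_config_dirs}/*xdg-terminals.list* rw,` uses leading and trailing `*`, which matches any file in the config directory whose name merely contains `xdg-terminals.list`. If the intent is the desktop-prefixed variants plus the temporary files written during atomic replacement, a tighter pattern such as `owner @{user_config_dirs}/{,*-}xdg-terminals.list{,.*} rw,` expresses that directly and avoids granting write on unrelated names; I am inferring the intent from the file name, so please confirm against the writer.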
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index b462f246..6b733d3e 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -113,6 +113,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/users/@{uid} rw, @{sys}/class/drm/ r, + @{sys}/class/power_supply/ r, @{sys}/devices/** r, @{sys}/devices/**/brightness rw, @{sys}/devices/virtual/tty/tty[0-9]*/active r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 3c9284d4..4703141f 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -18,11 +18,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability fowner, capability fsetid, + capability kill, capability mknod, capability net_admin, capability sys_admin, capability sys_chroot, - capability kill, + capability sys_ptrace, network inet dgram, network inet6 dgram, @@ -42,6 +43,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/, pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/, + ptrace (read) peer=docker-*, ptrace (read) peer=unconfined, signal (send) set=kill peer=docker-*, @@ -62,7 +64,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { # TODO: should be in a sub profile started with pivot_root, not supported yet. /{,**} rw, deny /boot/{,**} rw, - deny /dev/{,**} rw, deny /media/{,**} rw, deny /mnt/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 52b178ec..41900e11 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
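Review bot: In the third dockerd hunk, dropping `deny /dev/{,**} rw,` while the context line `/{,**} rw,` remains makes every device node writable by dockerd, and the `# TODO` immediately above says the catch-all rule is itself a stopgap until a pivot_root sub-profile exists. Because AppArmor deny rules cannot be punched through by a later allow, the usual fix when one node is needed is to narrow the deny rather than remove it; which node dockerd was hitting is not visible in the hunk, so a comment naming it and a deny that excludes only that path would preserve the rest of the protection. The `capability sys_ptrace,` and `ptrace (read) peer=docker-*,` additions in the earlier hunks are consistent with each other and scoped to container peers, which looks fine.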
@@ -122,7 +122,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/qemu-img rUx, # TODO: Integration with virt-aa-helper /{usr/,}lib/libvirt/virt-aa-helper rPx, - /etc/libvirt/hooks/** rmix, + /etc/libvirt/hooks/** rPUx, /etc/xen/scripts/** rmix, /var/lib/libvirt/virtd* rix, @@ -175,6 +175,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c24[0-9]:[0-9]* r, @{run}/udev/data/c50[0-9]:[0-9]* r, @{run}/udev/data/c51[0-9]:[0-9]* r, + @{run}/udev/data/c90:[0-9]* r, @{run}/udev/data/n[0-9]* r, @{sys}/bus/[a-z]*/devices/ r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 3b35e019..cc394a4e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -7,12 +7,13 @@ abi , include @{exec_path} = /{usr/,}bin/nvtop -profile nvtop @{exec_path} { +profile nvtop @{exec_path} flags=(attach_disconnected) { include include include include include + include capability sys_ptrace, @@ -22,7 +23,23 @@ profile nvtop @{exec_path} { /usr/share/terminfo/x/xterm-256color r, + @{run}/systemd/inhibit/*.ref r, + @{run}/udev/data/+drm:* r, + @{run}/udev/data/c226:[0-9]* r, + @{run}/udev/data/c236:[0-9]* r, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/devices/pci[0-9]*/**/enable r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_cur_freq_mhz r, + + @{PROC}/ r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/fdinfo/[0-9]* r, @{PROC}/@{pids}/stat r, @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index a8f2e3ec..6e337414 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober 
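Review bot: `/etc/libvirt/hooks/** rPUx,` in the first libvirtd hunk falls back to unconfined for any hook script without a dedicated profile, whereas the replaced `rmix` at least kept hooks under libvirtd's own rules. Hooks are admin-provided scripts, so the choice may be deliberate, but nothing in the profile says so; a comment such as `# Hook scripts are admin-provided; run unconfined unless a dedicated profile exists` next to the rule would record the decision, mirroring the `# TODO` note on the `virt-aa-helper` line above it.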
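Review bot: The second nvtop hunk adds `@{PROC}/@{pids}/fd/ r,`, `@{PROC}/@{pids}/fdinfo/ r,` and `@{PROC}/@{pids}/fdinfo/[0-9]* r,` without `owner`, i.e. reads of other users' process state; on kernels with ptrace mediation the file rule alone is not sufficient for foreign processes and a `ptrace (read),` rule is also needed. The first nvtop hunk shows `capability sys_ptrace,` in context but no `ptrace (read),` is visible in either hunk, so unless it is granted outside the hunks these reads will be denied for processes in other domains; adding `ptrace (read),` next to the capability would close that gap. The new `flags=(attach_disconnected)` on the profile line has no comment explaining which disconnected path triggered it, which is worth a note since that flag is a broad relaxation.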
@@ -7,15 +7,20 @@ abi , include @{exec_path} = /{usr/,}bin/os-prober -profile os-prober @{exec_path} { +profile os-prober @{exec_path} flags=(attach_disconnected) { include + include - @{exec_path} mr, + capability sys_admin, + @{exec_path} mrix, + + /{usr/,}{s,}bin/blkid rPx, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{e,f,}grep rix, /{usr/,}bin/cut rix, /{usr/,}bin/head rix, + /{usr/,}bin/kmod rPx, /{usr/,}bin/logger rix, /{usr/,}bin/lsblk rPx, /{usr/,}bin/mktemp rix, @@ -30,5 +35,8 @@ profile os-prober @{exec_path} { owner /tmp/os-prober.*/{,**} rw, + @{sys}/block/ r, + @{sys}/devices/pci[0-9]*/**/block/*/ r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index c1f552af..4a2c600a 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -20,6 +20,8 @@ profile pactl @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + /var/lib/gdm/.config/pulse/cookie rk, + owner @{HOME}/.Xauthority r, owner @{user_config_dirs}/pulse/ rw, diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 3e4fd84f..34bf3a41 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -21,6 +21,7 @@ profile snap-update-ns @{exec_path} { @{run}/snapd/ns/{,**} rw, @{sys}/fs/cgroup/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 7a97089a..2cbc6882 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -110,6 +110,7 @@ profile snapd @{exec_path} { /tmp/syscheck-squashfs-[0-9]* rw, /tmp/read-file[0-9]*/{,**} rw, + / r, /home/ r, @{HOME}/ r, @{HOME}/snap/{,**} rw, 
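Review bot: The first os-prober hunk adds `capability sys_admin,` but neither hunk adds a `mount` or `umount` rule; AppArmor mediates mounts separately from capabilities, so if os-prober mounts candidate partitions itself the capability alone will not let it, and if mounting is done by a helper the capability may belong in that helper's profile instead. Either way the broadest capability in the set deserves a comment stating what it is for, e.g. `# Needed to mount partitions while probing for other operating systems` if that is the reason. `@{exec_path} mrix,` also lets os-prober re-execute itself under the same profile, which is plausible for a script that calls its own helpers but is unusual enough to warrant a short comment as well.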
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 0708a206..ebd71ff4 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -88,7 +88,7 @@ profile steam @{exec_path} { @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{setup,run}.sh rix, - @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{amd64,i386}/usr/bin/* rix, + @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/**.so* mr, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper.sh rix, @@ -98,6 +98,7 @@ profile steam @{exec_path} { /usr/share/terminfo/x/xterm-256color r, /usr/share/themes/{,**} r, /usr/share/X11/{,**} r, + /usr/share/zenity/* r, /etc/lsb-release r, /etc/udev/udev.conf r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index cc89bfd4..852b6dc1 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -63,6 +63,7 @@ profile sudo @{exec_path} { /etc/sudoers.d/{,*} r, /var/log/sudo.log wk, + /var/lib/sudo/lectured/ r, owner /var/lib/sudo/lectured/* rw, owner @{HOME}/.sudo_as_admin_successful rw, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 312a45e4..aa9ac900 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -13,6 +13,8 @@ profile which @{exec_path} flags=(complain) { @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{local/,}{s,}bin/ r, /{usr/,}lib/go-*/bin/ r, /{usr/,}{local/,}games/ r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 0d7ccd5b..fc4082e1 100644 --- a/apparmor.d/profiles-s-z/wireplumber 
+++ b/apparmor.d/profiles-s-z/wireplumber @@ -12,6 +12,7 @@ profile wireplumber @{exec_path} { include include include + include network bluetooth raw, network bluetooth seqpacket, @@ -34,22 +35,22 @@ profile wireplumber @{exec_path} { @{run}/systemd/users/@{uid} r, @{run}/udev/data/+sound:card[0-9]* r, # For sound - @{run}/udev/data/c81:[0-9]* r, # For video4linux @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/c50[0-9]:[0-9]* r, + @{run}/udev/data/c81:[0-9]* r, # For video4linux @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/sound/ r, - @{sys}/class/video4linux/ r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/pci[0-9]*/**/modalias r, @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r, @{sys}/devices/system/cpu/possible r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r, + @{sys}/devices/**/device:*/**/path r, + /dev/media[0-9]* rw, /dev/snd/ r, - /dev/video[0-9]* rw, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 17a84e8b..6e4770f5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -46,7 +46,7 @@ cups-browsed complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain dkms attach_disconnected,complain -docker attach_disconnected,complain +dockerd attach_disconnected,complain downloadhelper complain e2fsck complain etckeeper complain
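Review bot: The second wireplumber hunk removes `/dev/video[0-9]* rw,` and `@{sys}/class/video4linux/ r,` yet keeps the context lines `@{run}/udev/data/c81:[0-9]* r, # For video4linux` and `@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,`, so the profile now enumerates v4l2 devices over udev but can no longer open them. If the move to `/dev/media[0-9]* rw,` means wireplumber is expected to leave v4l2 nodes to pipewire, the remaining video4linux rules can go too for consistency; if it still probes `/dev/video*`, the removal will surface as denials. A comment on the new `/dev/media[0-9]*` rule naming the monitor that needs it would make the intended split clear.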