diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app
index ff37cf71..d8cb1739 100644
--- a/apparmor.d/abstractions/bwrap-app
+++ b/apparmor.d/abstractions/bwrap-app
@@ -16,7 +16,7 @@
 include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete
index 12445c2d..0719d3cd 100644
--- a/apparmor.d/abstractions/wayland.d/complete
+++ b/apparmor.d/abstractions/wayland.d/complete
@@ -2,7 +2,7 @@
 # Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
+ owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
 owner /dev/shm/sway* rw,
 owner /dev/shm/dunst-@{rand6} rw,
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index 7ccb4dc6..48c98fbb 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@@ -19,7 +19,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 9ab3e8ab..b5e4a0e0 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -158,6 +158,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.viminfo{,.tmp} rw,
 owner @{HOME}/.selected_editor r,
+ include if exists
 }
 profile pager {
@@ -179,6 +180,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 owner /tmp/apt-changelog-*/ r,
 owner /tmp/apt-changelog-*/*.changelog r,
+ include if exists
 }
 profile dpkg-source flags=(complain) {
@@ -206,6 +208,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 audit deny owner @{HOME}/.*/ rw,
 audit deny owner @{HOME}/.*/** mrwkl,
+ include if exists
 }
 profile systemctl {
@@ -234,6 +237,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 /dev/kmsg w,
+ include if exists
 }
 include if exists
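Review bot: Granting `w` on `wayland-@{int}.lock` inside a shared abstraction gives every profile that includes it write access to the compositor's lock file, although only the compositor side (libwayland-server) creates and flocks that file — as far as I know libwayland-client never opens it. The same commit then drops the compositor-specific rules from gnome-shell, kwin_wayland_wrapper and labwc, so this broadened rule becomes the only thing carrying them. I would keep the abstraction at `owner @{run}/user/@{uid}/wayland-@{int}.lock rk,` (or drop it, since clients do not need it) and leave `owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,` in the compositor profiles, so a confined client cannot truncate or rewrite the lock.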
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 0691c3ff..9be59a4d 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -30,7 +30,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.PolicyKit1.AuthenticationAgent
 peer=(name=:*), # all members
- dbus (send) bus=system path=/org/freedesktop/DBus
+ dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={GetConnectionUnixProcessID,GetConnectionUnixUser}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
index ea58402d..5b6fd1c1 100644
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@@ -34,10 +34,10 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
- owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
- owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
- owner @{run}/user/@{uid}/webkitgtk/bus-proxy-[0-9A-Z]* rw,
- owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
+ owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider
index ca4c2ee3..bdaeaad5 100644
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@@ -14,7 +14,7 @@ profile epiphany-search-provider @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index 4c04fddd..9c920401 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index cb836f40..272fae37 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -16,6 +16,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index 9f1c8e62..68c33a28 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -9,8 +9,11 @@ include
 @{exec_path} = @{bin}/gnome-calendar
 profile gnome-calendar @{exec_path} {
 include
+ include
 include
 include
+ include
+ include
 include
 include
 include
@@ -28,6 +31,10 @@ profile gnome-calendar @{exec_path} {
 network netlink raw,
 dbus bind bus=session name=org.gnome.Calendar,
+ dbus (send, receive) bus=session path=/org/gnome/Calendar
+ interface=org.freedesktop.{Actions,Application}
+ peer=(name="{:*,org.freedesktop.DBus}"),
 dbus receive bus=session path=/org/gnome/Calendar/SearchProvider
 interface=org.gnome.Shell.SearchProvider2
 peer=(name=:*, label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 19d80ad0..813a5b68 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
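Review bot: The interface glob on the new `dbus (send, receive)` rule, `org.freedesktop.{Actions,Application}`, looks wrong: as far as I know GApplication exports `org.gtk.Application`, `org.gtk.Actions` and `org.freedesktop.Application` on its object path, and there is no `org.freedesktop.Actions`, so the rule matches a phantom interface and misses the `org.gtk.*` traffic (the software-properties-gtk hunk in this same change spells it `org.gtk.{Application,Actions}`). I would write `interface={org.gtk.{Application,Actions},org.freedesktop.Application}` and confirm against the audit log. The peer also carries no `label=`, unlike the neighbouring SearchProvider2 rule; if the callers are known (gnome-shell, gio-launch-desktop), pinning a label keeps an arbitrary session-bus peer from driving the application's actions. The profile body continues outside the hunk.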
@@ -107,17 +107,19 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
 owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
+ owner @{user_games_dirs}/**.png r,
 owner @{user_share_dirs}/backgrounds/{,**} rw,
- owner @{user_share_dirs}/icc/{,edid-*} r,
- owner @{user_share_dirs}/sounds/__custom/{,*} rw,
 owner @{user_share_dirs}/gnome-remote-desktop/ w,
 owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
+ owner @{user_share_dirs}/icc/{,edid-*} r,
+ owner @{user_share_dirs}/sounds/__custom/{,*} rw,
+
+ owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
 owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
 owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
- owner @{run}/user/@{uid}/wayland-@{int} rw,
 @{run}/cups/cups.sock rw,
 @{run}/samba/ rw,
 @{run}/systemd/sessions/ r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 0b68adce..db66d749 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -9,14 +9,16 @@ include
 @{exec_path} = @{lib}/gnome-control-center-goa-helper
 profile gnome-control-center-goa-helper @{exec_path} {
 include
+ include
 include
 include
 include
 include
+ include
 include
 include
 include
- include
+ include
 include
 include
 include
@@ -33,15 +35,20 @@ profile gnome-control-center-goa-helper @{exec_path} {
 signal (send) set=(kill) peer=bwrap,
+ dbus bind bus=session name=org.gnome.Settings.GoaHelper,
+
+ dbus send bus=session path=/org/gnome/OnlineAccounts
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=:*, label=goa-daemon),
+
 @{exec_path} mr,
 @{bin}/bwrap rPUx,
 @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/themes/{,**} r,
- /usr/share/X11/xkb/{,**} r,
+ /usr/share/publicsuffix/public_suffix_list.dafsa r,
 /var/lib/flatpak/exports/share/icons/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks
index 2190f5d2..6de134ed 100644
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@@ -12,7 +12,7 @@ profile gnome-disks @{exec_path} {
 include
 include
 include
- include
+ include
 include
 dbus bind bus=session name=org.gnome.DiskUtility,
@@ -22,9 +22,6 @@ profile gnome-disks @{exec_path} {
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
 @{lib}/gio-launch-desktop rPx -> child-open,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/X11/xkb/{,**} r,
-
 owner @{user_cache_dirs}/gnome-disks/{,**} rw,
 @{PROC}/1/cgroup r,
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
index 8bde3fe3..f2d6bfec 100644
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@@ -11,7 +11,7 @@ profile gnome-initial-setup @{exec_path} {
 include
 include
 include
- include
+ include
 include
 network netlink raw,
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index c701c6e3..f7dae57f 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -11,7 +11,7 @@ profile gnome-music @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index fb472573..6f289feb 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -324,7 +324,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
 owner @{run}/user/@{uid}/systemd/notify rw,
- owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
 owner @{run}/user/@{uid}/pipewire-@{int} rw,
 owner /dev/shm/.org.chromium.Chromium.* rw,
@@ -333,7 +332,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /tmp/.X@{int}-lock rw,
 /tmp/dbus-@{rand8} rw,
 owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
- owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
+ owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
 @{run}/systemd/users/@{uid} r,
 @{run}/systemd/seats/seat@{int} r,
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index a2475f02..ff53d658 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -11,7 +11,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 include
 capability sys_ptrace,
@@ -31,15 +31,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 /usr/share/gnome-system-monitor/{,**} r,
 /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
- # freedesktop.org-strict
- /usr/share/pixmaps/{,**} r,
- /usr/share/*ubuntu/applications/{,**} r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
- /etc/machine-id r,
-
- /var/lib/snapd/desktop/icons/ r,
-
 owner @{run}/user/@{uid}/doc/ rw,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index 43ee2df2..b54e2959 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@@ -11,8 +11,7 @@ profile gnome-tweaks @{exec_path} {
 include
 include
 include
- include
- include
+ include
 include
 @{exec_path} mr,
@@ -23,7 +22,6 @@ profile gnome-tweaks @{exec_path} {
 @{lib}/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/gnome-tweaks/{,**} r,
 /etc/xdg/autostart/{,**} r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 6737183a..01049b2b 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -20,8 +20,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
- include
+ include
 include
 include
 include
@@ -92,6 +93,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 @{bin}/{,ba,da}sh rix,
 @{bin}/bwrap rPUx,
+ @{bin}/file-roller rPx,
 @{bin}/firejail rPUx,
 @{bin}/net rPUx,
 @{bin}/tracker3 rPUx,
@@ -99,7 +101,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
 @{lib}/gio-launch-desktop rPx -> child-open,
- /usr/share/*ubuntu/applications/{,**} r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
 /usr/share/libdrm/*.ids r,
 /usr/share/nautilus/{,**} r,
@@ -112,7 +113,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 /etc/fstab r,
 /var/cache/fontconfig/ rw,
- /var/lib/snapd/desktop/icons/{,**} r,
 # Full access to user's data
 / r,
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
index fcba0883..2585f937 100644
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -12,7 +12,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index ca94397f..817c54f8 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -17,7 +17,7 @@ profile seahorse @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
@@ -33,15 +33,9 @@ profile seahorse @{exec_path} {
 @{bin}/gpg{,2} rPx,
 @{bin}/gpgsm rPx,
- # freedesktop.org-strict
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/*ubuntu/applications/ r,
-
 /etc/pki/trust/blocklist/ r,
 /etc/gcrypt/hwf.deny r,
- /var/lib/snapd/desktop/icons/ r,
-
 owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper
index 1b91d08d..a3b9ceed 100644
--- a/apparmor.d/groups/kde/kwin_wayland_wrapper
+++ b/apparmor.d/groups/kde/kwin_wayland_wrapper
@@ -20,7 +20,6 @@ profile kwin_wayland_wrapper @{exec_path} {
 owner @{run}/user/@{uid}/#@{int} rw,
 owner @{run}/user/@{uid}/xauth_@{rand6} w,
- owner @{run}/user/@{uid}/wayland-*.lock rk,
 owner /tmp/.X1-lock rw,
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 538d71ce..290a5603 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -9,18 +9,41 @@ include
 @{exec_path} = /usr/share/netplan/netplan.script
 profile netplan.script @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
 @{exec_path} mr,
- @{lib}/netplan/generate rix,
+ @{lib}/netplan/generate rix,
+ @{bin}/udevadm rCx -> udevadm,
 /usr/share/netplan/{,**} r,
 /etc/netplan/{,*} r,
+ @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf w,
+ @{run}/NetworkManager/system-connections/ r,
+ @{run}/NetworkManager/system-connections/netplan-*.nmconnection w,
 @{run}/systemd/system/ r,
+ @{run}/systemd/system/netplan-* rw,
 @{run}/systemd/system/systemd-networkd.service.wants/ r,
+ @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
+ @{run}/udev/rules.d/ r,
+ profile udevadm {
+ include
+ include
+
+ @{bin}/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ @{run}/udev/rules.d/90-netplan.rules rw,
+ @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,
+
+ include if exists
+ }
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index c59851b6..8b1decab 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
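Review bot: The `udevadm` child profile is given `rw` on `@{run}/udev/rules.d/90-netplan.rules{,.@{rand6}}` while the parent, which runs `generate` with `rix`, only gets `@{run}/udev/rules.d/ r,`; udevadm does not author rules files, so the write was presumably logged against the child because an already-open descriptor was inherited across the `rCx` transition (AppArmor revalidates inherited fds on a domain change). It is worth confirming which process actually opens that file; if it is netplan or `generate`, the parent needs `@{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw,` and the child can be reduced to `r` or nothing. Separately, the child shows no rule for `@{run}/udev/control` or `@{sys}/**/uevent`, which `udevadm control --reload` and `udevadm trigger` need; the abstractions it includes are not visible in this rendering, so this may already be covered.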
@@ -10,33 +10,37 @@ include
 profile software-properties-gtk @{exec_path} {
 include
 include
+ include
 include
 include
 include
 include
 include
- include
- include
+ include
 include
 include
 include
- include
 dbus bind bus=session name=com.ubuntu.SoftwareProperties,
- dbus send bus=system path=/
- interface=com.ubuntu.SoftwareProperties
- peer=(name=:*),
-
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=:*, label=gnome-shell),
+ dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties
+ interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}}
+ peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk),
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
 peer=(name=:*),
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=:*, label=ubuntu-advantage-desktop-daemon),
+
+ dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=ubuntu-advantage-desktop-daemon),
+
 @{exec_path} mr,
 @{bin}/ r,
@@ -51,8 +55,6 @@ profile software-properties-gtk @{exec_path} {
 @{bin}/ubuntu-advantage rPx,
 /usr/share/distro-info/*.csv r,
- /usr/share/icons/{,**} r,
- /usr/share/mime/mime.cache r,
 /usr/share/pixmaps/ r,
 /usr/share/python-apt/{,**} r,
 /usr/share/software-properties/{,**} r,
@@ -64,8 +66,6 @@ profile software-properties-gtk @{exec_path} {
 /etc/apport/blacklist.d/{,*} r,
 /etc/default/apport r,
- /etc/gtk-3.0/settings.ini r,
- /etc/machine-id r,
 /etc/update-manager/release-upgrades r,
 /var/crash/*software-properties-gtk.@{uid}.crash rw,
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index e42d987a..fba77e55 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
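Review bot: The merged `dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties` rule mixes two different peers. The name is bound on the session bus (`dbus bind bus=session name=com.ubuntu.SoftwareProperties`), so GApplication's `org.gtk.{Application,Actions}` traffic at `/com/ubuntu/SoftwareProperties` is session-bus traffic and will never match a `bus=system` rule; meanwhile the `com.ubuntu.SoftwareProperties` interface that the removed rule reached on the system bus at `path=/` is served by the privileged backend, which is unlikely to run under the `software-properties-gtk` label, so that call is likely to be denied as well. I would split it into a session-bus rule for the application's own Actions/Application interfaces and a system-bus rule for the backend, with the backend's label taken from the audit log rather than guessed.
```apparmor
  dbus bind bus=session name=com.ubuntu.SoftwareProperties,

  dbus (send, receive) bus=session path=/com/ubuntu/SoftwareProperties
       interface=org.gtk.{Application,Actions}
       peer=(name="{:*,org.freedesktop.DBus}", label=software-properties-gtk),

  dbus send bus=system path=/
       interface=com.ubuntu.SoftwareProperties
       peer=(name=:*), # TODO: pin label= to the software-properties backend profile

  # … unchanged: Introspect and ubuntu-advantage-desktop-daemon rules …
```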
@@ -10,20 +10,20 @@ include
 profile update-manager @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
+ include
 include
 include
 include
 include
 include
- include
- include
+ include
 include
 include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
@@ -55,7 +55,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 /usr/share/X11/{,**} r,
 /etc/gtk-3.0/settings.ini r,
- /etc/machine-id r,
 /etc/update-manager/{,**} r,
 /boot/ r,
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index c03a4f21..aeebe6d0 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -36,6 +36,8 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 include
 include
+# userns,
+
 capability sys_admin, # If kernel.unprivileged_userns_clone = 1
 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index 5f8cfaf2..b1777123 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -10,7 +10,11 @@ include
 profile cups-notifier-dbus @{exec_path} {
 include
+ signal (receive) set=(term) peer=cupsd,
+
 @{exec_path} mr,
+ /tmp/cups-dbus-notifier-lockfile rwk,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
index ee0d8bf7..10e9bd7e 100644
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@@ -41,6 +41,8 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 network rose dgram,
 network x25 seqpacket,
+ signal (send) set=(term) peer=cups-notifier-dbus,
+
 @{exec_path} mr,
 @{bin}/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index db291556..3027f745 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
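Review bot: `# userns,` is added as a commented-out rule with no explanation, while the two capability lines directly below it each say why they are there; a reader cannot tell whether it is waiting on parser/kernel support or was deliberately disabled. I would annotate it the same way, e.g. `# userns, # TODO: enable once the installed apparmor parser accepts the userns rule`, so nobody silently deletes it or enables it on a parser that rejects it. The profile body continues outside the hunk.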
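Review bot: `/tmp/cups-dbus-notifier-lockfile rwk,` lets the notifier create, write and lock a fixed, predictable name in world-writable `/tmp` without an `owner` qualifier, so a file pre-created there by another local user would be matched as well. Assuming the notifier always creates the file itself under its own uid, `owner /tmp/cups-dbus-notifier-lockfile rwk,` makes the policy refuse a planted file instead of following it; the likely cost is a denied lock (lost notifications) rather than a write into someone else's file, which is the better failure mode.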
@@ -14,7 +14,7 @@ profile evince @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
@@ -50,7 +50,6 @@ profile evince @{exec_path} {
 /usr/share/ghostscript/{,**} r,
 /usr/share/poppler/{,**} r,
 /usr/share/thumbnailers/{,*} r,
- /usr/share/themes/{,**} r,
 owner @{user_share_dirs}/ r,
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index bc227ac0..8e03473a 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -29,6 +29,7 @@ profile file-roller @{exec_path} {
 # Archivers
 @{bin}/7z rix,
+ @{bin}/ar rix,
 @{bin}/bzip2 rix,
 @{bin}/cpio rix,
 @{bin}/gzip rix,
diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc
index e0818920..e5fca2be 100644
--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
@@ -58,8 +58,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/sessions/* r,
 @{run}/systemd/seats/seat@{int} r,
- @{run}/user/@{uid}/wayland-@{int}.lock k,
-
 owner @{PROC}/@{pid}/fd/ r,
 owner /tmp/.X[0-9]*-lock rw,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index cd1bb1ba..3bdb65da 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -156,7 +156,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
 owner /tmp/dumps/ rw,
 owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
- owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
+ owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
 owner /tmp/miles_image_* mrw,
 owner /tmp/runtime-info.txt.* rwk,
 owner /tmp/sh-thd.* rw,