From af1eda51bdc2c0cc9283d61c914d8e9b5430f8ec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 20 Jul 2023 21:07:27 +0100 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/apt/apt-methods-gpgv | 5 +- apparmor.d/groups/apt/apt-methods-http | 1 + apparmor.d/groups/apt/apt-methods-store | 3 +- apparmor.d/groups/apt/apt-overlay | 5 +- apparmor.d/groups/browsers/firefox | 11 ++- apparmor.d/groups/browsers/firefox-glxtest | 2 + .../groups/browsers/firefox-kmozillahelper | 2 + apparmor.d/groups/children/child-open | 2 +- apparmor.d/groups/cron/cron | 2 + apparmor.d/groups/freedesktop/dconf-service | 9 +- apparmor.d/groups/freedesktop/xrdb | 3 +- apparmor.d/groups/freedesktop/xsetroot | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 2 + apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 7 +- apparmor.d/groups/gnome/gsd-rfkill | 2 + apparmor.d/groups/gnome/mutter-x11-frames | 1 + apparmor.d/groups/gpg/gpgconf | 10 +- apparmor.d/groups/ssh/ssh-agent | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 14 ++- apparmor.d/groups/systemd/systemd-backlight | 3 +- apparmor.d/groups/systemd/systemd-tmpfiles | 2 + .../groups/ubuntu/check-new-release-gtk | 3 + apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/engrampa | 98 +++++++------------ apparmor.d/profiles-g-l/gsettings | 7 +- apparmor.d/profiles-g-l/keepassxc | 1 + 27 files changed, 107 insertions(+), 94 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index c77f7e6d..cd58b70f 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -20,9 +20,10 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, signal (receive) peer=apt-get, + signal (receive) peer=apt, signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, signal (receive) peer=synaptic, @{exec_path} mr, 
@@ -60,7 +61,7 @@ profile apt-methods-gpgv @{exec_path} { /etc/apt/keyrings/ r, /etc/apt/keyrings/*.{gpg,asc} r, /etc/apt/trusted.gpg r, - /etc/apt/trusted.gpg.d/{,*.gpg} r, + /etc/apt/trusted.gpg.d/{,*.{gpg,asc}} r, /etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg.d/{,*} r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 62035fc8..a24c02ca 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -26,6 +26,7 @@ profile apt-methods-http @{exec_path} { signal (receive) peer=apt-get, signal (receive) peer=apt, signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, signal (receive) peer=synaptic, signal (receive) peer=ubuntu-advantage, signal (receive) peer=unattended-upgrade, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index e7260fec..00c47c93 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -19,9 +19,10 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, signal (receive) peer=apt-get, + signal (receive) peer=apt, signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 3f0c1c1a..57b9910e 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -12,8 +12,9 @@ profile apt-overlay @{exec_path} { include @{exec_path} mr, - @{bin}/apt-get rPx, - @{bin}/ruby* mrix, + + @{bin}/apt-get rPx, + @{bin}/ruby* mrix, @{bin}/apt-overlay r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 962211bc..15274eab 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
@@ -38,17 +38,17 @@ profile firefox @{exec_path} flags=(attach_disconnected) { capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 capability sys_ptrace, - ptrace peer=@{profile_name}, - - signal (send) set=(term, kill) peer=keepassxc-proxy, - signal (send) set=(term, kill) peer=firefox-*, - network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + ptrace peer=@{profile_name}, + + signal (send) set=(term, kill) peer=keepassxc-proxy, + signal (send) set=(term, kill) peer=firefox-*, + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} @@ -199,6 +199,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{firefox_config_dirs}/ rw, owner @{firefox_config_dirs}/{extensions,systemextensionsdev}/ rw, + owner @{firefox_config_dirs}/extensions/\{*\}/ r, owner @{firefox_config_dirs}/firefox/ rw, owner @{firefox_config_dirs}/firefox/*/ rw, owner @{firefox_config_dirs}/firefox/*/** rwk, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 6833b6d1..56ba181b 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -26,6 +26,8 @@ profile firefox-glxtest @{exec_path} { owner /tmp/firefox/.parentlock rw, + owner @{run}/user/@{uid}/xauth_?????? r, + @{sys}/bus/pci/devices/ r, @{sys}/devices/pci[0-9]*/**/class r, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index 78385797..9447cc2e 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -10,6 +10,7 @@ include profile firefox-kmozillahelper @{exec_path} { include include + include include include include 
@@ -36,6 +37,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kwinrc r, owner @{run}/user/@{uid}/xauth_* rl, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index eca5bae5..2fc7ca7d 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -54,7 +54,7 @@ profile child-open { @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx, # Text editors - @{bin}/code rPx, + @{bin}/code rPx, @{bin}/gedit rPUx, /usr/share/code/{bin/,}code rPx, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 8ee5388e..807e6227 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -48,6 +48,8 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{run}/cron.pid rwk, owner @{run}/cron.reboot rw, + owner @{run}/crond.pid rwk, + owner @{run}/crond.reboot rw, @{run}/systemd/sessions/*.ref rw, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index 5982630a..10cbc0fb 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -20,7 +20,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus send bus=session path=/ca/desrt/dconf/Writer/user + dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer peer=(name=org.freedesktop.DBus), # all members and peer's labels 
@@ -39,15 +39,16 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /var/lib/gdm{3,}/.config/dconf/ rw, + /var/lib/gdm{3,}/.config/dconf/user rw, + /var/lib/gdm{3,}/.config/dconf/user.* rw, + owner @{user_config_dirs}/dconf/ rw, owner @{user_config_dirs}/dconf/user{,.*} rw, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/dconf/ rw, owner @{user_cache_dirs}/dconf/user rw, - /var/lib/gdm{3,}/.config/dconf/ rw, - /var/lib/gdm{3,}/.config/dconf/user rw, - /var/lib/gdm{3,}/.config/dconf/user.* rw, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 7de46f9e..fa6a86db 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -23,8 +23,8 @@ profile xrdb @{exec_path} { /usr/include/stdc-predef.h r, /usr/etc/X11/xdm/Xresources r, - @{etc_ro}/Xresources/x11-common r, @{etc_ro}/X11/Xresources r, + @{etc_ro}/X11/Xresources/x11-common r, # The location of the .Xresources file owner @{HOME}/.Xdefaults r, @@ -34,6 +34,7 @@ profile xrdb @{exec_path} { owner @{user_config_dirs}/Xresources/* r, owner /tmp/kcminit.* r, + owner /tmp/plasma-apply-lookandfeel.* r, owner /tmp/runtime-*/xauth_?????? r, owner /tmp/startplasma-x11.?????? r, owner /tmp/xauth-[0-9]*-_[0-9] r, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 3926a777..599aa865 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -25,6 +25,7 @@ profile xsetroot @{exec_path} { @{run}/sddm/\{@{uuid}\} r, @{run}/user/@{uid}/xauth_* rl, + @{run}/sddm/xauth_?????? r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 0e5253c4..c4800434 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
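Review bot: `@{run}/sddm/xauth_?????? r,` is inserted after the `@{run}/user/@{uid}/xauth_* rl,` rule rather than next to the existing `@{run}/sddm/\{@{uuid}\} r,` line, which splits the profile's two sddm paths. Moving it up one rule keeps the sddm entries together; the two xauth rules also differ in glob style (`??????` versus `*`), and aligning them would make the intended filename shape explicit. The xsetroot profile body starts outside the hunk.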
@@ -116,6 +116,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { /etc/gcrypt/hwf.deny r, + /var/lib/gdm{3,}/.local/ rw, + /var/lib/gdm{3,}/.local/share/ rw, /var/lib/gdm{3,}/.local/share/keyrings/ rw, # Keyrings location diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f230f3e8..bf768733 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -480,6 +480,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/{,zoneinfo-}icu/{,**} r, /usr/share/app-info/icons/{,**} r, /usr/share/backgrounds/{,**} r, + /usr/share/byobu/desktop/byobu* r, /usr/share/dconf/profile/gdm r, /usr/share/desktop-base/** r, /usr/share/desktop-directories/{,*.directory} r, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index e30f21cf..052722e5 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -68,12 +68,13 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/.local/share/applications/ w, + /var/lib/gdm{3,}/greeter-dconf-defaults r, + owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_share_dirs}/applications/ rw, - /var/lib/gdm{3,}/.config/dconf/user r, - /var/lib/gdm{3,}/greeter-dconf-defaults r, - owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index bff3469d..a4427736 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill 
@@ -88,6 +88,8 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/misc/rfkill/uevent r, + @{run}/udev/data/c10:[0-9]* r, # for non-serial mice, misc features + owner /dev/tty[0-9]* rw, /dev/rfkill rw, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 0e3e4dc9..463d8066 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -17,6 +17,7 @@ profile mutter-x11-frames @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index b9189f22..7543e238 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf @@ -17,16 +17,18 @@ profile gpgconf @{exec_path} { @{exec_path} mrix, + @{bin}/dirmngr rPx, + @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, @{bin}/gpg{,2} rPx, - @{bin}/gpg-agent rPx, - @{bin}/dirmngr rPx, @{bin}/gpgsm rPx, - @{lib}/gnupg/scdaemon rPx, - @{bin}/pinentry-* rPx, + @{bin}/scdaemon rPx, + @{lib}/gnupg/scdaemon rPx, + @{lib}/keyboxd rPUx, /etc/gcrypt/hwf.deny r, + /etc/gnupg/gpgconf.conf r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{run}/user/@{uid}/gnupg/ w, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index ba240045..8fc043ee 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index bc02b550..a96406ec 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch 
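Review bot: `@{lib}/keyboxd rPUx,` is the only exec transition in the gpgconf hunk that falls back to unconfined execution when no matching profile is loaded; every sibling gnupg helper added or kept here (`@{bin}/dirmngr`, `@{bin}/gpg-agent`, `@{bin}/scdaemon`, `@{lib}/gnupg/scdaemon`) uses `rPx`, which fails closed. If a keyboxd profile is intended, `@{lib}/keyboxd rPx,` keeps one policy for the whole gnupg stack; if the unconfined fallback is deliberate, a one-line comment on that rule saying why would help the next reviewer. The hunk also drops `@{bin}/pinentry-* rPx,` without explanation; if pinentry is now only reached through gpg-agent, saying so in a comment makes the removal visibly intentional. The gpgconf profile body continues outside the hunk.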
@@ -12,7 +12,19 @@ profile ssh-agent-launch @{exec_path} { @{exec_path} mr, - @{bin}/{,z,ba,da}sh rix, + @{bin}/{,z,ba,da}sh rix, + @{bin}/dbus-update-activation-environment rCx -> dbus, + @{bin}/grep rix, + @{bin}/ssh-agent rPx, + + profile dbus { + include + + + @{bin}/dbus-update-activation-environment mr, + + include if exists + } include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 2d4e48be..56e527d1 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -27,15 +27,14 @@ profile systemd-backlight @{exec_path} { @{sys}/class/ r, @{sys}/class/backlight/ r, + @{sys}/devices/pci[0-9]*/*:[0-9]*.[0-9]*/**/ r, @{sys}/devices/pci[0-9]*/**/backlight/**/{max_brightness,actual_brightness} r, @{sys}/devices/pci[0-9]*/**/backlight/**/{uevent,type} r, @{sys}/devices/pci[0-9]*/**/backlight/**/brightness rw, @{sys}/devices/pci[0-9]*/**/class r, - @{sys}/devices/pci[0-9]*/**/drm/**/ r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{max_brightness,actual_brightness} r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type} r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/brightness rw, - @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/ r, @{sys}/devices/pci[0-9]*/**/uevent r, @{sys}/devices/platform/**/leds/*backlight*/brightness rw, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 97829c88..5a23844a 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -46,6 +46,8 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /tmp/{,**} rwk, /usr/{,**} rw, /var/{,**} rwk, + @{sys}/kernel/security/ r, + @{sys}/kernel/security/{,**} rw, @{sys}/devices/system/cpu/microcode/reload w, 
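Review bot: The new `dbus` child profile in ssh-agent-launch contains no `dbus` or `unix` rule of its own, so whatever `dbus-update-activation-environment` needs to reach the session bus must come from the included abstraction, whose target is not visible in this rendering; a pass in complain mode would confirm that the bus call is not denied before the child profile is enforced. The closing `}` is still followed by `\ No newline at end of file` on the new side; ending the file with a newline while it is being edited avoids that marker in every later diff. The enclosing profile starts outside the hunk.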
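Review bot: In systemd-backlight, `@{sys}/devices/pci[0-9]*/*:[0-9]*.[0-9]*/**/ r,` replaces two narrow directory-listing rules (`**/drm/**/` and `**/i2c-[0-9]*/`) with one that matches every directory at any depth below a PCI function, so the listing scope widens rather than moves. It is read-only and limited to directories by the trailing `/`, so the exposure is small, but a short comment naming the sysfs walk that motivated the wider pattern (e.g. `# walks the device tree to locate the backlight parent`) would document why the two specific rules were not enough. The profile body continues outside the hunk.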
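Review bot: In systemd-tmpfiles, `@{sys}/kernel/security/{,**} rw,` grants write access to the whole securityfs tree, which on an AppArmor system includes the policy interface under `@{sys}/kernel/security/apparmor/`; that is far broader than a tmpfiles rule is likely to need, and it is worth narrowing to the specific entries systemd-tmpfiles actually creates or adjusts (the denials logged in complain mode will name them). The preceding `@{sys}/kernel/security/ r,` is redundant with it, since the empty alternative in `{,**}` already matches the directory itself with `rw`. The profile body continues outside the hunk.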
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index ca18e949..5d6dc4a9 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -52,6 +52,9 @@ profile check-new-release-gtk @{exec_path} { /var/lib/update-manager/{,**} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/gdm{3,}/.cache/update-manager-core/meta-release-lts rw, + /var/lib/gdm{3,}/.cache/update-manager-core/ rwk, + + /var/cache/apt/ rw, owner @{user_cache_dirs}/update-manager-core/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index b4fd9596..8827c23e 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -65,7 +65,7 @@ profile update-notifier @{exec_path} { /var/lib/snapd/desktop/icons/ r, /var/lib/update-notifier/user.d/ r, - owner @{user_config_dirs}update-notifier/ w, + owner @{user_config_dirs}/update-notifier/ w, owner @{user_share_dirs}/applications/ r, owner @{run}/user/@{uid}/at-spi/bus rw, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 948d4ff1..9662ff32 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
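Review bot: In check-new-release-gtk, `/var/cache/apt/ rw,` gives the process create and delete rights on the apt cache directory itself, which is more than enumerating it; no entry below the directory is named and the rule has no `owner` qualifier, so if listing is all that is needed, `/var/cache/apt/ r,` is the narrower form, and a complain-mode run will show whether write is actually exercised. The profile body continues outside the hunk.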
@@ -91,43 +92,8 @@ profile engrampa @{exec_path} { # For deb packages @{bin}/dpkg-deb rix, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, - @{bin}/xdg-open rCx -> open, - - owner @{user_config_dirs}/engrampa/ rw, - - / r, - /home/ r, - #owner @{HOME}/ r, - #owner @{HOME}/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - /tmp/ r, - owner /tmp/** rw, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/.fr-*/{,**} rw, - - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/mimeapps.list{,.*} rw, - - owner @{user_share_dirs}/ r, - - /usr/share/engrampa/{,**} r, - - /usr/share/**.desktop r, - - /etc/magic r, - - # gnome-tiny - @{run}/mount/utab r, - - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/mounts r, - - /etc/fstab r, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + @{bin}/xdg-open rPx -> child-open, # Allowed apps to open @{bin}/engrampa rPx, 
@@ -136,38 +102,40 @@ profile engrampa @{exec_path} { @{bin}/spacefm rPx, @{bin}/ristretto rPUx, + /usr/share/engrampa/{,**} r, + /usr/share/**.desktop r, + + /etc/magic r, + /etc/fstab r, + + / r, + /home/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/.fr-*/{,**} rw, + + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/engrampa/ rw, + owner @{user_config_dirs}/mimeapps.list{,.*} rw, + + owner @{user_share_dirs}/ r, + + /tmp/ r, + owner /tmp/** rw, + + @{run}/mount/utab r, + + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + # file_inherit owner /dev/tty[0-9]* rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - profile open { - include - include - - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - @{bin}/xdg-open mr, - - @{bin}/{,ba,da}sh rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/engrampa rPx, - @{bin}/geany rPx, - @{bin}/viewnior rPUx, - @{bin}/spacefm rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 41bc4c5c..78174cc2 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -11,15 +11,20 @@ profile gsettings @{exec_path} { include include + unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /var/lib/gdm/.config/dconf/user r, + /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/greeter-dconf-defaults r, /dev/tty[0-9]* rw, + owner @{run}/user/@{uid}/bus rw, + include if exists } \ No newline at end of file 
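Review bot: In gsettings, `unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),` constrains the peer only by abstract-socket address, so any process that binds a name matching `@/tmp/dbus-*` is an acceptable peer; other profiles in this commit pin their bus peer with `label=dbus-daemon` (see the dconf-service hunk), and `peer=(addr="@/tmp/dbus-*", label=dbus-daemon)` would do the same here. No `dbus send` rule appears in the hunk, so what gsettings may say on the bus presumably comes from the included abstractions, which is worth confirming in complain mode. The file still ends without a newline after the closing `}`, as the `\ No newline at end of file` marker shows.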
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index b4700a62..09667bf1 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -99,6 +99,7 @@ profile keepassxc @{exec_path} { /dev/shm/#[0-9]*[0-9] rw, /dev/tty rw, + /dev/urandom rw, owner /dev/tty[0-9]* rw, # Silencer