diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index a392507b..0066e5ee 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -137,6 +137,12 @@ owner @{cache_dirs}/{,**} rw,
+ owner @{user_config_dirs}/kcminputrc r,
+ owner @{user_config_dirs}/kdedefaults/kcminputrc r,
+ owner @{user_config_dirs}/kioslaverc r,
+ owner @{user_config_dirs}/menus/applications-merged/ r,
+ owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
+ # For importing data (bookmarks, cookies, etc) from Firefox
 # owner @{HOME}/.mozilla/firefox/profiles.ini r,
 # owner @{HOME}/.mozilla/firefox/*/ r,
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 4d065dce..543548f9 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -34,9 +34,6 @@ profile brave @{exec_path} {
 /etc/opt/chrome/native-messaging-hosts/* r,
 owner @{user_config_dirs}/BraveSoftware/ rw,
- owner @{user_config_dirs}/kioslaverc r,
- owner @{user_config_dirs}/menus/applications-merged/ r,
- owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
 owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw,
 owner @{cache_dirs}/BraveSoftware/ rw,
@@ -44,6 +41,7 @@ profile brave @{exec_path} {
 owner @{tmp}/net-export/ rw, # For brave://net-export/
 # Silencer
+ deny /etc/opt/ w,
 deny /etc/opt/chrome/ w,
 deny /dev/disk/by-uuid/ r,
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 878b8500..5797f27b 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
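Review bot: The five rules added to the shared chromium abstraction are KDE-specific (kcminputrc, kioslaverc, the XDG merged-menu files), yet unlike the Firefox import block directly below them they carry no comment saying what they serve, so every chromium-based profile now inherits them with no record of why. A one-line header above `owner @{user_config_dirs}/kcminputrc r,` such as `# KDE integration: input settings, KIO configuration and merged application menus` would keep the block self-explaining. The brave hunk below removes the same kioslaverc and menus rules, so the move is consistent; the genuinely new grants are the two kcminputrc reads, which are owner-only and read-only. The enclosing abstraction continues outside the hunk.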
@@ -87,6 +87,25 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/server-* rwk,
 owner @{tmp}/serverauth.* r,
+ @{run}/udev/data/+acpi:* r, # for acpi
+ @{run}/udev/data/+dmi* r, # for motherboard info
+ @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
+ @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
+ @{run}/udev/data/+i2c:* r,
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/+platform:* r, # for ?
+ @{run}/udev/data/+serio:* r, # for touchpad?
+ @{run}/udev/data/+sound:card@{int} r, # for sound card
+ @{run}/udev/data/+usb* r, # for USB mouse and keyboard
+
+ @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
+ @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
+ @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+ @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
+ @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
+ @{sys}/bus/ r,
 @{sys}/bus/pci/devices/ r,
 @{sys}/class/ r,
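Review bot: `@{run}/udev/data/+sound:card@{int} r, # for sound card` is the only rule in this relocated block that was not in the block removed below, and its comment names the path rather than why an X server reads sound-card udev data; if it came from a denial during libudev device enumeration, record that, e.g. `# for sound card (seen during libudev enumeration)` — I cannot confirm the trigger from the diff. The block also keeps `@{run}/udev/data/+dmi* r,` unanchored while the baloo and kwin_wayland hunks in this same commit use `+dmi:*`; `@{run}/udev/data/+dmi:* r,` would match them and stop covering any other `+dmi`-prefixed entry. The profile block continues outside the hunk.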
@@ -103,23 +122,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/platform/ r,
 @{sys}/module/i915/{,**} r,
- @{run}/udev/data/+acpi:* r, # for acpi
- @{run}/udev/data/+dmi* r, # for motherboard info
- @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
- @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
- @{run}/udev/data/+i2c:* r,
- @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r, # for ?
- @{run}/udev/data/+serio:* r, # for touchpad?
- @{run}/udev/data/+usb* r, # for USB mouse and keyboard
- @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
- @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
- @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
- @{run}/udev/data/c13:@{int} r, # for /dev/input/*
- @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
- @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
- @{PROC}/@{pids}/cmdline r,
 @{PROC}/cmdline r,
 @{PROC}/ioports r,
@@ -127,6 +129,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 /dev/fb@{int} rw,
 /dev/input/event@{int} rw,
+ /dev/input/mouse@{int} rw,
 /dev/shm/#@{int} rw,
 /dev/shm/shmfd-* rw,
 /dev/tty rw,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 3b5efe38..78034869 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -42,8 +42,33 @@ profile baloo @{exec_path} {
 owner @{user_share_dirs}/baloo/{,**} rwk,
+ @{run}/udev/data/+acpi:* r, # for acpi
+ @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+bluetooth:* r,
+ @{run}/udev/data/+dmi:* r, # For motherboard info
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+power_supply* r,
+ @{run}/udev/data/+rfkill:* r,
+ @{run}/udev/data/+sound:card@{int} r, # for sound card
+
+ @{run}/udev/data/c1:@{int} r, # For RAM disk
+ @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
+ @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
+ @{run}/udev/data/c13:@{int} r, # For /dev/input/*
+ @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
+ @{run}/udev/data/c89:@{int} r, # For I2C bus interface
+ @{run}/udev/data/c116:@{int} r, # For ALSA
+ @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{sys}/bus/ r,
 @{sys}/bus/*/devices/ r,
+ @{sys}/class/*/ r,
+ @{sys}/devices/**/uevent r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner
index 1b5d7949..7faa752d 100644
--- a/apparmor.d/groups/kde/baloorunner
+++ b/apparmor.d/groups/kde/baloorunner
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner
 profile baloorunner @{exec_path} {
 include
+ include
 include
 include
 include
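Review bot: The new block gives a file indexer read access to the udev database for backlights, bluetooth, rfkill, power supplies and LEDs, to the whole dynamic char-major range via `@{run}/udev/data/c@{dynamic}:@{int} r,`, and to `@{sys}/class/*/ r,` plus `@{sys}/devices/**/uevent r,`, without a comment on what in baloo enumerates hardware. Every rule is a read of non-secret data, so the exposure is essentially hardware fingerprinting, but a near-identical udev block now lives in xorg above and in kwin_wayland below; a shared abstraction, or at least a header comment naming the trigger (presumably device enumeration for removable media — to be confirmed from the denial that prompted it), would keep the three copies from drifting apart. The trailing comments also alternate between `# for ...` and `# For ...`; one form throughout would be tidier. The profile block continues outside the hunk.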
@@ -20,6 +21,11 @@ profile baloorunner @{exec_path} {
 /etc/xdg/baloofilerc r,
+ # Allow to search user files
+ owner @{HOME}/{,**} r,
+ owner @{MOUNTS}/{,**} r,
+ owner @{tmp}/*/{,**} r,
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_config_dirs}/baloofilerc r,
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index a37fea7a..b745dea6 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -59,6 +59,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 @{sys}/devices/ r,
 @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r,
 @{sys}/devices/@{pci}/card@{int}/*/dpms r,
+ @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r,
 @{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet
index bd1666a0..0be47a75 100644
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@@ -73,7 +73,9 @@ profile kscreenlocker_greet @{exec_path} {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/kscreenlocker_greet/ w,
 owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk,
- owner @{user_cache_dirs}/ksvg-elements r,
+ owner @{user_cache_dirs}/ksvg-elements rw,
+ owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
+ owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
 owner @{user_cache_dirs}/plasma-svgelements rw,
 owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index f768cad0..65bf9036 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
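Review bot: `owner @{HOME}/{,**} r,` and `owner @{MOUNTS}/{,**} r,` let the KRunner helper read every file the user owns, dotfiles with key material and credential stores included, which is far more than presenting hits from the index should need; the indexer's own exclusion list does not protect here because this grant is on the runner, not on baloo. Check whether the denial behind this was for file content or only for directory traversal of result paths, and if content really is needed, carve out the sensitive trees first, e.g. `deny owner @{HOME}/.ssh/{,**} r,` and `deny owner @{HOME}/.gnupg/{,**} r,` (deny wins over allow in AppArmor, so these can sit next to the broad rule). `owner @{tmp}/*/{,**} r,` is likewise unexplained and its one-level wildcard reads like a specific directory that was generalised; a comment naming what it matches would help. The profile block continues outside the hunk.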
@@ -56,6 +56,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
 owner @{user_config_dirs}/ksmserverrc.lock rwk,
 owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/menus/applications-merged/ r,
 owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
 owner @{user_share_dirs}/kservices{5,6}/ r,
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 95abaa2a..c5451f4a 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -89,6 +89,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_config_dirs}/kdedefaults/* r,
 owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
 owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/khotkeysrc r,
 owner @{user_config_dirs}/klaunchrc r,
 owner @{user_config_dirs}/kscreenlockerrc r,
 owner @{user_config_dirs}/kwinoutputconfig.json rw,
@@ -110,6 +111,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 @{sys}/class/drm/ r,
 @{sys}/class/input/ r,
 @{sys}/devices/**/uevent r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{run}/udev/data/+acpi:* r, # for ACPI
 @{run}/udev/data/+dmi:* r, # for motherboard info
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 06a81602..825a28ba 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -151,6 +151,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/plasma* rwlk,
 owner @{user_config_dirs}/trashrc r,
+ owner @{user_share_dirs}/*/sessions/ r,
 owner @{user_share_dirs}/#@{int} rw,
 owner @{user_share_dirs}/akonadi/search_db/{,**} r,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
@@ -174,6 +175,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_share_dirs}/user-places.xbel{,*} rwl,
 owner @{user_share_dirs}/wallpapers/{,**} rw,
+ owner @{user_state_dirs}/#@{int} rw,
+ owner @{user_state_dirs}/plasmashellstaterc rw,
+ owner @{user_state_dirs}/plasmashellstaterc.lock rwk,
+ owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl,
+ /tmp/.mount_nextcl@{rand6}/{,*} r,
 owner @{tmp}/#@{int} rw,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index 4872716f..441f2db2 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -29,12 +29,13 @@ profile sddm-greeter @{exec_path} {
 @{lib}/libheif/*.so* rm,
 /usr/share/desktop-base/*-theme/login/*.svg r,
+ /usr/share/endeavouros/backgrounds/** r,
+ /usr/share/hunspell/** r,
 /usr/share/plasma/desktoptheme/** r,
 /usr/share/sddm/{,**} r,
+ /usr/share/wallpapers/{,**} r,
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xsessions/{,*.desktop} r,
- /usr/share/wallpapers/{,**} r,
- /usr/share/hunspell/** r,
 /etc/fstab r,
 /etc/os-release r,
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 14d73b35..b59c668b 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
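Review bot: `owner @{user_share_dirs}/*/sessions/ r,` matches the `sessions/` directory of every application under the user's data dir, which is broader than the single-application paths around it; if one application produced the denial, naming it keeps the rule reviewable, e.g. `owner @{user_share_dirs}/APPNAME/sessions/ r,` with APPNAME as a placeholder for the real directory, otherwise a trailing comment explaining why the wildcard is needed would do. The exposure is small since the rule is `r` on the directory itself with no `**`, so only the listing is readable. The profile block continues outside the hunk.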
@@ -21,12 +21,13 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
 capability syslog,
 network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
 network inet raw,
+ network inet stream,
+ network inet6 dgram,
 network inet6 raw,
+ network inet6 stream,
 network netlink raw,
+ network packet dgram,
 ptrace (read),
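Review bot: `network packet dgram,` is the only new grant in this hunk (the other lines are a reordering) and it is the widest one in the list: AF_PACKET sockets give the daemon link-layer access on every interface, not just its own tunnel, so it deserves the kind of trailing comment this commit uses elsewhere, e.g. `network packet dgram, # for FEATURE` with FEATURE replaced by whatever the denial log showed. A network rule in this syntax cannot be scoped to one interface, so that comment is the only record a later reviewer gets of why the daemon needs it. The profile block continues outside the hunk.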