From b532dd6827212d68aff1b2ec7f69ce5e6eaddf2b Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 21 Feb 2024 23:52:26 +0100 Subject: [PATCH] Update various profiles 
Signed-off-by: Jeroen Rijken --- .../abstractions/bus/fi.w1.wpa_supplicant1 | 31 +++++++++ apparmor.d/abstractions/bus/org.bluez | 20 ++++++ .../bus/org.freedesktop.NetworkManager | 5 ++ .../bus/org.freedesktop.PolicyKit1 | 12 +++- .../abstractions/bus/org.freedesktop.UPower | 12 +++- .../abstractions/bus/org.freedesktop.login1 | 2 +- .../bus/org.freedesktop.login1.Session | 12 +++- apparmor.d/abstractions/chromium | 23 ++++++- apparmor.d/abstractions/systemd-common | 7 ++ apparmor.d/groups/browsers/brave | 5 ++ .../groups/browsers/brave-crashpad-handler | 4 ++ apparmor.d/groups/browsers/brave-wrapper | 2 +- apparmor.d/groups/bus/dbus-daemon | 1 + apparmor.d/groups/freedesktop/plymouth | 1 + apparmor.d/groups/freedesktop/pulseaudio | 27 ++++++++ .../groups/freedesktop/xdg-desktop-portal | 5 ++ apparmor.d/groups/freedesktop/xsetroot | 1 + apparmor.d/groups/kde/dolphin | 1 + apparmor.d/groups/kde/kcminit | 1 + apparmor.d/groups/kde/kded5 | 2 + apparmor.d/groups/kde/konsole | 5 +- apparmor.d/groups/kde/kscreenlocker-greet | 13 ++++ apparmor.d/groups/kde/ksmserver | 15 ++++- .../groups/kde/ksmserver-logout-greeter | 66 +++++++++++++++++++ apparmor.d/groups/kde/kwin_x11 | 2 +- .../kde/plasma-browser-integration-host | 15 ++++- apparmor.d/groups/kde/plasmashell | 5 ++ apparmor.d/groups/kde/sddm | 19 ++++++ apparmor.d/groups/kde/sddm-greeter | 5 ++ apparmor.d/groups/network/NetworkManager | 20 ++++++ apparmor.d/groups/network/nm-dispatcher | 45 ++++++++++++- apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/bluetoothd | 33 +++++++++- apparmor.d/profiles-a-f/boltd | 11 ++++ apparmor.d/profiles-a-f/firewalld | 21 ++++++ apparmor.d/profiles-a-f/flatpak | 1 + apparmor.d/profiles-a-f/frontend | 1 + apparmor.d/profiles-a-f/fusermount | 1 + apparmor.d/profiles-g-l/keepassxc | 1 + apparmor.d/profiles-s-z/sensors | 2 +- apparmor.d/profiles-s-z/thermald | 2 + apparmor.d/profiles-s-z/thunderbird | 10 ++- apparmor.d/profiles-s-z/thunderbird-vaapitest | 4 +- 
.../profiles-s-z/update-secureboot-policy | 6 +- apparmor.d/profiles-s-z/usbguard-daemon | 3 + apparmor.d/profiles-s-z/usbguard-dbus | 3 + apparmor.d/profiles-s-z/xinput | 1 + 47 files changed, 459 insertions(+), 26 deletions(-) create mode 100644 apparmor.d/groups/kde/ksmserver-logout-greeter diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index cea8e22f..4c13e555 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 @@ -7,4 +7,35 @@ member={GetAll,PropertiesChanged} peer=(name=:*, label=wpa-supplicant), + dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=fi.w1.wpa_supplicant1.Interface + member={Disconnect,RemoveNetwork,Scan} + peer=(name=:*, label=wpa-supplicant), + + dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=fi.w1.wpa_supplicant1.Interface.P2PDevice + member=Cancel + peer=(name=:*, label=wpa-supplicant), + + # Unconfined for now, don't know the label yet. + # dbus send bus=system path=/org/freedesktop + # interface=org.freedesktop.DBus.ObjectManager + # member=InterfacesRemoved + # peer=(name=:*, label=unconfined), + + dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=fi.w1.wpa_supplicant1.Interface + member={BSSAdded,BSSRemoved,NetworkRemoved,ScanDone,PropertiesChanged} + peer=(name=:*, label=wpa-supplicant), + + dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=wpa-supplicant), + + dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=wpa-supplicant), + include if exists diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index fcfb0d49..5838ee22 100644 
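Review bot: The new `member={Disconnect,RemoveNetwork,Scan}` send rule is placed in the shared fi.w1.wpa_supplicant1 abstraction, so every profile that includes it gains the ability to drop the active connection and delete configured networks, not only the client whose denial motivated the change. If one consumer needs them, keep `Disconnect` and `RemoveNetwork` in that profile (or in a separate, opt-in abstraction) and leave the read-mostly `Scan` here; at minimum a comment above the rule naming the consumer would let reviewers judge the scope. The commented-out ObjectManager block reads as an open question; marking it `# TODO: find the label of the InterfacesRemoved sender` would make it easier to revisit.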
--- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -2,9 +2,29 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=:*, label=bluetoothd), + dbus receive bus=system path=/org/bluez/hci@{int}{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=:*, label=bluetoothd), + dbus send bus=system path=/org/bluez + interface=org.bluez.ProfileManager@{int} + member=RegisterProfile + peer=(name=org.bluez, label=bluetoothd), + + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.bluez.BatteryProviderManager@{int} + member=RegisterProfile + peer=(name=org.bluez, label=bluetoothd), + + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.bluez.Media@{int} + member=RegisterApplication + peer=(name=org.bluez, label=bluetoothd), + include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 2151eebc..0a8d57be 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -37,6 +37,11 @@ member=GetAll peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index a258ca1d..6f05ae68 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 
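Review bot: The added send rule on `interface=org.bluez.BatteryProviderManager@{int}` uses `member=RegisterProfile`, which as far as I recall is a method of `org.bluez.ProfileManager1`, not of BatteryProviderManager1 (whose methods are RegisterBatteryProvider/UnregisterBatteryProvider). As written the rule cannot match a real call, so the registration it was meant to allow would still be denied; the line should probably be `member=RegisterBatteryProvider`. Worth checking against the original denial before merging.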
@@ -2,6 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=:*, label=polkitd), + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll @@ -11,6 +16,7 @@ interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization @@ -20,9 +26,9 @@ member=CheckAuthorization peer=(name=org.freedesktop.PolicyKit1), - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=Changed + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Introspectable + member=Introspect peer=(name=:*, label=polkitd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 2bd80c9a..99ce9953 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower 
@@ -12,11 +12,21 @@ member=GetAll peer=(name=:*, label=upowerd), - dbus send bus=system path=/org/freedesktop/UPower/devices/DisplayDevice + dbus send bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.DBus.Properties + member={Get,GetDisplayDevice} + peer=(name=org.freedesktop.UPower, label=upowerd), + + dbus send bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name=:*, label=upowerd), + dbus send bus=system path=/org/freedesktop/UPower/devices/* + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=upowerd), + dbus receive bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index dc93769d..8c0d80e4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -14,7 +14,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member=Inhibit + member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend} peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 24cb2502..6541fb80 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session 
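Review bot: The new rule `dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member={Get,GetDisplayDevice}` mixes two interfaces: `GetDisplayDevice` is a method of `org.freedesktop.UPower`, not of `org.freedesktop.DBus.Properties`, so that half of the alternation never matches and the call stays denied. Split it into one rule with `interface=org.freedesktop.DBus.Properties member=Get` and one with `interface=org.freedesktop.UPower member=GetDisplayDevice`, both keeping `peer=(name=org.freedesktop.UPower, label=upowerd)`.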
@@ -7,9 +7,14 @@ member=GetSession peer=(name=:*, label=systemd-logind), + dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.DBus.Properties - member=GetAll + member={Get,GetAll} peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* @@ -17,6 +22,11 @@ member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + dbus send bus=system path=/org/freedesktop/login1/seat/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index 2a7af7f8..0695c727 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium @@ -13,11 +13,15 @@ # @{cache_dirs} = @{user_cache_dirs}/chromium include + include + include + include include include include include include + include include include include @@ -51,6 +55,11 @@ network inet6 stream, network netlink raw, + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=org.bluez, label=bluetoothd), + @{lib_dirs}/{,**} r, @{lib_dirs}/*.so* mr, @{lib_dirs}/chrome_crashpad_handler rPx, 
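Review bot: The new Introspect rule's path `/org/freedesktop/login1{,session/*,seat/*}` is missing the slash before the alternatives, so it expands to `/org/freedesktop/login1session/*` and `/org/freedesktop/login1seat/*`, which never match; sessions and seats will still be denied Introspect. It should read `dbus send bus=system path=/org/freedesktop/login1{,/session/*,/seat/*}`, consistent with the `/org/freedesktop/login1/session/*` form used by the other rules in this file.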
@@ -93,16 +102,19 @@ /usr/share/hwdata/pnp.ids r, /usr/share/mozilla/extensions/{,**} r, /usr/share/qt{5,}/translations/*.qm r, + /usr/share/uim/* r, /usr/share/webext/{,**} r, /etc/@{name}/{,**} r, /etc/fstab r, - /etc/igfx_user_feature{,_next}.txt w, + /etc/igfx_user_feature{,_next}.txt rw, /etc/opensc.conf r, /var/lib/dbus/machine-id r, /etc/machine-id r, + /var/lib/uim/* r, + owner @{HOME}/ r, owner @{HOME}/.pki/ rw, @@ -110,9 +122,13 @@ owner @{HOME}/.pki/nssdb/pkcs11.txt rw, owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{HOME}/.uim.d/customs/* r, + owner @{HOME}/.XCompose r, owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/.@{domain}.* rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -145,6 +161,10 @@ audit @{run}/udev/data/* r, + owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, + owner @{run}/user/@{uid}/uim/socket/uim-helper rw, + @{sys}/bus/ r, @{sys}/bus/**/devices/ r, @{sys}/class/**/ r, @@ -154,6 +174,7 @@ @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/kernel_max r, @{sys}/devices/virtual/**/report_descriptor r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common index 1de28a91..e459c1b9 100644 --- a/apparmor.d/abstractions/systemd-common +++ b/apparmor.d/abstractions/systemd-common 
@@ -3,8 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + capability sys_ptrace, + ptrace (read) peer=@{systemd}, + owner @{lib}/systemd/{,systemd} r, + + owner @{run}/systemd/system/ r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, @@ -14,6 +20,7 @@ @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/filesystems r, owner @{PROC}/@{pid}/stat r, /dev/kmsg w, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index cf75b61c..a45b53b1 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -18,6 +18,8 @@ profile brave @{exec_path} { include include + unix (send, receive) type=stream peer=brave-crashpad-handler, + @{exec_path} mrix, @{bin}/man rPUx, # For "brave --help" @@ -25,8 +27,10 @@ profile brave @{exec_path} { /usr/share/chromium/extensions/ r, /etc/opt/chrome/ r, + /etc/opt/chrome/native-messaging-hosts/* r, owner @{user_config_dirs}/BraveSoftware/ rw, + owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, @@ -42,6 +46,7 @@ profile brave @{exec_path} { # Silencer deny /etc/opt/chrome/ w, + deny /dev/disk/by-uuid/ r, include if exists } diff --git a/apparmor.d/groups/browsers/brave-crashpad-handler b/apparmor.d/groups/browsers/brave-crashpad-handler index 256a90c3..120fa9fd 100644 --- a/apparmor.d/groups/browsers/brave-crashpad-handler +++ b/apparmor.d/groups/browsers/brave-crashpad-handler 
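Review bot: `capability sys_ptrace,` is added to the shared systemd-common abstraction, so it is granted to every profile that includes this file, far more widely than the peer-scoped `ptrace (read) peer=@{systemd},` next to it suggests. A capability rule is not limited by the ptrace peer, and CAP_SYS_PTRACE is one of the more consequential capabilities to hand out by default; that is a large blast-radius change for an abstraction. If only a few profiles need to read systemd's process information, move both lines into those profiles, or at minimum put a comment above them stating which denial they resolve so the scope can be judged.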
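Review bot: In the brave hunk, `unix (send, receive) type=stream peer=brave-crashpad-handler,` uses the bare `peer=<name>` form, which as far as I can tell the unix rule grammar does not accept (ptrace and signal rules take it, unix rules expect `peer=(label=...)`). The counterpart added to brave-crashpad-handler in this same patch is written `peer=(label=brave)`, so for symmetry and to parse this line should be `unix (send, receive) type=stream peer=(label=brave-crashpad-handler),`. The brave profile body continues outside the hunk.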
@@ -16,11 +16,15 @@ profile brave-crashpad-handler @{exec_path} { capability sys_ptrace, + unix (send, receive) type=stream peer=(label=brave), + ptrace peer=brave, signal (send) peer=brave, @{exec_path} mrix, + owner @{user_config_dirs}/BraveSoftware/Brave-Browser/CrashpadMetrics-active.pma rw, + owner @{user_config_dirs}/BraveSoftware/Brave-Browser/CrashpadMetrics.pma rw, owner "@{config_dirs}/Crash Reports/**" rwk, @{PROC}/sys/kernel/yama/ptrace_scope r, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index 69faa298..9e3fbc25 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -27,7 +27,7 @@ profile brave-wrapper @{exec_path} { @{lib_dirs}/brave rPx, - owner @{PROC}/@{pid}/fd/ w, + owner @{PROC}/@{pid}/fd/@{int} w, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 99fbc90e..b82ab83f 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -51,6 +51,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235 @{lib}/@{multiarch}/tumbler-1/tumblerd rPUx, @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx, + @{lib}/@{multiarch}/libexec/ksmserver-logout-greeter rPx, @{lib}/* rPUx, @{lib}/atril/atrild rPx, @{lib}/dbus-1*/dbus-daemon-launch-helper rPx, diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index d844eede..c8271e03 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -10,6 +10,7 @@ include profile plymouth @{exec_path} { include include + include include unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"), diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 897b34b9..e0e456aa 100644 
--- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -50,11 +50,37 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=:*, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=ItemRemove + peer=(name=:*, label=avahi-daemon), + dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member={Found,Free} + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + + # No label in rule + dbus send bus=system path=/org/freedesktop/RealtimeKit@{int} + interface=org.freedesktop.RealtimeKit@{int} + member=MakeThreadHighPriority + peer=(name=org.freedesktop.RealtimeKit@{int}), + @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, @@ -104,6 +130,7 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, + @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index b6303dbc..562d1eae 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal 
@@ -34,6 +34,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { member=MakeThread* peer=(name=:*), + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions + peer=(name=:*, label=NetworkManager), + # dbus: own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor dbus send bus=session path=/org/freedesktop/portal/documents diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 621efed6..34490cc9 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 6a54f243..c6961cd4 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -29,6 +29,7 @@ profile dolphin @{exec_path} { @{bin}/ldd rix, @{lib}/kf5/kioslave5 rPx, @{lib}/@{multiarch}/kf5/kioslave5 rPx, + @{lib}/@{multiarch}/libexec/kf5/kioslave5 rPx, /usr/share/kf5/kmoretools/{,**} r, /usr/share/kio/{,**} r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index ed8a558f..0adbdcbc 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kcminit profile kcminit @{exec_path} { include + include include include diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index fd3d1a81..32ccbdd0 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 
@@ -121,6 +121,7 @@ profile kded5 @{exec_path} { owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/plasma-nm r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/xsettingsd/{,**} rw, @@ -147,6 +148,7 @@ profile kded5 @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/fd/info/@{int} r, @{PROC}/sys/fs/inotify/max_user_{instances,watches} r, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 76ce0cb5..677b8105 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -22,8 +22,9 @@ profile konsole @{exec_path} flags=(attach_disconnected) { signal (send) set=(hup), - @{exec_path} mr, - @{bin}/@{shells} rUx, + @{exec_path} mr, + @{bin}/@{shells} rUx, + @{browsers_path} rPx, @{lib}/@{multiarch}/utempter/utempter rPUx, /usr/share/color-schemes/{,**} r, diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet index 54ad413b..c829be47 100644 --- a/apparmor.d/groups/kde/kscreenlocker-greet +++ b/apparmor.d/groups/kde/kscreenlocker-greet @@ -11,6 +11,10 @@ include @{exec_path} += @{lib}/@{multiarch}/libexec/kscreenlocker_greet profile kscreenlocker-greet @{exec_path} { include + include + include + include + include include include include 
@@ -25,6 +29,13 @@ profile kscreenlocker-greet @{exec_path} { signal (receive) set=(usr1, term) peer=ksmserver, signal (receive) set=(term) peer=kwin_wayland, + unix (send,receive) type=stream peer=(label="ksmserver",addr=none), + + dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=sddm), + @{exec_path} mr, @{lib}/libheif/ r, @@ -57,6 +68,7 @@ profile kscreenlocker-greet @{exec_path} { owner @{HOME}/.face.icon r, owner @{HOME}/.xsession-errors w, + owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -85,6 +97,7 @@ profile kscreenlocker-greet @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 395839be..42ed8214 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -9,13 +9,16 @@ include @{exec_path} = @{bin}/ksmserver profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include include include signal (send) set=(usr1,term) peer=kscreenlocker-greet, - + + unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none), + @{exec_path} mr, @{bin}/rm rix, 
@@ -32,27 +35,33 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/color-schemes/{,**} r, /usr/share/knotifications5/*.notifyrc r, /usr/share/kservices5/{,**} r, + /usr/share/kservicetypes5/{,**} r, /etc/xdg/menus/applications-merged/ r, /etc/machine-id r, /etc/xdg/kscreenlockerrc r, /etc/xdg/menus/ r, + /var/lib/flatpak/exports/share/mime/ r, + owner @{HOME}/@{rand6} rw, owner @{HOME}/.Xauthority rw, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca5_* rl, + owner @{user_cache_dirs}/ksycoca5_* rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/ksmserverrc r, + owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, owner @{user_config_dirs}/menus/ r, + owner @{user_share_dirs}/kservices5/ r, + owner @{user_share_dirs}/kservices5/ServiceMenus/ r, + owner /tmp/@{rand6} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter new file mode 100644 index 00000000..3c53dd17 --- /dev/null +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter 
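Review bot: `owner @{HOME}/@{rand6} rw,` and `owner /tmp/@{rand6} rw,` in the ksmserver hunk match any six-character alphanumeric file name directly under the home directory or /tmp, which is presumably much wider than the single temporary file that triggered the denial, and nothing records where these files come from. A one-line comment above each naming the operation that creates them would let a later reviewer decide whether a narrower pattern, like the `ksmserverrc.@{rand6}` form already used a few lines below, is possible. The ksmserver profile body continues outside the hunk.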
@@ -0,0 +1,66 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/@{multiarch}/libexec/ksmserver-logout-greeter +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + owner @{HOME}/ r, + + / r, + /etc/machine-id r, + /etc/timezone r, + + /usr/share/plasma/desktoptheme/** r, + /usr/share/plasma/look-and-feel/** r, + /var/lib/AccountsService/icons/ r, + /var/lib/flatpak/exports/share/icons/{,**} r, + /var/lib/flatpak/exports/share/mime/generic-icons r, + + @{lib}/os-release r, + + owner @{user_cache_dirs}/ r, + owner @{user_cache_dirs}/#@{int} rwlk, + owner @{user_cache_dirs}/kcrash-metadata/ r, + owner @{user_cache_dirs}/ksmserver-logout-greeter/qmlcache/{,*} r, + owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements r, + owner @{user_cache_dirs}/plasma-svgelements.@{rand6} l -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/plasma-svgelements.lock rwk, + + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, + owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/ksmserverrc r, + owner @{user_config_dirs}/plasmarc r, + + owner @{user_share_dirs}/icons/{**,} r, + owner @{user_share_dirs}/mime/generic-icons r, + + owner @{PROC}/@{pid}/exe r, + owner @{PROC}/@{pid}/status r, + owner @{run}/user/@{uid}/ r, + + @{PROC}/sys/dev/i915/perf_stream_paranoid r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index b3b6becd..d6d5e5bf 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 
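Review bot: The new profile pins a theme name and release in `owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw,`, so the rule silently stops matching on the next Plasma update or for any other theme and the cache write is denied again. `owner @{user_cache_dirs}/plasma_theme_*.kcache rw,` keeps the same intent without tying the profile to one version; if the narrow form is deliberate, a comment saying so would save the next person the question.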
@@ -53,7 +53,7 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_config_dirs}/plasmarc r, - + owner @{user_config_dirs}/session/#@{int} rw, owner /tmp/#@{int} rw, owner /tmp/kwin.@{rand6} rwl, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index 66358ec5..d1614a60 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/plasma-browser-integration-host profile plasma-browser-integration-host @{exec_path} { include + include + include include include include @@ -19,17 +21,26 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, + /etc/xdg/menus/applications-merged/ r, + /usr/share/kservices5/{,**} r, /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_cache_dirs}/ksycoca5_* r, + /var/lib/flatpak/exports/share/mime/ r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca5_* r, + + owner @{user_config_dirs}/menus/ r, + + owner @{user_share_dirs}/kservices5/ r, + owner @{user_share_dirs}/kservices5/ServiceMenus/ r, @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/stat r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 34623a92..f7960c9d 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -13,6 +13,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include include 
@@ -36,6 +37,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { ptrace (read) peer=akonadi*, ptrace (read) peer=kalendarac, ptrace (read) peer=kded5, + ptrace (read) peer=ksmserver-logout-greeter, ptrace (read) peer=kwin_x11, ptrace (read) peer=libreoffice*, ptrace (read) peer=pinentry-qt, @@ -85,6 +87,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{HOME}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, + owner @{user_pictures_dirs}/{,**} r, owner @{user_templates_dirs}/ r, @@ -127,6 +130,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/plasma* rwlk, owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/cookie rwk, @@ -152,6 +156,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/user-places.xbel{,*} rwl -> @{user_share_dirs}/#@{int}, owner /tmp/#@{int} rw, + /tmp/.mount_nextcl@{rand6}/{,*} r, @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 4d0bbb45..23419960 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -12,6 +12,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include + include + include include include include 
@@ -42,6 +46,21 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=sddm-greeter, signal (send) set=(kill, term) peer=xorg, + dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=kscreenlocker-greet), + + dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), + @{exec_path} mr, @{lib}/@{multiarch}/sddm/sddm-helper rix, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index d29287d3..4560d6ae 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -10,6 +10,10 @@ include @{exec_path} = @{bin}/sddm-greeter profile sddm-greeter @{exec_path} { include + include + include + include + include include include include @@ -60,6 +64,7 @@ profile sddm-greeter @{exec_path} { owner @{HOME}/.glvnd* mrw, owner /tmp/runtime-sddm/ rw, + owner /tmp/sddm-:@{int}-@{rand6} rw, owner @{run}/sddm/{,*} rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 2ffe3a0c..6d1fec3f 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
@@ -50,6 +50,26 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member=GetManagedObjects peer=(name=:*), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=:*, label=bluetoothd), + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=bluetoothd), + + dbus send bus=system path=/org/fedoraproject/FirewallD1 + interface=org.fedoraproject.FirewallD1.zone + member={changeZoneOfInterface,removeInterface} + peer=(name=org.freedesktop.DBus, label=firewalld), + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=org.freedesktop.DBus, label=nm-online), + dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 2cbea227..249c96fe 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -26,11 +26,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/basename rix, + @{bin}/cat rix, @{bin}/chronyc rPUx, @{bin}/date rix, @{bin}/gawk rix, @{bin}/grep rix, @{bin}/id rix, + @{bin}/invoke-rc.d rCx -> invoke-rc, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @@ -39,7 +41,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{bin}/systemctl rix, + @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-cat rPx, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, 
@@ -48,6 +50,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{lib}/NetworkManager/dispatcher.d/** rix, /etc/NetworkManager/dispatcher.d/ r, /etc/NetworkManager/dispatcher.d/** rix, + /etc/dhcp/dhclient-exit-hooks.d/ntp r, /usr/share/tlp/{,**} rw, @@ -57,6 +60,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify rw, @{run}/tlp/{,*} rw, @{run}/chrony-dhcp/ rw, + @{run}/ntp.conf.dhcp rw, @{sys}/class/net/ r, @@ -64,6 +68,45 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + profile systemctl { + include + include + + @{bin}/systemctl mr, + + / r, + + @{etc_ro}/ r, + @{etc_ro}/systemd/ r, + @{etc_ro}/systemd/system/ r, + @{etc_ro}/systemd/system/ntp.service r, + + owner @{run}/systemd/private rw, + @{run}/utmp k, + + /dev r, + + include if exists + } + + profile invoke-rc { + include + + @{sh_path} rix, + @{bin}/ls rix, + @{bin}/systemctl rCx -> systemctl, + + / r, + + /etc/ r, + @{etc_ro}/rc{[0-9],S}.d/{,*} r, + @{etc_ro}/init.d/ntp r, + + owner @{PROC}/filesystems r, + + include if exists + } + profile run-parts { include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 02161ed3..e628ab1e 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -178,6 +178,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c89:@{int} r, # ? @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c108:@{int} r, # For /dev/ppp diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index b98b4bc2..8b51d762 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd 
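Review bot: In the new `invoke-rc` child profile, `@{bin}/systemctl rCx -> systemctl` requests a child profile embedded in `invoke-rc`, but the `systemctl` child defined just above is a child of `nm-dispatcher`; unless the parser resolves `Cx` targets against the top-level profile, the transition will not find it, so please confirm the policy loads and that systemctl launched via invoke-rc.d lands in the intended profile (duplicating the child inside `invoke-rc` would make it unambiguous). The `systemctl` child also grants `owner @{run}/systemd/private rw`, the control socket of PID 1; a one-line comment naming the unit action the dispatcher script performs would help a later reviewer keep that grant scoped. profile nm-dispatcher continues outside the hunk.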
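Review bot: The new `@{run}/udev/data/c89:@{int} r, # ?` leaves the char major undocumented while every neighbouring line states its device class; major 89 is the I2C bus interface, so the comment can read `# For I2C /dev/i2c-*`. profile libvirtd continues outside the hunk.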
@@ -11,6 +11,7 @@ include profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include + include # Needed for configuring HCI interfaces capability net_admin, @@ -24,6 +25,31 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { # dbus: own bus=system name=org.bluez + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label={brave,NetworkManager,pulseaudio,upowerd}), + + dbus send bus=system path=/MediaEndpoint + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=pulseaudio), + + dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/* + interface=org.bluez.MediaEndpoint1 + member=Release + peer=(name=:*, label=pulseaudio), + + dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile} + interface=org.bluez.MediaEndpoint1 + member=Release + peer=(name=:*, label=pulseaudio), + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=org.freedesktop.DBus, label={fwupd,NetworkManager,pulseaudio,upowerd), + @{exec_path} mr, @{lib}/@{multiarch}/bluetooth/plugins/*.so mr, @@ -32,11 +58,12 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { /var/lib/bluetooth/{,**} rw, - @{run}/sdp rw, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/sdp rw, + owner @{run}/systemd/notify w, + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{sys}/devices/@{pci}/rfkill@{int}/name r, - @{sys}/devices/@{pci}/bluetooth/**/{uevent,name} r, + @{sys}/devices/@{pci}/**/{uevent,name} r, @{sys}/devices/platform/**/rfkill/**/name r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 58ab646a..8bc010bc 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd 
@@ -19,6 +19,15 @@ profile boltd @{exec_path} flags=(attach_disconnected) { # dbus: own bus=system name=org.freedesktop.bolt + dbus receive bus=system path=/org/freedesktop/bolt + interface=org.freedesktop.bolt1.Manager + member=ListDevices + peer(name=:*, label=kded5), + + dbus (send,receive) bus=system path=/org/freedesktop/bolt{,/**} + interface=org.freedesktop.DBus.Properties + member=Get, + @{exec_path} mr, /var/lib/boltd/{,**} rw, @@ -34,10 +43,12 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/wmi/devices/ r, @{sys}/class/ r, @{sys}/devices/@{pci}/device r, + @{sys}/devices/@{pci}/domain[0-9]*/boot_acl rw, @{sys}/devices/@{pci}/domain@{int}/{security,uevent} r, @{sys}/devices/@{pci}/domain@{int}/**/ r, @{sys}/devices/@{pci}/domain@{int}/**/{authorized,generation} r, @{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r, + @{sys}/devices/@{pci}/domain@{int}/**/{boot,rx_lanes,rx_speed,tx_lanes,tx_speed} r, @{sys}/devices/@{pci}/domain@{int}/**/{vendor,device}_name r, @{sys}/devices/@{pci}/domain@{int}/iommu_dma_protection r, @{sys}/devices/platform/**/uevent r, diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index cb9596dc..5e820626 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -9,6 +9,10 @@ include @{exec_path} = @{bin}/firewalld profile firewalld @{exec_path} { include + include + include + include + include include include 
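Review bot: The added `ListDevices` receive rule is missing the `=` in its peer conditional: `peer(name=:*, label=kded5),` should be `peer=(name=:*, label=kded5),`, otherwise the profile will not parse. The following `dbus (send,receive) ... member=Get` rule carries no `peer=` at all, unlike the other dbus rules in this profile; if the callers are known, restricting it to them keeps the rule consistent with its neighbours. profile boltd continues outside the hunk.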
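Review bot: `@{sys}/devices/@{pci}/domain[0-9]*/boot_acl rw,` spells the domain index as `[0-9]*` while every neighbouring line uses `domain@{int}`; `@{sys}/devices/@{pci}/domain@{int}/boot_acl rw,` keeps the block consistent. Because `boot_acl` is the Thunderbolt pre-boot authorization list, the write access is security-relevant and deserves a short trailing comment such as `# boot-time device authorization list`. profile boltd continues outside the hunk.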
@@ -21,6 +25,21 @@ profile firewalld @{exec_path} { network inet6 raw, network netlink raw, + dbus receive bus=system path=/org/fedoraproject/FirewallD1 + interface=org.fedoraproject.FirewallD1.direct + member=passthrough + peer=(name=:*, label=libvirtd), + + dbus receive bus=system path=/org/fedoraproject/FirewallD1 + interface=org.fedoraproject.FirewallD1.zone + member={changeZoneOfInterface,getZones} + peer=(name=:*, label=libvirtd), + + dbus receive bus=system path=/org/fedoraproject/FirewallD1 + interface=org.fedoraproject.FirewallD1.zone + member={changeZoneOfInterface,removeInterface} + peer=(name=:*, label=libvirtd), + @{exec_path} mr, @{bin}/ r, @@ -33,6 +52,8 @@ profile firewalld @{exec_path} { @{bin}/xtables-legacy-multi rix, @{bin}/xtables-nft-multi rix, + /usr/local/lib/python3.10/dist-packages/ r, + /usr/share/libalternatives/ r, /usr/share/libalternatives/ebtables*/{,*} r, /usr/share/libalternatives/ip{,4,6}tables*/{,*} r, diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 21206d61..11bf2a45 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -10,6 +10,7 @@ include profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include include + include include include include diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index b533bbb5..fa376f98 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -28,6 +28,7 @@ profile frontend @{exec_path} flags=(complain) { @{bin}/locale rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/stty rix, + @{bin}/update-secureboot-policy rPx, # debconf apps @{bin}/adequate rPx, diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index fe071841..83d8e809 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount 
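Review bot: The second and third added rules both match `path=/org/fedoraproject/FirewallD1 interface=org.fedoraproject.FirewallD1.zone` from `libvirtd` and both already list `changeZoneOfInterface`, so they collapse into one rule: `member={changeZoneOfInterface,getZones,removeInterface}`. profile firewalld continues outside the hunk.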
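Review bot: `/usr/local/lib/python3.10/dist-packages/ r,` pins one interpreter version, so the rule silently stops matching after the next Python upgrade; `/usr/local/lib/python3.@{int}/dist-packages/ r,` follows the variable style the rest of this file uses. profile firewalld continues outside the hunk.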
@@ -23,6 +23,7 @@ profile fusermount @{exec_path} { mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/, mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/, + mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/, umount @{HOME}/*/, umount @{HOME}/*/*/, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 94ed47ba..81c82bdd 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -60,6 +60,7 @@ profile keepassxc @{exec_path} { owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/qt5ct/{,**} r, + owner @{user_config_dirs}/{,kdedefaults/}kdeglobals r, # Database locations owner @{user_cache_dirs}/keepassxc/ rw, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 8adc87fa..b6479020 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -25,12 +25,12 @@ profile sensors @{exec_path} { @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, + @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, @{sys}/devices/@{pci}/name r, @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/fan[0-9]_label r, # file_inherit deny @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index f95c7d38..2fd6fd5d 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald 
@@ -49,6 +49,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon@{int}/temp@{int}_{max,crit} r, @{sys}/devices/**/path r, + @{sys}/devices/platform/*/uuids/current_uuid rw, + @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 799ec187..79b24034 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -96,6 +96,7 @@ profile thunderbird @{exec_path} { /usr/share/qt5ct/** r, /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/xul-ext/kwallet5/* r, + /usr/share/uim/* r, /etc/@{name}/{,**} r, /etc/fstab r, @@ -104,9 +105,12 @@ profile thunderbird @{exec_path} { /etc/timezone r, /etc/xul-ext/kwallet5.js r, + /var/lib/uim/* r, owner /var/mail/* rwk, owner @{HOME}/ r, + owner @{HOME}/.uim.d/customs/* r, + owner @{HOME}/.XCompose r, owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/mimeapps.list.* rw, @@ -116,11 +120,14 @@ profile thunderbird @{exec_path} { owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**, owner @{config_dirs}/ rw, + owner @{user_config_dirs}/gtk-3.0/assets/* r, owner @{config_dirs}/*/ rw, owner @{config_dirs}/*/** rwk, owner @{config_dirs}/installs.ini rw, owner @{config_dirs}/profiles.ini rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{cache_dirs}/{,**} rw, /tmp/ r, @@ -134,7 +141,8 @@ profile thunderbird @{exec_path} { owner /tmp/MozillaMailnews/*.msf rw, owner /tmp/Temp-@{uuid}/ rw, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/uim/socket/uim-helper rw, @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index ead4949c..b1e013a5 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest 
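Review bot: `owner @{user_config_dirs}/gtk-3.0/assets/* r,` is inserted between the `@{config_dirs}/` and `@{config_dirs}/*/` lines, splitting the mail-profile block, and `owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,` likewise sits among the `@{config_dirs}` rules; moving both next to the other `@{user_config_dirs}`/`@{user_cache_dirs}` rules earlier in the profile keeps the grouping the file follows. profile thunderbird continues outside the hunk.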
+++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -20,7 +20,7 @@ profile thunderbird-vaapitest @{exec_path} { @{exec_path} mr, - /etc/igfx_user_feature{,_next}.txt w, + /etc/igfx_user_feature{,_next}.txt rw, owner /tmp/thunderbird/.parentlock rw, @@ -29,4 +29,4 @@ profile thunderbird-vaapitest @{exec_path} { deny @{config_dirs}/*/startupCache/** r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 4ed33c86..8c3db4b0 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -25,10 +25,12 @@ profile update-secureboot-policy @{exec_path} { @{bin}/wc rix, /usr/share/debconf/frontend rPx, + / r, + /usr/share/debconf/confmodule r, /var/lib/dkms/ r, - /var/lib/shim-signed/dkms-list r, + /var/lib/shim-signed/dkms-list rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon index cc2c5e02..fe1b666b 100644 --- a/apparmor.d/profiles-s-z/usbguard-daemon +++ b/apparmor.d/profiles-s-z/usbguard-daemon @@ -19,6 +19,9 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) { network netlink dgram, + unix (bind, listen) type=stream, + unix (bind, connect, listen) type=stream peer=(name=usbguard-dbus, addr=none), + @{exec_path} mr, /etc/usbguard/*.conf rw, diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/profiles-s-z/usbguard-dbus index 221965e7..12de9531 100644 --- a/apparmor.d/profiles-s-z/usbguard-dbus +++ b/apparmor.d/profiles-s-z/usbguard-dbus 
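Review bot: `unix (bind, listen) type=stream,` lets the daemon bind and listen on any stream unix socket, which already covers the `bind` and `listen` of the more specific rule beneath it, so the `peer=(name=usbguard-dbus, addr=none)` restriction only ever constrains `connect`. If the IPC socket name is known, an `addr=` conditional on the first rule would keep the bind scoped; since `bind` and `listen` are local operations without a peer, please also confirm the parser accepts the peer conditional on the combined rule. profile usbguard-daemon continues outside the hunk.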
@@ -10,10 +10,13 @@ include @{exec_path} = @{bin}/usbguard-dbus profile usbguard-dbus @{exec_path} { include + include # Needed? deny capability sys_nice, + unix (send, receive, connect) type=stream peer=(name=usbguard-daemon, addr=@@{int}), + @{exec_path} mr, /dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw, /dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw, diff --git a/apparmor.d/profiles-s-z/xinput b/apparmor.d/profiles-s-z/xinput index fbd0ca85..1c330453 100644 --- a/apparmor.d/profiles-s-z/xinput +++ b/apparmor.d/profiles-s-z/xinput @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xinput profile xinput @{exec_path} { include + include @{exec_path} mr,
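Review bot: The new include line is marked `# Needed?`; a question-mark comment ships uncertainty into the policy, so the include should either be justified by the denial that prompted it (and the comment say so) or dropped before merge. The `unix ... peer=(name=usbguard-daemon, addr=@@{int})` rule is the counterpart to the daemon-side listener in the previous file, which binds without any `addr=`; worth confirming the two sides agree on the abstract socket name. profile usbguard-dbus continues outside the hunk.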