diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 8dddb7cc..9a1209eb 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -151,6 +151,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/**/ r, @{sys}/devices/**/uevent r, + @{sys}/devices/pci[0-9]*/**/irq r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r, deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index 0cfa2d3a..f5f3fca2 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/dbus-run-session profile dbus-run-session @{exec_path} { include + include signal (receive) set=term peer=gdm, signal (receive) set=(term, kill) peer=gdm-*-session, @@ -23,11 +24,10 @@ profile dbus-run-session @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/dconf/profile/gdm r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, /var/lib/gdm/.config/dconf/user r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher index 7befe178..345906ae 100644 --- a/apparmor.d/groups/desktop/at-spi-bus-launcher +++ b/apparmor.d/groups/desktop/at-spi-bus-launcher 
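Review bot: The new `@{sys}/devices/pci[0-9]*/**/irq r,` in the firefox hunk carries no comment saying which feature needs it, while the `deny @{sys}/devices/system/cpu/...` rules two lines below show this profile deliberately withholds some hardware-detail reads. A one-line comment such as `# <which Firefox component reads per-device irq — placeholder>` above the rule would let a later maintainer decide whether it belongs with those denies or should stay. The `**` glob also matches any depth under every PCI device, so if a single denial motivated it, the narrowest path that satisfies that denial may be preferable. The enclosing profile block starts and ends outside the hunk.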
@@ -9,11 +9,11 @@ include @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher @{exec_path} += @{libexec}/at-spi-bus-launcher -profile at-spi-bus-launcher @{exec_path} { +profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { include + include include - signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, signal (send) set=(term hup kill) peer=dbus-daemon, @@ -26,28 +26,27 @@ profile at-spi-bus-launcher @{exec_path} { /{usr/,}bin/dbus-daemon rPx, /{usr/,}bin/dbus-broker-launch rPUx, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/cgroup r, - - owner @{HOME}/.Xauthority r, - /var/lib/lightdm/.Xauthority r, - owner @{run}/user/@{uid}/gdm/Xauthority r, - + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/dconf/profile/gdm r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - include + owner @{HOME}/.Xauthority r, + owner @{HOME}/.xsession-errors w, + owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/dconf/profile/gdm r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + + /var/lib/lightdm/.Xauthority r, /var/lib/gdm/.config/dconf/user r, - # file_inherit - owner /dev/tty[0-9]* rw, - owner @{HOME}/.xsession-errors w, /var/log/lightdm/seat[0-9]*-greeter.log w, - /usr/share/gdm/greeter-dconf-defaults r, - @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/1/cgroup r, + + owner /dev/tty[0-9]* rw, # file_inherit include if exists } diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 1ed0ed39..6b4e44fd 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession 
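Review bot: The first hunk adds `flags=(attach_disconnected)` to the `profile at-spi-bus-launcher` header without recording which disconnected path prompted it; the flag makes paths the kernel cannot connect to the namespace root match as if they were absolute, so it widens what every existing rule applies to, and a comment such as `# attach_disconnected: <observed disconnected path — placeholder>` above the header would make that reviewable. The same hunk also appears to drop `signal (receive) set=(term hup kill) peer=dbus-daemon,` while keeping the matching `signal (send)` rule (the collapsed layout makes the marker hard to be certain of); since this profile execs `/{usr/,}bin/dbus-daemon rPx`, confirm the launched daemon never signals its parent before removing the receive side. The second hunk is mostly a reorder, but it replaces the removed `include` between the gschemas and dconf rules with explicit `owner @{run}/user/@{uid}/dconf/ rw` lines; the abstraction's name is not visible here, so check nothing else it provided is lost. The profile body continues past the first hunk.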
@@ -26,9 +26,9 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, /{usr/,}bin/flatpak rPUx, /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/xbrlapi rPx, /{usr/,}bin/xhost rPx, /{usr/,}lib/gnome-session-binary rPx, - /{usr/,}bin/xbrlapi rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/X11/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index ffcb20ae..d8838b94 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -93,6 +93,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, @{sys}/devices/pci[0-9]*/**/drm/ r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 9cdf799c..4d60b8e4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -37,6 +37,10 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + @{sys}/devices/pci[0-9]*/**/drm/ r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8fbc6f33..b5479396 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
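Review bot: The pair `@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,` and `@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,` added to gnome-control-center is repeated verbatim in gnome-control-center-print-renderer on this same line and in gnome-shell in the following hunk, with gnome-shell listing the two in the opposite order. A shared abstraction included from the three profiles would keep the copies from drifting; if the project prefers per-profile rules, a comment such as `# <what reads GPU id/frequency here — placeholder>` above each pair would at least record the purpose, and the print renderer in particular should say why a print-preview process needs GPU frequency files. The `**` between `card[0-9]*` and `id` matches any depth below the card directory, so narrow it if only one level was observed. The enclosing profile blocks continue outside these hunks.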
@@ -89,6 +89,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, + owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/libgweather/{,**} r, @@ -150,6 +151,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r, @{sys}/devices/pci[0-9]*/**/drm/ r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r, + @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 249fcd1e..58f22eef 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -10,6 +10,7 @@ include profile nautilus @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -40,7 +41,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { deny /tmp/.* rw, deny /tmp/.*/ rw, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 0a521bb3..95e9296b 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2017-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -21,13 +21,19 @@ profile dirmngr @{exec_path} { @{exec_path} mr, + /usr/share/gnupg/sks-keyservers.netCA.pem r, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/dirmngr.conf r, owner @{HOME}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, owner @{HOME}/@{XDG_GPG_DIR}/crls.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, - /usr/share/gnupg/sks-keyservers.netCA.pem r, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/ rw, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 18dd5804..6fd2f285 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -29,12 +29,12 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, - owner @{MOUNTS}/*/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/*/@{XDG_GPG_DIR}/gpg-agent.conf r, - owner @{MOUNTS}/*/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{MOUNTS}/*/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, - owner @{MOUNTS}/*/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{MOUNTS}/*/@{XDG_GPG_DIR}/sshcontrol r, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/ rw, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r, 
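Review bot: The five new `owner @{MOUNTS}/*{,/*}/@{XDG_GPG_DIR}/...` rules in dirmngr mirror the ones gpg-agent switches to in the next hunk, and neither profile says what the optional second path component stands for; a comment such as `# GnuPG home on removable media, possibly one level deeper (e.g. @{run}/media/<user>/<device>) — TODO(review) confirm` above the group would make the widening reviewable. With `@{MOUNTS}` defined in tunables/extend as `/media/ @{run}/media /mnt`, `*{,/*}` admits any top-level directory under `/mnt` and `/media`, not only per-user ones, so the `owner` qualifier is doing the real limiting here and should stay on every line. The moved `sks-keyservers.netCA.pem` rule is a pure reorder. The profile block continues outside the hunk.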
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index dfe46e19..1ebaaaa1 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2017-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -21,6 +22,7 @@ profile scdaemon @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/reader_0.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw, @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index ba6a7975..6c4e07a8 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,10 +11,11 @@ include @{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include + include + include + include include include - include - include network inet stream, network inet6 stream, 
@@ -28,33 +30,31 @@ profile gvfs-udisks2-volume-monitor @{exec_path} { /{usr/,}bin/mount rPx, /{usr/,}bin/umount rPx, - include - owner @{run}/user/@{uid}/dconf/ w, - owner @{run}/user/@{uid}/dconf/user rw, - - @{run}/systemd/sessions/[0-9]* r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + / r, /etc/fstab r, /etc/machine-id r, # Mount points - @{MOUNTS}/*/ r, - @{MOUNTS}/*/**/ r, - @{HOME}/*/*/ r, - @{HOME}/*/*/**/ r, - @{HOME}/bluetooth/ r, + owner @{MOUNTS}/*/ r, + owner @{MOUNTS}/*/**/ r, + owner @{HOME}/*/*/ r, + owner @{HOME}/*/*/**/ r, + owner @{HOME}/bluetooth/ r, - / r, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{run}/user/@{uid}/dconf/ w, + owner @{run}/user/@{uid}/dconf/user rw, @{run}/mount/utab r, + @{run}/systemd/sessions/[0-9]* r, - @{PROC}/ r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, + @{PROC}/ r, @{PROC}/1/cgroup r, @{PROC}/locks r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 94c16336..9dff0fc6 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -68,7 +68,7 @@ profile pacman @{exec_path} { /{usr/,}bin/archlinux-java rPx, /{usr/,}bin/bootctl rPx, /{usr/,}bin/dconf rPx, - /{usr/,}bin/fc-cache rPx, + /{usr/,}bin/fc-cache{,-32} rPx, /{usr/,}bin/gdk-pixbuf-query-loaders rPx, /{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/groupadd rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 3215b35d..b41e0a52 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd 
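Review bot: Adding `owner` to the `@{MOUNTS}/*/ r,` and `@{MOUNTS}/*/**/ r,` mount-point rules may deny the very directory the monitor needs: `@{MOUNTS}` covers `/media/`, `@{run}/media` and `/mnt` (tunables/extend), the per-user `/media/<user>/` directory and anything under `/mnt` are commonly root-owned even when the volume mounted inside belongs to the user, and this process appears to run as the user (it touches `@{run}/user/@{uid}/dconf/`), so `owner` would no longer match them. Before tightening, confirm in the audit log that every listing is on a user-owned directory, or keep the first level unowned, e.g. `@{MOUNTS}/*/ r,` followed by `owner @{MOUNTS}/*/**/ r,`. The rest of the hunk is a reorder plus the new `owner @{PROC}/@{pid}/stat r,`, which looks fine. The profile block continues outside the hunk.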
@@ -24,7 +24,7 @@ profile pacman-hook-systemd @{exec_path} { /{usr/,}bin/systemd-sysusers rPx, /{usr/,}bin/systemd-tmpfiles rPx, /{usr/,}bin/udevadm rPx, - /{usr/,}lib/systemd-binfmt rPx, + /{usr/,}lib/systemd/systemd-binfmt rPx, /{usr/,}lib/systemd/systemd-sysctl rPx, /usr/ rw, diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index 037c7ab9..4c2a2f71 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,9 +12,10 @@ profile systemd-shutdown @{exec_path} flags=(complain) { include include - capability sys_resource, - capability sys_boot, capability kill, + capability sys_boot, + capability sys_ptrace, + capability sys_resource, signal (send) set=(stop, cont, term, kill), diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 687174d9..f0533ffb 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -27,7 +27,8 @@ profile auditd @{exec_path} { /etc/machine-id r, - @{run}/auditd.pid rw, + owner @{run}/auditd.pid rwl, + owner @{run}/auditd.state rw, @{run}/systemd/userdb/ r, owner @{PROC}/@{pid}/attr/current r, diff --git a/apparmor.d/profiles-a-f/fc-cache b/apparmor.d/profiles-a-f/fc-cache index 1542efa8..39462818 100644 --- a/apparmor.d/profiles-a-f/fc-cache +++ b/apparmor.d/profiles-a-f/fc-cache @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/fc-cache +@{exec_path} = /{usr/,}bin/fc-cache{,-32} profile fc-cache @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index a7206ec4..8131456e 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache 
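Review bot: The new `capability sys_ptrace,` in systemd-shutdown has no comment recording which access needed it; it is the broadest of the three capabilities now listed and nothing in the hunk shows what it is for. Suggest `capability sys_ptrace, # <observed denial — placeholder>` so the grant can be re-checked when the profile leaves `flags=(complain)`. Re-sorting the capabilities alphabetically is fine. The profile block continues outside the hunk.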
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -18,6 +18,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { /usr/share/icons/**/.icon-theme.cache rw, /usr/share/icons/**/icon-theme.cache rw, + /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw, + deny /apparmor/.null rw, include if exists diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id index 0132cae1..f8839e02 100644 --- a/apparmor.d/profiles-g-l/id +++ b/apparmor.d/profiles-g-l/id @@ -16,5 +16,7 @@ profile id @{exec_path} { /etc/machine-id r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 4a7e537d..3b15a0a9 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -35,6 +35,7 @@ profile lspci @{exec_path} { # file_inherit @{PROC}/ioports r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 8e916a03..451d7d44 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -18,5 +18,7 @@ profile uname @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal b/apparmor.d/profiles-s-z/xdg-desktop-portal index 93e59ab3..aeb9b24d 100644 --- a/apparmor.d/profiles-s-z/xdg-desktop-portal +++ b/apparmor.d/profiles-s-z/xdg-desktop-portal @@ -20,10 +20,14 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}lib/x r, + /{usr/,}bin/{,ba,da}sh rix, + + # Allowed apps to open + /{usr/,}bin/firefox rPx -> firefox, / r, /.flatpak-info r, + /{usr/,}lib/x r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/pipewire/client.conf r, 
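Review bot: `deny /apparmor/.null rw,` in gtk-update-icon-cache is added without a comment; as far as I know `/apparmor/.null` is the placeholder file AppArmor substitutes for revoked descriptors, so this line silences audit noise rather than blocking a real access, and a reader cannot tell that from the bare rule — suggest `deny /apparmor/.null rw, # revoked fds, silence audit noise` if that is the case. The flatpak rule is pinned to `exports/share/icons/hicolor/` while the existing rules use `/usr/share/icons/**/`; if other exported themes show up, widening to `**` in one place will age better than adding lines one theme at a time. The profile block continues outside the hunk.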
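Review bot: The same `deny @{user_share_dirs}/gvfs-metadata/* r,` is added to id, lspci and uname here and to xdg-icon-resource in the next hunk; in lspci and uname it sits under the existing `# file_inherit` comment, which explains it as an inherited descriptor, but in id and xdg-icon-resource it appears as a bare deny that reads like a policy decision. Either put a `# file_inherit` comment above it in those two profiles or move the line into one shared abstraction so the four copies stay in step. Each of these profile blocks ends with the `}` visible in its hunk.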
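Review bot: `/{usr/,}bin/{,ba,da}sh rix,` in xdg-desktop-portal gives any shell the portal launches the portal's full profile, including the new `firefox rPx -> firefox` transition, and nothing in the hunk says what script the portal runs; a comment naming that caller (`# <script the portal execs — placeholder>`) would justify the inherit over a confined child profile. The `# Allowed apps to open` comment would read better as `# Applications the portal may launch`. The moved `/{usr/,}lib/x r,` line is a reorder. The profile block continues outside the hunk.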
diff --git a/apparmor.d/profiles-s-z/xdg-icon-resource b/apparmor.d/profiles-s-z/xdg-icon-resource index b5cdda39..acc10b69 100644 --- a/apparmor.d/profiles-s-z/xdg-icon-resource +++ b/apparmor.d/profiles-s-z/xdg-icon-resource @@ -38,5 +38,7 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, /opt/**/*.png r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/profiles-s-z/xdg-settings b/apparmor.d/profiles-s-z/xdg-settings index 373f310b..8eb6c1f1 100644 --- a/apparmor.d/profiles-s-z/xdg-settings +++ b/apparmor.d/profiles-s-z/xdg-settings @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -15,51 +16,41 @@ profile xdg-settings @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/mktemp rix, + /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/readlink rix, /{usr/,}bin/sed rix, /{usr/,}bin/sort rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, /{usr/,}bin/uname rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/which{,.debianutils} rix, - # When xdg-settings is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Xdg-settings works fine without this. - #/{usr/,}bin/dbus-launch rCx -> dbus, - #/{usr/,}bin/dbus-send rCx -> dbus, - deny /{usr/,}bin/dbus-launch rx, - deny /{usr/,}bin/dbus-send rx, - - /{usr/,}bin/xprop rPx, - /{usr/,}bin/xdg-mime rPx, - - owner @{PROC}/@{pid}/fd/ r, - - /etc/xdg/xfce4/helpers.rc r, - owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw, - owner @{user_share_dirs}/applications/ r, - owner @{user_share_dirs}/applications/*.desktop r, - - owner @{HOME}/.Xauthority r, + /{usr/,}bin/dbus-launch rCx -> dbus, + /{usr/,}bin/dbus-send rCx -> dbus, + /{usr/,}bin/xdg-mime rPx, + /{usr/,}bin/xprop rPx, /usr/share/terminfo/x/xterm-256color r, /usr/share/applications/ r, - /var/lib/dbus/machine-id r, + + /etc/xdg/xfce4/helpers.rc r, /etc/machine-id r, + /var/lib/dbus/machine-id r, - # For shell pwd owner @{HOME}/ r, + owner @{HOME}/.Xauthority r, - @{run}/user/@{uid}/ r, + owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw, + owner @{user_share_dirs}/applications/ r, + owner @{user_share_dirs}/applications/*.desktop r, + + owner @{run}/user/@{uid}/ r, + + owner 
@{PROC}/@{pid}/fd/ r, profile dbus { include diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend index 5ec4c97f..4c6f55e1 100644 --- a/apparmor.d/tunables/extend +++ b/apparmor.d/tunables/extend @@ -13,7 +13,7 @@ @{MOUNTS}=/media/ @{run}/media /mnt # Libexec path. Different in some distribution -@{libexec}=/usr/lib # Archlinux -@{libexec}=/usr/libexec # Debian/Ubuntu +@{libexec}=/{usr/,}lib # Archlinux +@{libexec}=/{usr/,}libexec # Debian/Ubuntu include if exists \ No newline at end of file
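Review bot: The xdg-settings rewrite replaces `deny /{usr/,}bin/dbus-launch rx,` and `deny /{usr/,}bin/dbus-send rx,` with `rCx -> dbus` transitions into the `profile dbus` child at the end of the hunk, but it also deletes the comment that recorded the earlier reasoning (when run as root xdg-settings autolaunches a session bus, and it worked without it). Reversing that decision deserves a one-line note above the two new lines, e.g. `# dbus autolaunch when run as root; confined by the dbus child profile below`, so the next reader does not reintroduce the deny. The remaining changes — alphabetical reordering of the `rix` helpers, dropping the `# For shell pwd` comment, and `owner` added to `@{run}/user/@{uid}/ r,` — are reorders or tightenings. The `profile dbus` child body continues past the hunk's last line.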
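Review bot: `@{libexec}=/{usr/,}lib` and `@{libexec}=/{usr/,}libexec` in tunables/extend are two plain `=` assignments of the same variable; as far as I recall apparmor_parser rejects a redeclared variable, so presumably the build keeps only one line per distribution as the `# Archlinux` / `# Debian/Ubuntu` tags suggest, and a comment such as `# exactly one of the two lines is kept at build time` would stop a reader from "fixing" it. The `{usr/,}` alternation matches the `/{usr/,}bin/...` style used throughout the profiles; it also makes `@{libexec}` match `/lib` and `/libexec` directly, which is harmless on merged-/usr systems but worth a note if a split-/usr layout is still supported. The hunk is the file's tail (`\ No newline at end of file`).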