diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 253a8271..791ae428 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -35,6 +35,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, + unix (bind) type=stream addr=@@{hex}/bus/apt/system, unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), @@ -226,6 +227,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, + signal (send) set=(cont, term) peer=systemd-tty-ask-password-agent, + @{bin}/systemd-tty-ask-password-agent rPx, owner @{run}/systemd/ask-password-block/{,*} rw, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 1e6225e7..4979a2ca 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -21,6 +21,7 @@ profile dpkg-preconfigure @{exec_path} { @{sh_path} rix, @{bin}/locale rix, + @{bin}/sed rix, @{bin}/stty rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index dd9a1080..8ad9c39a 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -176,6 +176,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner /tmp/Temp-@{uuid}/{**,} rw, owner /tmp/tmp-???.xpi rw, owner /tmp/tmpaddon r, + owner /tmp/tmpaddon-@{int} r, owner /tmp/user/@{uid}/ rw, owner /tmp/user/@{uid}/@{name}/ rw, owner /tmp/user/@{uid}/@{name}/* rwk, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index d87b7ec7..d1bb559c 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper 
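Review bot: The new `signal (send) set=(cont, term) peer=systemd-tty-ask-password-agent,` in the second apt hunk only covers apt's side of the exchange; AppArmor mediates signals at both ends, and the systemd-tty-ask-password-agent profile later in this diff gains a receive rule for `*//systemctl` but none for `apt`. Unless a `signal (receive) set=(term cont) peer=apt,` already exists outside that hunk, the TERM/CONT apt sends to the agent it spawned via `@{bin}/systemd-tty-ask-password-agent rPx,` will be denied and logged. A short comment on why apt signals the agent at all would also help, e.g. `# stop the password agent started for the dpkg run — TODO confirm`. The profile body continues outside the hunk.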
@@ -42,7 +42,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca5_* r, + owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index c1c63185..e85a4af7 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -47,6 +47,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/* rPUx, + @{bin}/{false,true} rix, @{bin}/dbus-launch rix, @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235 @{lib}/{,kf6/}kauth/{,libexec/}* rPx, diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper index c646fb1f..28fdf541 100644 --- a/apparmor.d/groups/bus/dbus-daemon-launch-helper +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper @@ -19,10 +19,10 @@ profile dbus-daemon-launch-helper @{exec_path} { @{exec_path} mr, @{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx, + @{lib}/{,kf6/}kauth/{,libexec/}* rPx, @{lib}/{,polkit-1/}polkitd rPx, @{lib}/{,udisks2/}udisksd rPx, @{lib}/@{multiarch}/cups-pk-helper-mechanism rPx, - @{lib}/kauth/{,libexec/}* rPx, @{lib}/language-selector/ls-dbus-backend rPx, @{lib}/software-properties/software-properties-dbus rPx, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index d85231dd..630ee89f 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf 
@@ -41,6 +41,8 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/dconf/user rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, + owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 2ccd35b2..9b0d0eec 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -33,15 +33,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { # dbus: own bus=system name=org.gnome.DisplayManager # dbus: talk bus=system name=org.freedesktop.login1 label=systemd-logind - - dbus send bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member={ListCachedUsers,UserAdded} - peer=(name=:*, label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=accounts-daemon), + # dbus: talk bus=system name=org.freedesktop.Accounts label=accounts-daemon dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 0f9d439a..365be69d 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -58,7 +58,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/ w, owner @{run}/user/@{uid}/keyring/ rw, owner @{run}/user/@{uid}/keyring/* rw, - owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw, + owner @{run}/user/@{uid}/ssh-askpass.@{rand6}/{,*} rw, @{run}/user/@{uid}/keyring/control r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 7db51a66..b72a3c27 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing 
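Review bot: Replacing the two explicit `dbus send` rules with `# dbus: talk bus=system name=org.freedesktop.Accounts label=accounts-daemon` widens gdm's reach on accounts-daemon, if the generator expands `talk` to send and receive on every interface and member of that name as the `talk ... login1` directive just above appears to. The removed rules allowed only `ListCachedUsers`, `UserAdded` and `Properties.GetAll` toward `label=accounts-daemon`; after this change gdm can presumably also reach `CreateUser`, `DeleteUser` and the per-user setters. gdm runs as root so the practical exposure is limited, but least privilege argues for keeping the member-scoped rules or using a directive form that lists members, and the reason for widening belongs in the commit message. The profile body continues outside the hunk.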
@@ -39,7 +39,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, - @{run}/systemd/sessions/@{int} r, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 965ce415..f4c71225 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,25 +9,38 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include include include include include + include + + signal (send) set=(kill) peer=loupe//bwrap, @{exec_path} mr, - @{bin}/bwrap rix, - @{lib}/glycin-loaders/*/glycin-image-rs rix, + @{bin}/bwrap rCx -> bwrap, /usr/share/glycin-loaders/{,**} r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r, - owner @{user_books_dirs}/{,**} r, - owner @{user_download_dirs}/{,**} r, - owner @{user_pictures_dirs}/{,**} r, - owner @{user_torrents_dirs}/{,**} r, - owner @{user_work_dirs}/{,**} r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + + profile bwrap flags=(attach_disconnected) { + include + include + + signal (receive) set=(kill) peer=loupe, + + @{bin}/bwrap mr, + @{lib}/glycin-loaders/*/glycin-image-rs rix, + + include if exists + } include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index a3f842fd..8fca2efc 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig 
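Review bot: Widening `@{run}/systemd/sessions/@{int} r,` to `@{run}/systemd/sessions/* r,` also covers the `<id>.ref` FIFOs logind keeps beside each session file, which is unlikely to be what gsd-sharing needs. If the trigger was a non-numeric session ID — the `/var/lib/gdm{3,}/` rules in the surrounding context suggest the greeter session, whose logind ID is typically of the form `c@{int}` — then `@{run}/systemd/sessions/{,c}@{int} r,` keeps the rule narrow. A one-line comment naming the ID form that prompted the change would make the glob reviewable later. The profile body continues outside the hunk.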
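Review bot: In the new `bwrap` child profile, `@{lib}/glycin-loaders/*/glycin-image-rs rix,` runs the image decoder — the component that parses untrusted image bytes — with exactly the permissions bwrap itself holds plus whatever the two name-stripped includes grant. bwrap needs mount, pivot_root and user-namespace privileges to build its sandbox while the decoder needs none of them, so under the AppArmor layer a compromised glycin-image-rs inherits sandbox-builder privileges even if bwrap's kernel namespaces still contain it. If the project has a loader profile, `@{lib}/glycin-loaders/*/glycin-image-rs rPx,` (or a nested `rCx`) would keep the decoder strictly tighter than the launcher. Separately, the parent loses every `owner @{user_*_dirs}/{,**} r` rule in this hunk; unless the newly added include is the abstraction that now supplies those reads, opening images outside the portal will be denied. The include names are lost in this rendering, so both points need confirming against the real file.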
@@ -15,12 +15,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, - @{exec_path} mr, + @{exec_path} mr, - /{usr/,}{local/,}{s,}bin/zfs rPx, - /{usr/,}{local/,}{s,}bin/zpool rPx, - @{bin}/dmsetup rPUx, - @{bin}/grub-probe rPx, @{sh_path} rix, @{bin}/{e,f,}grep rix, @{bin}/{m,g,}awk rix, @@ -31,11 +27,13 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, + @{bin}/dmsetup rPUx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, @{bin}/grub-mkrelpath rPx, + @{bin}/grub-probe rPx, @{bin}/grub-script-check rPx, @{bin}/head rix, @{bin}/id rPx, 
@@ -58,36 +56,38 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/umount rPx, @{bin}/uname rix, @{bin}/which{.debianutils,} rix, - /etc/grub.d/{**,} rix, + @{bin}/zfs rPx, + @{bin}/zpool rPx, + /etc/grub.d/{,**} rix, - @{lib}/gconv/gconv-modules r, - @{lib}/gconv/gconv-modules.d/{,gconv-modules-extra.conf} r, + @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, - /boot/{**,} r, - /boot/grub/{**,} rw, + /usr/share/grub/{,**} r, + /usr/share/terminfo/** r, /etc/default/grub r, /etc/default/grub-btrfs/config r, - /etc/default/grub.d/{*,} r, - - /usr/share/grub/{**,} r, - /usr/share/terminfo/** r, - - /.zfs/snapshot/*/boot/ r, - /.zfs/snapshot/*/etc/{machine-id,} r, - /.zfs/snapshot/*/etc/fstab r, - /.zfs/snapshot/*/{usr/,}lib/os-release r, + /etc/default/grub.d/{,*} r, / r, - owner /tmp/** rw, + /.zfs/snapshot/*/@{lib}/os-release r, + /.zfs/snapshot/*/boot/ r, + /.zfs/snapshot/*/etc/ r, + /.zfs/snapshot/*/etc/fstab r, + /.zfs/snapshot/*/etc/machine-id r, + + /boot/{,**} r, + /boot/grub/{,**} rw, + + # owner /tmp/** rw, + + @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, - @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, - /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index 134b8d0f..37bf8c04 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -15,7 +15,7 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{md5}/ r, /{run,var}/log/journal/@{md5}/user-@{uid}.journal r, - /{run,var}/log/journal/@{md5}/user-@{uid}@@{uuid}.journal r, + /{run,var}/log/journal/@{md5}/user-@{uid}@@{hex}.journal r, include if exists } \ No newline at end of file 
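Review bot: `# owner /tmp/** rw,` leaves a disabled rule in the profile with no explanation, so the next reader cannot tell whether grub-mkconfig stopped needing /tmp or the rule was judged too broad; either delete it or say why, e.g. `# grub-mkconfig writes grub.cfg.new under /boot/grub; no /tmp needed — TODO confirm for /etc/grub.d scripts`. The zfs rules also move from `/{usr/,}{local/,}{s,}bin/{zfs,zpool} rPx` to `@{bin}/zfs rPx` and `@{bin}/zpool rPx`; if `@{bin}` does not expand to `/usr/local/{,s}bin`, an OpenZFS built from source loses its transition and the zfs grub.d hook's exec would be denied. Worth confirming against the tunables before merging. The profile body continues outside the hunk.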
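Review bot: `user-@{uid}@@{hex}.journal` is probably still too narrow for archived user journals, whose names carry hyphen-separated hex fields after the `@` (`user-<uid>@<seqnum-id>-<head-seqnum>-<head-realtime>.journal`); a hex-only `@{hex}` does not match the hyphens, and neither did the previous `@{uuid}`. If `@{hex}` is defined as a bare hex run, `/{run,var}/log/journal/@{md5}/user-@{uid}@@{hex}-@{hex}-@{hex}.journal r,` matches the actual layout. Check the tunable's definition before changing it.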
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f11edac7..250e18e3 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -103,6 +103,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int}, owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk, owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w, owner @{user_cache_dirs}/ksvg-elements* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, diff --git a/apparmor.d/groups/ssh/gcr-ssh-agent b/apparmor.d/groups/ssh/gcr-ssh-agent index 5c5722ee..c2d7acda 100644 --- a/apparmor.d/groups/ssh/gcr-ssh-agent +++ b/apparmor.d/groups/ssh/gcr-ssh-agent @@ -14,5 +14,12 @@ profile gcr-ssh-agent @{exec_path} { @{exec_path} mr, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, + + owner @{HOME}/@{XDG_SSH_DIR}/* r, + + owner @{run}/user/@{uid}/ssh-askpass.@{rand6}/{,*} rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 483c82b5..5490b0da 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -7,8 +7,10 @@ abi , include @{exec_path} = @{bin}/systemd-dissect -profile systemd-dissect @{exec_path} { +profile systemd-dissect @{exec_path} flags=(attach_disconnected) { include + include + include capability dac_read_search, capability sys_admin, @@ -16,6 +18,9 @@ profile systemd-dissect @{exec_path} { mount options=(rw, rslave) -> /, mount options=(rw, nodev) -> /mnt/*/, + mount -> /tmp/dissect-@{rand6}/, + + signal (send) set=(cont) peer=child-pager, @{exec_path} mr, 
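Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/* r,` hands the agent read access to every file in the user's SSH directory, private keys included, and the hunk records no reason for the `*`. If the agent itself only needs the public halves and `ssh-add` does the on-demand private-key loading, `owner @{HOME}/@{XDG_SSH_DIR}/*.pub r,` here plus `@{bin}/ssh-add rPx,` (when an ssh-add profile exists) would keep the private material readable only in the tighter child; with `@{bin}/ssh-add rix,` as written, ssh-add inherits everything the agent may do. At minimum a comment such as `# private keys are read on demand via ssh-add — TODO confirm` should say which it is. The profile header is outside the hunk.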
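Review bot: `mount -> /tmp/dissect-@{rand6}/,` is unconstrained in every dimension but the target — any source, any filesystem type, any options — whereas the two neighbouring mount rules at least pin `options=(rw, rslave)` and `options=(rw, nodev)`. The partitions dissect mounts come from an image the caller supplies, so the mount flags are the one thing the profile can still fix; something like `mount options=(rw, nodev, nosuid) -> /tmp/dissect-@{rand6}/,` keeps a setuid binary inside the image from becoming one on the host, provided dissect passes those flags itself. Confirm the flags systemd-dissect actually uses before tightening, or the rule turns into a denial. The profile body continues outside the hunk.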
@@ -30,13 +35,14 @@ profile systemd-dissect @{exec_path} { @{user_projects_dirs}/{,**} r, @{user_vm_dirs}/{,**} r, - owner /tmp/dissect-*/{,**} rw, + owner /tmp/dissect-@{rand6}/{,**} rw, @{sys}/devices/virtual/block/loop@{int}/{,**} r, @{sys}/kernel/uevent_seqnum r, @{PROC}/@{pids}/cgroup r, + /dev/btrfs-control rw, /dev/loop-control rwk, /dev/loop* rwk, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 00870bbe..df840052 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -16,6 +16,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, + signal (receive) set=(term cont) peer=*//systemctl, signal (receive) set=(term cont) peer=default, signal (receive) set=(term cont) peer=logrotate, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 212389a6..5ada34c1 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -18,6 +18,8 @@ profile list-oem-metapackages @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rix, + @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, + /etc/machine-id r, @{sys}/devices/ r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 305ed24c..e5275391 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
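Review bot: `@{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw,` grants write access into a system Python package directory to a profile that, judging by the `dpkg` and `ischroot` rules above it, runs as root — a bytecode-planting vector, since a `.pyc` dropped there runs in every later Python process importing that module. As far as I recall CPython writes the cache as `<name>.pyc.<tmp>` and then renames it onto `<name>.pyc`, so this rule only silences the first half of the denial; the rename onto `*.pyc` is still refused and logged. Because the deb normally ships the `.pyc` files already, `deny @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} w,` quiets the log without opening the directory. The profile body continues outside the hunk.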
@@ -50,6 +50,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, + @{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index a959a5f4..189d5842 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -67,9 +67,6 @@ profile update-notifier @{exec_path} { /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/update-notifier/{,**} r, - /usr/share/X11/{,**} r, - - /etc/machine-id r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/update-notifier/user.d/ r, @@ -89,6 +86,8 @@ profile update-notifier @{exec_path} { include include + unix (bind) type=stream addr=@@{hex}/bus/systemctl/system, + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnitFileState diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 1ef1fe4f..70e9ae6a 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -17,10 +17,11 @@ profile adduser @{exec_path} { capability chown, capability dac_override, capability dac_read_search, - capability setuid, - capability setgid, capability fowner, capability fsetid, + capability setgid, + capability setuid, + capability sys_admin, @{exec_path} r, @{bin}/perl r, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 79697494..6f398fbf 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd 
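Review bot: The three `__pycache__/*.cpython-@{int}.pyc.@{int} rw,` rules open `@{lib}/python3/dist-packages/{UpdateManager,gi,uaclient}` for writing by update-manager, and the `{,**/}` component makes them recursive. For an unprivileged user DAC refuses the write anyway, so the rule only takes effect when update-manager runs as root, which is exactly when planting bytecode in a system package directory is dangerous; the `gi` tree in particular is imported by many unrelated programs. A `deny ... w` on the same patterns removes the log noise without granting anything, since the packaged `.pyc` files already exist. The profile body continues outside the hunk.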
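Review bot: `unix (bind) type=stream addr=@@{hex}/bus/systemctl/system,` is, as far as I know, the abstract-socket name sd-bus binds for a client whose comm is `systemctl`, which implies systemctl is executing inside the update-notifier profile (an inherited exec) rather than in a confined child, and this rule makes the parent carry systemctl's needs. The same commit moves snap, snap-failure and udisksd to `@{bin}/systemctl rCx -> systemctl` with a dedicated child profile; doing the same here would drop this bind rule from the parent and keep the pattern consistent. The `systemctl` exec line is outside the hunk, so this is inferred from the socket name and should be checked.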
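Review bot: `capability sys_admin,` is added with no comment, and of all capabilities it is the one that most nearly equals root: it unlocks mount, namespaces, quotactl, setns and a long tail of privileged ioctls, far beyond what an account-creation script should need. The hunk should record what operation triggered it — the audit line, or `capability sys_admin, # for <syscall> when <condition>` — so a later reviewer can judge whether confining the specific helper adduser shells out to would do instead. If the trigger turns out to be a probe that may harmlessly fail, `deny capability sys_admin,` removes the log noise without granting it. The profile body continues outside the hunk.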
@@ -22,7 +22,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/bolt interface=org.freedesktop.bolt1.Manager member=ListDevices - peer=(name=:*, label=kded5), + peer=(name=:*, label=kded), dbus (send,receive) bus=system path=/org/freedesktop/bolt{,/**} interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 960797ea..84cb7275 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -46,7 +46,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { signal (receive) set=(int) peer=flatpak-portal, @{bin}/** rmix, - @{lib}/kf5/kioslave5 rPx, @{lib}/** rmix, /app/** rmix, /var/lib/flatpak/app/*/**/@{bin}/** rmix, @@ -57,6 +56,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, + @{lib}/kf5/kioslave5 rPx, + @{lib}/kf6/kioworker rPx, + /var/lib/flatpak/app/{,**} r, /usr/share/flatpak/triggers/* rix, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index af0934e6..f3dd9094 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -53,6 +53,7 @@ profile mkinitramfs @{exec_path} { @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, + @{lib}/dracut/dracut-install rix, @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 885019ba..aa7ec7cf 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/scrcpy profile scrcpy @{exec_path} { include + include + include include network inet stream, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 7f72e2eb..515b6c85 100644 --- a/apparmor.d/profiles-s-z/snap 
+++ b/apparmor.d/profiles-s-z/snap @@ -46,7 +46,7 @@ profile snap @{exec_path} { @{bin}/mount rix, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/systemctl rPx -> child-systemctl, + @{bin}/systemctl rCx -> systemctl, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @@ -58,8 +58,9 @@ profile snap @{exec_path} { /var/cache/snapd/commands.db rwk, /var/cache/snapd/names r, - /snap/{,**} rw, @{HOME}/snap/{,**} rw, + /snap/{,**} rw, + /var/lib/gdm{,3}/snap/{,**} rw, owner /tmp/snapd-auto-import-mount-@{int}/ rw, @@ -104,5 +105,12 @@ profile snap @{exec_path} { include if exists } + profile systemctl { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure index 94cb44d5..86dbe1ab 100644 --- a/apparmor.d/profiles-s-z/snap-failure +++ b/apparmor.d/profiles-s-z/snap-failure @@ -14,7 +14,7 @@ profile snap-failure @{exec_path} { @{exec_path} mr, - @{bin}/systemctl rPx -> child-systemctl, + @{bin}/systemctl rCx -> systemctl, @{lib_dirs}/snapd/snapd rPx, /var/lib/snapd/sequence/snapd.json r, @@ -23,5 +23,12 @@ profile snap-failure @{exec_path} { @{PROC}/cmdline r, + profile systemctl { + include + include + + include if exists + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index a3ccf1d2..096be4ff 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -33,6 +33,8 @@ profile terminator @{exec_path} flags=(attach_disconnected) { # The shell is not confined on purpose. @{bin}/@{shells} rUx, + @{open_path} rPx, + owner @{user_config_dirs}/terminator/{,**} rw, owner /tmp/#@{int} rw, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 4bae15a7..890cadfe 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
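Review bot: The new `/var/lib/gdm{,3}/snap/{,**} rw,` has no `owner` qualifier, so as far as AppArmor is concerned a `snap` invocation under any UID may write into the gdm user's snap directory, and when snap runs as root nothing else stops it. `owner /var/lib/gdm{,3}/snap/{,**} rw,` limits the rule to the gdm user's own runs (the neighbouring `@{HOME}/snap/{,**} rw,` has the same gap). The `systemctl` child profile added on this line consists only of includes whose names this rendering drops; if that abstraction does not itself carry `signal (send) set=(term, cont) peer=systemd-tty-ask-password-agent,`, the agent's widened `peer=*//systemctl` receive rule elsewhere in this diff has no matching sender and the handshake is denied on one side. Both points need checking against the real file.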
@@ -84,7 +84,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{bin}/ntfsfix rPx, @{bin}/sfdisk rPx, @{bin}/sgdisk rPx, - @{bin}/systemctl rPx -> child-systemctl, + @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, /etc/udisks2/{,**} r, @@ -138,5 +138,12 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /dev/loop-control rw, /dev/null.@{int} rw, + profile systemctl { + include + include + + include if exists + } + include if exists }
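Review bot: The inline `systemctl` child profile is now the third copy of the same two includes in this commit (snap, snap-failure, udisksd), replacing the single shared `child-systemctl` profile, and three copies will drift unless every rule lives in the included abstraction. A comment in each child, `# rules belong in the systemctl abstraction, not here`, would make that explicit. If `child-systemctl` is no longer referenced anywhere after this change it should be removed in the same commit, so that the receive rule in systemd-tty-ask-password-agent widened to `peer=*//systemctl` is the only path that remains to audit. The profile body continues outside the hunk.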