diff --git a/apparmor.d/abstractions/qt5.d/complete b/apparmor.d/abstractions/qt5.d/complete
index 655abaeb..fadb3993 100644
--- a/apparmor.d/abstractions/qt5.d/complete
+++ b/apparmor.d/abstractions/qt5.d/complete
@@ -3,10 +3,9 @@
 # SPDX-License-Identifier: GPL-2.0-only
   /usr/share/qt{,5,6}/qtlogging.ini r,
+  /usr/share/qt{,5,6}/resources/*.pak r,
   /usr/share/qt{,5,6}/translations/*.qm r,
   /usr/share/qt{,5,6}/translations/qtwebengine_locales/*.pak r,
-  /usr/share/qt{,5,6}/resources/*.pak r,
-
-  # Qt5CT and Qt6CT support and integration with others DE
   /usr/share/qt{,5,6}ct/{,**} r,
+  owner @{user_config_dirs}/qt{,5,6}ct/{,**} r,
diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict
index 9eb1262d..3ff81e66 100644
--- a/apparmor.d/abstractions/user-read-strict
+++ b/apparmor.d/abstractions/user-read-strict
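Review bot: The removed line `# Qt5CT and Qt6CT support and integration with others DE` was the only explanation of the `qt{,5,6}ct` rules, and the new side keeps `/usr/share/qt{,5,6}ct/{,**} r,` and adds `owner @{user_config_dirs}/qt{,5,6}ct/{,**} r,` with no comment at all. Since this abstraction is pulled into many profiles, a one-line comment above those two rules, such as `# Qt5CT/Qt6CT theme and configuration integration`, would keep the intent readable for the next person auditing what the abstraction grants. The rest of the abstraction is outside the hunk.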
@@ -8,26 +8,26 @@
   owner @{HOME}/ r,
   owner @{MOUNTS}/ r,
-  owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
-  owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} r,
-  owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
-  owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk,
+  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rk,
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rk,
+  owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} rk,
+  owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} rk,
+  owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rk,
-  owner @{user_books_dirs}/{,**} r,
-  owner @{user_documents_dirs}/{,**} r,
-  owner @{user_download_dirs}/{,**} r,
-  owner @{user_games_dirs}/{,**} r,
-  owner @{user_music_dirs}/{,**} r,
-  owner @{user_pictures_dirs}/{,**} r,
-  owner @{user_projects_dirs}/{,**} r,
-  owner @{user_publicshare_dirs}/{,**} r,
-  owner @{user_sync_dirs}/{,**} r,
-  owner @{user_templates_dirs}/{,**} r,
-  owner @{user_torrents_dirs}/{,**} r,
-  owner @{user_videos_dirs}/{,**} r,
-  owner @{user_vm_dirs}/{,**} r,
-  owner @{user_work_dirs}/{,**} r,
+  owner @{user_books_dirs}/{,**} rk,
+  owner @{user_documents_dirs}/{,**} rk,
+  owner @{user_download_dirs}/{,**} rk,
+  owner @{user_games_dirs}/{,**} rk,
+  owner @{user_music_dirs}/{,**} rk,
+  owner @{user_pictures_dirs}/{,**} rk,
+  owner @{user_projects_dirs}/{,**} rk,
+  owner @{user_publicshare_dirs}/{,**} rk,
+  owner @{user_sync_dirs}/{,**} rk,
+  owner @{user_templates_dirs}/{,**} rk,
+  owner @{user_torrents_dirs}/{,**} rk,
+  owner @{user_videos_dirs}/{,**} rk,
+  owner @{user_vm_dirs}/{,**} rk,
+  owner @{user_work_dirs}/{,**} rk,
   include if exists
\ No newline at end of file
diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split
index 78e19897..e672c41b 100644
--- a/apparmor.d/groups/apt/dpkg-split
+++ b/apparmor.d/groups/apt/dpkg-split
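Review bot: Every rule in this hunk goes from `r` to `rk`, which adds file-lock permission over the whole user-data tree (`{,**}` matches the directories and everything beneath them) for every profile that includes this abstraction, and nothing on the new side says why. Locks are advisory on Linux, so the practical exposure is a confined process being able to hold locks on user documents rather than read more data, but an abstraction named `-strict` now grants more than read and that deserves to be recorded. If only one or two applications need `k`, granting it in those profiles is narrower; if it really is needed here, a comment above the first rule such as `# k: some applications take advisory locks on files they open read-only` would document the decision. The rest of the abstraction is outside the hunk.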
@@ -26,8 +26,8 @@ profile dpkg-split @{exec_path} {
   /var/cache/apt/archives/*.deb r,
+  @{user_pkg_dirs}/** r,
   owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
-  owner @{user_pkg_dirs}/** r,
   include if exists
 }
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 90731803..e5c1d7ea 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -17,6 +17,7 @@ include
 profile dbus-session flags=(attach_disconnected) {
   include
   include
+  include
   include
   unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),
@@ -62,7 +63,8 @@ profile dbus-session flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/oom_score_adj r,
   owner @{PROC}/@{pid}/mounts r,
+  /dev/ptmx rw,
   /dev/tty@{int} rw,
-
+
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index c941e29a..bb37fa90 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -53,16 +53,19 @@ profile dbus-system flags=(attach_disconnected) {
   @{user_share_dirs}/icc/ r,
   @{user_share_dirs}/icc/edid-@{hex32}.icc r,
-  @{run}/systemd/users/@{int} r,
-  @{run}/systemd/sessions/*.ref rw,
   @{run}/systemd/inhibit/*.ref rw,
+  @{run}/systemd/notify w,
+  @{run}/systemd/sessions/*.ref rw,
+  @{run}/systemd/users/@{int} r,
   @{sys}/kernel/security/apparmor/.access rw,
   @{sys}/kernel/security/apparmor/features/dbus/mask r,
   @{sys}/module/apparmor/parameters/enabled r,
+  @{PROC}/@{pid}/attr/apparmor/current r,
   @{PROC}/@{pid}/cmdline r,
   @{PROC}/@{pid}/environ r,
+  @{PROC}/@{pid}/mounts r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,
   owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 8e2c7c67..f4db9309 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
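Review bot: `@{user_pkg_dirs}/** r,` replaces the old `owner @{user_pkg_dirs}/** r,`, so dpkg-split may now read package files in those directories whoever owns them, while the neighbouring `owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,` keeps its owner check. If the motivation is that dpkg-split is commonly run as root and `owner` then never matches a user-owned .deb, a comment would make the asymmetry deliberate, e.g. `# no owner: usually run as root on user-owned packages`; if that is not the reason, the `owner` qualifier should stay. The enclosing profile starts outside the hunk.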
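Review bot: `/dev/ptmx rw,` added next to `/dev/tty@{int} rw,` lets the session bus open the pseudo-terminal multiplexer, which is not an obvious need for a bus daemon; if the rule was written to silence a denial on a descriptor inherited from the terminal that launched the session, it is better handled at the point where the descriptor is inherited than by granting the device here. A comment recording the triggering case (`# inherited pty master from the launching terminal`, if that is what it was) would let a later reviewer decide whether the rule is still needed. The first hunk of this file adds an `include` whose target was stripped in this rendering, so it cannot be reviewed from the page. Only the closing `}` of the profile is inside this hunk; its body starts outside.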
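Review bot: The new `@{PROC}/@{pid}/mounts r,` in dbus-system is not `owner`-scoped, so it allows reading the mount table of any process, while the same commit grants the same file as `owner @{PROC}/@{pid}/mounts r,` in dbus-session and this profile already uses `owner @{PROC}/@{pid}/fd/ r,` for self-reads a few lines below. If dbus-daemon only needs its own mount table, `owner @{PROC}/@{pid}/mounts r,` is the narrower rule; the same question applies to the added `@{PROC}/@{pid}/attr/apparmor/current r,` here and to `@{PROC}/@{pid}/mounts r,` in the snapd hunk. The pre-existing unowned `cmdline` and `environ` reads suggest this profile does inspect peer processes, so if the wide form is intentional a short comment saying so would settle it. The profile body continues outside the hunk.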
@@ -268,6 +268,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_cache_dirs}/gnome-boxes/*.png r,
   owner @{user_cache_dirs}/gnome-photos/{,**} r,
   owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
+  owner @{user_cache_dirs}/gnome-software/icons/{,**} r,
   owner @{user_cache_dirs}/libgweather/{,**} rw,
   owner @{user_cache_dirs}/media-art/{,**} r,
   owner @{user_cache_dirs}/vlc/**/*.jpg r,
diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg
index 84c7989d..85943afa 100644
--- a/apparmor.d/profiles-a-f/dmesg
+++ b/apparmor.d/profiles-a-f/dmesg
@@ -19,9 +19,14 @@ profile dmesg @{exec_path} {
   @{sh_path} rix,
   @{bin}/less rPx -> child-pager,
+  @{bin}/more rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
+
+  /usr/share/terminfo/** r,
+
+  owner @{PROC}/sys/kernel/pid_max r,
   /dev/kmsg r,
-  /usr/share/terminfo/** r,
   deny /{usr/,}local/bin/ r,
   deny @{bin}/{,*/} r,
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo
index 28c44f93..853416c3 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@@ -30,6 +30,7 @@ profile landscape-sysinfo @{exec_path} {
   @{run}/utmp rwk,
+  @{sys}/class/hwmon/ r,
   @{sys}/class/thermal/ r,
   @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 80eadfcd..3a4f535b 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
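Review bot: `owner @{PROC}/sys/kernel/pid_max r,` in the dmesg hunk only matches when dmesg runs with a root fsuid, because `/proc/sys/kernel/pid_max` is owned by root; an unprivileged user running dmesg (permitted when `kernel.dmesg_restrict` is 0) will hit a denial on exactly the path this rule was meant to allow. The sysctl is world-readable and carries no per-user data, so `owner` adds no protection here, and the unowned `/dev/kmsg r,` directly below shows the profile's normal form for such files. Dropping the qualifier, `@{PROC}/sys/kernel/pid_max r,`, fixes both. The enclosing profile starts and ends outside the hunk.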
@@ -153,14 +153,15 @@ profile snapd @{exec_path} {
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
   @{sys}/kernel/kexec_loaded r,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  @{sys}/kernel/security/apparmor/features/ r,
+  @{sys}/kernel/security/apparmor/features/{,*/} r,
   @{sys}/kernel/security/apparmor/profiles r,
   @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
-  @{PROC}/@{pids}/cgroup r,
-  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pid}/mounts r,
+  @{PROC}/@{pid}/stat r,
   @{PROC}/cgroups r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/seccomp/actions_avail r,
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 1ae0444f..e33e647f 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -1,5 +1,4 @@
 # apparmor.d - Full set of apparmor profiles
-# Extended system directories definition
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
index e029eae1..7476a167 100644
--- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
+++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
@@ -1,5 +1,4 @@
 # apparmor.d - Full set of apparmor profiles
-# Extended user XDG directories definition
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only