diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index 60a75b3c..ae17fc67 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -90,6 +90,7 @@
 /usr/share/chromium/extensions/{,**} r,
 /usr/share/egl/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/libdrm/*.ids r,
 /usr/share/mozilla/extensions/{,**} r,
 /usr/share/webext/{,**} r,
diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read
index 171e4f80..0127ef4c 100644
--- a/apparmor.d/abstractions/thumbnails-cache-read
+++ b/apparmor.d/abstractions/thumbnails-cache-read
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+ # Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,7 +10,7 @@
 owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
 owner @{user_cache_dirs}/thumbnails/ r,
- owner @{user_cache_dirs}/thumbnails/{large,normal}/ r,
- owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png r,
+ owner @{user_cache_dirs}/thumbnails/{*large,normal}/ r,
+ owner @{user_cache_dirs}/thumbnails/{*large,normal}/[a-f0-9]*.png r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 42d15afb..c37666ce 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -40,16 +40,15 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/ r,
 @{libexec}/* rPUx,
- /{usr/,}lib/ibus/ibus-* rPx,
 /{usr/,}bin/[a-z0-9]* rPUx,
- /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
- # Xubuntu
- /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
 /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
-
- /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
- /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
+ /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
+ /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
+ /{usr/,}lib/ibus/ibus-* rPx,
+ /{usr/,}lib/telepathy/mission-control-5 rPx,
 /usr/share/gnome-documents/org.gnome.Documents rPx,
+ /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
+ /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
 /etc/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager
index bf841cc8..e7f532e0 100644
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@@ -32,7 +32,9 @@ profile child-pager {
 owner @{HOME}/ r,
 owner @{HOME}/.lesshs* rw,
+ owner @{HOME}/.terminfo/[0-9]*/* r,
 owner @{user_cache_dirs}/lesshs* rw,
+ owner @{user_state_dirs}/ r,
 owner @{user_state_dirs}/lesshs* rw,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index e3bf93a6..569a99e5 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -61,7 +61,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
- @{run}/udev/data/c236:[0-9]* r,
+ @{run}/udev/data/c23[0-9]:[0-9]* r,
 @{run}/udev/data/c50[0-9]:[0-9]* r,
 @{run}/udev/data/c81:[0-9]* r, # For video4linux
diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings
index 1ee88592..0c9212bb 100644
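Review bot: The replacement rule `@{run}/udev/data/c23[0-9]:[0-9]* r,` in the pipewire hunk widens one character major (236) to the whole 230–239 range, and the same substitution appears in the gnome-control-center, tracker-extract and fprintd hunks of this commit. The hunk gives no hint which device class the extra majors stand for; presumably the number is assigned dynamically and differs between hosts, which is a fair reason for a glob, but it should be written down the way the line two below documents itself (`# For video4linux`). A trailing comment such as `# dynamically assigned char major (varies per host)` on the first of these lines would save the next reviewer the same question. The pipewire profile block begins and ends outside the hunk.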
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@@ -33,14 +33,15 @@ profile xdg-settings @{exec_path} {
 /{usr/,}bin/xdg-mime rPx,
 /{usr/,}bin/xprop rPx,
+ /usr/share/applications/{,*} r,
 /usr/share/terminfo/x/xterm-256color r,
- /usr/share/applications/ r,
 /usr/share/ubuntu/applications/ r,
 /etc/xdg/xfce4/helpers.rc r,
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
+ /var/lib/flatpak/exports/share/applications/{,*} r,
 /var/lib/snapd/desktop/applications/{,*} r,
 owner @{HOME}/ r,
diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost
index b2df7653..6b4e5f3a 100644
--- a/apparmor.d/groups/freedesktop/xhost
+++ b/apparmor.d/groups/freedesktop/xhost
@@ -24,5 +24,8 @@ profile xhost @{exec_path} {
 /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
+ # Silencer
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 066d8a7c..46b78a42 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -16,6 +16,7 @@ profile xrdb @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix,
+ /{usr/,}bin/cpp rix,
 /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
 /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
@@ -27,7 +28,6 @@ profile xrdb @{exec_path} {
 owner @{HOME}/.Xresources r,
 owner @{user_config_dirs}/.Xresources r,
 owner @{user_config_dirs}/Xresources/.Xresources r,
- # If the .Xresources file includes some additional files
 owner @{user_config_dirs}/Xresources/* r,
 owner /tmp/xauth-[0-9]*-_[0-9] r,
@@ -37,6 +37,8 @@ profile xrdb @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index 6f7ce5e5..25ee9180 100644
--- a/apparmor.d/groups/gnome/gnome-characters
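Review bot: In the last xrdb hunk the added `/dev/tty rw,` omits the `owner` qualifier that the neighbouring `owner /dev/tty[0-9]* rw,` line carries, so the two terminal rules in the same stanza now follow different conventions. Unless there is a known case where xrdb's controlling terminal is owned by another user, `owner /dev/tty rw,` keeps the stanza consistent and the grant no wider than the existing one. The xrdb profile block begins before this hunk.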
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -10,9 +10,13 @@ include
 profile gnome-characters @{exec_path} {
 include
 include
+ include
+ include
 include
- include
- include
+ include
+ include
+ include
+ include
 @{exec_path} mr,
@@ -22,6 +26,7 @@ profile gnome-characters @{exec_path} {
 /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
 /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
+ /usr/share/libdrm/*.ids r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider
index 4721145f..6e99f16c 100644
--- a/apparmor.d/groups/gnome/gnome-contacts-search-provider
+++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider
@@ -20,6 +20,8 @@ profile gnome-contacts-search-provider @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/mime/mime.cache r,
+ /var/lib/flatpak/exports/share/mime/mime.cache r,
+ owner @{user_share_dirs}/mime/mime.cache r,
 owner @{user_share_dirs}/folks/relationships.ini r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 7a586d8b..d4fd8857 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -153,8 +153,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+pci* r,
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
- @{run}/udev/data/c235:[0-9]* r,
- @{run}/udev/data/c236:[0-9]* r,
+ @{run}/udev/data/c23[0-9]:[0-9]* r,
 @{run}/udev/data/c50[0-9]:[0-9]* r,
 @{run}/udev/data/c51[0-9]:[0-9]* r,
 @{run}/udev/data/n[0-9]* r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index cbf0cb9b..ff55a217 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -166,6 +166,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/parcellite rPUx,
 /{usr/,}bin/pkcs11-register rPx,
 /{usr/,}bin/snap rPUx,
+ /{usr/,}bin/snapshot-detect rPUx,
 /{usr/,}bin/spice-vdagent rPx,
 /{usr/,}bin/start-pulseaudio-x11 rPx,
 /{usr/,}bin/ubuntu-report rPx,
@@ -176,6 +177,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
 /{usr/,}lib/caribou/caribou rPUx,
 /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
+ /{usr/,}lib/xapps/sn-watcher/* rPUx,
 /{usr/,}share/libpam-kwallet-common/pam_kwallet_init rPUx,
 @{libexec}/deja-dup/deja-dup-monitor rPUx,
 @{libexec}/evolution-data-server/evolution-alarm-notify rPx,
@@ -209,8 +211,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.local/share/session_migration-* r,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
- /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
 /var/lib/flatpak/exports/share/applications/{,**} r,
+ /var/lib/flatpak/exports/share/mime/mime.cache r,
+ /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
 owner /tmp/dirs-?????? rw,
@@ -224,6 +227,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/user-dirs.locale r,
 owner @{user_share_dirs}/applications/ r,
 owner @{user_share_dirs}/applications/defaults.list r,
+ owner @{user_share_dirs}/applications/mimeapps.list r,
 owner @{user_share_dirs}/applications/mimeinfo.cache r,
 owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
 owner @{user_share_dirs}/mime/mime.cache r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index a192436c..21263d15 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
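Review bot: In the second gnome-session-binary hunk, `/{usr/,}lib/xapps/sn-watcher/* rPUx,` is a wildcard exec rule with an unconfined fallback, whereas the multiarch variant three lines above names the binary explicitly (`.../xapps/sn-watcher/xapp-sn-watcher rPUx,`). A wildcard exec-to-unconfined covers anything that ends up in that directory, not just the watcher; mirroring the existing line as `/{usr/,}lib/xapps/sn-watcher/xapp-sn-watcher rPUx,` keeps the grant to the one program the context lines document. If several helpers genuinely live there, a comment naming them would justify the glob. The profile block begins and ends outside the hunk.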
@@ -43,6 +43,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/firejail rPUx,
+ /{usr/,}bin/bwrap rPUx,
 /{usr/,}lib/gio-launch-desktop rPx -> child-open,
 /usr/share/*ubuntu/applications/{,**} r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index c8b9e090..c1a6cc53 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -86,6 +86,7 @@ profile tracker-extract @{exec_path} {
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
 /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
+ /var/lib/flatpak/exports/share/mime/mime.cache r,
 /var/lib/snapd/desktop/applications/*.desktop r,
 # Allow to search user files
@@ -101,8 +102,7 @@ profile tracker-extract @{exec_path} {
 @{run}/blkid/blkid.tab r,
- @{run}/udev/data/c235:* r,
- @{run}/udev/data/c236:* r,
+ @{run}/udev/data/c23[0-9]:[0-9]* r,
 @{run}/udev/data/c50[0-9]:[0-9]* r,
 @{run}/udev/data/c51[0-9]:[0-9]* r,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index 5195c203..f8f1ed2b 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -33,6 +33,9 @@ profile gpg @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+ owner @{HOME}/.var/app/**/gnupg*/** rw,
+ owner @{HOME}/.var/app/**/gnupg*/** rwkl -> @{HOME}/.var/app/**/gnupg*/**,
+
 owner @{user_projects_dirs}/**/gnupg/ rw,
 owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf
index ab5f2ef8..404794d9 100644
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
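Review bot: In the gpg hunk the first added line `owner @{HOME}/.var/app/**/gnupg*/** rw,` is entirely subsumed by the `rwkl` rule directly beneath it, and unlike the two existing pairs in the same hunk (`@{XDG_GPG_DIR}/ rw` + `/** rwkl`, `gnupg/ rw` + `gnupg/** rwkl`) the directory itself gets no rule, so this reads like a typo for `owner @{HOME}/.var/app/**/gnupg*/ rw,`. Separately, `gnupg*` admits any entry whose name starts with gnupg, while the sibling rules spell the directory as exactly `gnupg`; if only the suffixed flatpak variants are meant, listing them in braces would keep the keyring grant as tight as the rest of the stanza. The gpg profile block begins and ends outside the hunk.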
@@ -26,6 +26,7 @@ profile gpgconf @{exec_path} {
 /{usr/,}bin/pinentry-* rPx,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+ owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**,
 owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
 owner @{PROC}/@{pid}/task/@{tid}/stat rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse
index e03ce349..45b73416 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@@ -55,6 +55,8 @@ profile gvfsd-smb-browse @{exec_path} {
 /etc/samba/smb.conf r,
+ /var/cache/samba/ rw, + owner @{run}/samba/ rw,
 owner @{run}/samba/gencache.tdb rwk,
 owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index ce1ce0db..7595cb1f 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -33,9 +33,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/coredump.conf r,
- /var/lib/systemd/coredump/ r,
- owner /var/lib/systemd/coredump/#[0-9]* rwl,
- owner /var/lib/systemd/coredump/core.*.zst rwl,
+ /var/lib/systemd/coredump/{,**} rwl,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep
index f32b0a90..80da50b7 100644
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@@ -21,8 +21,9 @@ profile systemd-sleep @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/nvidia-sleep.sh rix,
- /{usr/,}lib/systemd/system-sleep/nvidia rix,
 /{usr/,}lib/systemd/system-sleep/hdparm rix,
+ /{usr/,}lib/systemd/system-sleep/nvidia rix,
+ /{usr/,}lib/systemd/system-sleep/sysstat.sleep rPUx,
 /{usr/,}lib/systemd/system-sleep/unattended-upgrades rix,
 /etc/systemd/sleep.conf r,
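Review bot: The systemd-coredump replacement `/var/lib/systemd/coredump/{,**} rwl,` drops the `owner` qualifier that both removed write rules carried and extends write-plus-link from the `#[0-9]*` temp files and `core.*.zst` to every path at any depth under the directory. If the motivation is core files with other compression suffixes, that is covered without the widening by keeping `/var/lib/systemd/coredump/ r,` and `owner /var/lib/systemd/coredump/#[0-9]* rwl,` and relaxing only the third rule to `owner /var/lib/systemd/coredump/core.* rwl,` — the hunk itself states no reason, so that is an inference. A one-line comment above the rule saying why unrestricted names and the missing ownership check are needed would otherwise be the minimum. The profile block begins and ends outside the hunk.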
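Review bot: In the gvfsd-smb-browse hunk the new `/var/cache/samba/ rw,` is the only rule in the stanza without the `owner` qualifier, and because the path names the directory itself, `w` here permits creating or removing that directory rather than writing cache files inside it. If the daemon actually writes a cache there, a file rule such as `owner /var/cache/samba/*.tdb rwk,` is what is missing; if it merely tries to create the directory, a comment such as `# tries to mkdir its cache dir` would stop the next reader from widening it further. Which of the two applies is not visible from the hunk, and the profile block begins and ends outside it.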
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index de728ccf..09e19c81 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -206,7 +206,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{sys}/kernel/mm/hugepages/{,**} r,
 @{sys}/kernel/security/apparmor/profiles r,
- @{sys}/module/kvm_intel/parameters/nested r,
+ @{sys}/module/kvm_*/parameters/* r,
 @{sys}/module/vhost/parameters/max_mem_regions r,
 @{sys}/fs/cgroup/ r,
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify
index 5ff00d20..be8b6cb5 100644
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@@ -28,6 +28,8 @@ profile aa-notify @{exec_path} {
 /usr/share/terminfo/d/dumb r,
 /var/log/audit/audit.log r,
+ owner @{HOME}/.terminfo/[0-9]*/dumb r, + owner /tmp/[a-z0-9]* rw,
 owner /tmp/apparmor-bugreport-*.txt rw,
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd
index 5c2975c7..7f649e24 100644
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -41,7 +41,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/journal/socket rw,
 @{run}/systemd/inhibit/*.ref w,
- @{run}/udev/data/c239:[0-9]* r,
+ @{run}/udev/data/c23[0-9]:[0-9]* r,
 @{sys}/class/hidraw/ r,
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index 12b660b6..24df2cc8 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -94,9 +94,10 @@ profile htop @{exec_path} {
 @{sys}/devices/*/name r,
 @{sys}/devices/i2c-[0-9]*/name r,
 @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
+ @{sys}/devices/platform/*/i2c-[0-9]*/name r,
 @{sys}/devices/system/cpu/cpu[0-9]*/online r,
- @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_{cur,min,max}_freq r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r,
 @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
 @{sys}/kernel/mm/hugepages/ r,
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index caf3238c..1cc19239 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -12,6 +12,7 @@ include
 profile kmod @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 capability dac_override,
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index e64ccd29..f6edbade 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -72,5 +72,8 @@ profile pkexec @{exec_path} flags=(complain) {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
+ # Silencer
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index 3ec18665..76652df4 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -45,16 +45,19 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 /var/lib/power-profiles-daemon/{,**} rw,
 @{sys}/bus/ r,
+ @{sys}/bus/platform/devices/ r,
 @{sys}/class/ r,
 @{sys}/class/power_supply/ r,
 @{sys}/devices/**/power_supply/*/scope r,
 @{sys}/devices/**/power_supply/*/uevent r,
 @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
 @{sys}/devices/system/cpu/*_pstate/status r,
+ @{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw,
 @{sys}/devices/system/cpu/cpufreq/ r,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw,
- @{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw,
+ @{sys}/firmware/acpi/platform_profile* r,
+ @{sys}/firmware/acpi/pm_profile* r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index e0654836..5a5859bc 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -20,7 +20,7 @@ profile run-parts @{exec_path} {
 # Crontrab
 /etc/cron.{hourly,daily,weekly,monthly}/ r,
- /etc/cron.{hourly,daily,weekly,monthly}/0anacron rPx,
+ /etc/cron.{hourly,daily,weekly,monthly}/0anacron rPUx,
 /etc/cron.{hourly,daily,weekly,monthly}/apport rPx,
 /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx,
 /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx,
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index af1531bb..f63cf5dd 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -49,6 +49,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
 @{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,
+ @{PROC}/sys/net/ipv[4,6]/conf/wlo*/drop_* rw,
 @{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw,
 /dev/rfkill rw,
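Review bot: In the run-parts hunk, changing `0anacron` from `rPx` to `rPUx` lets a root cron hook run unconfined whenever no matching profile is loaded, while every sibling script in the same list (`apport`, `apt-compat`, `apt-listbugs`, …) keeps the strict `rPx`; the hunk does not say why this one entry is treated differently. A comment on the line, e.g. `# Falls back to unconfined when no profile for 0anacron is loaded`, records the decision so it is revisited once a profile exists rather than silently kept. The run-parts profile block begins and ends outside the hunk.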
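Review bot: The new wpa-supplicant rule `@{PROC}/sys/net/ipv[4,6]/conf/wlo*/drop_* rw,` copies `[4,6]` from the lines around it, but square brackets are a character class, so this matches a literal comma as well as 4 and 6; the alternation the path needs is `{4,6}`. The copy is harmless in practice, yet the new line is the place to stop propagating the pattern: `@{PROC}/sys/net/ipv{4,6}/conf/wlo*/drop_* rw,` (the two existing lines could be corrected the same way in a follow-up). The profile block begins and ends outside the hunk.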