diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index 646f6473..1ff09fc6 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -17,6 +17,7 @@ profile ibus-memconf @{exec_path} {
 @{exec_path} mr,
 /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
 /var/lib/gdm{3,}/.config/ibus/bus/ r,
 /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index 987789f6..896777d9 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@@ -33,7 +33,7 @@ profile pipewire-media-session @{exec_path} {
 /usr/share/alsa-card-profile/{,**} r,
 /usr/share/pipewire/*.conf r,
 /usr/share/pipewire/media-session.d/{,**} r,
- /usr/share/spa-*/bluez[0-9]*/{,*} r,
+ /usr/share/spa-*/bluez@{int}/{,*} r,
 /etc/pipewire/*.conf r,
 /etc/pipewire/media-session.d/*.conf r,
@@ -48,7 +48,7 @@ profile pipewire-media-session @{exec_path} {
 owner @{user_config_dirs}/pipewire/** rw,
 owner @{user_config_dirs}/pulse/ rw,
- owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
+ owner @{run}/user/@{uid}/pipewire-@{int} rw,
 @{run}/udev/data/c116:@{int} r, # for ALSA
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index b4f6986e..93600815 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -20,8 +20,7 @@ profile pulseaudio @{exec_path} {
 include
 include
 include
- include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 96b003a1..108d1986 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -82,7 +82,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 owner /tmp/icon* rw,
 owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
- owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
+ owner @{run}/user/@{uid}/pipewire-@{int} rw,
 @{PROC}/ r,
 @{PROC}/*/ r,
diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider
index aee21cf5..f77379af 100644
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@@ -33,7 +33,7 @@ profile epiphany-search-provider @{exec_path} {
 owner @{user_share_dirs}/epiphany/{,**} rwk,
 owner /tmp/ContentRuleList@{rand6} rw,
- owner /tmp/Serialized* rw,
+ owner /tmp/Serialized* rw,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index b63e8ef7..d3eee909 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -87,7 +87,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.pam_environment r,
 owner @{run}/systemd/seats/seat@{int} r,
- owner @{run}/user/@{uid}/keyring/control rw,
+ owner @{run}/user/@{uid}/keyring/control rw,
 @{run}/cockpit/active.motd r,
 @{run}/faillock/[a-zA-z0-9]* rwk,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index ce332f5b..f3faef85 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -72,7 +72,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /usr/share/thumbnailers/{,*} r,
 /usr/share/wallpapers/{,**} r,
 /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
- /usr/share/zoneinfo/{,**} r,
 /etc/cups/client.conf r,
 /etc/machine-info r,
@@ -111,7 +110,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
 owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
- owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
+ owner @{run}/user/@{uid}/pipewire-@{int} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 @{run}/cups/cups.sock rw,
 @{run}/samba/ rw,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 0c18df5b..d1f7fb82 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -115,8 +115,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 @{etc_ro}/xdg/autostart/{,*.desktop} r,
+ /var/lib/gdm{3,}/.cache/gdm/Xauthority r,
 /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
- /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/.config/dconf/user rw,
 /var/lib/gdm{3,}/.config/gnome-session/ rw,
 /var/lib/gdm{3,}/.config/gnome-session/saved-session/ rw,
 /var/lib/gdm{3,}/.local/share/applications/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index b5ed5de7..82fd7d15 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -249,7 +249,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.cache/ w,
 /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
- /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl,
+ /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl,
 /var/lib/gdm{3,}/.cache/gstreamer-@{int}/ rw,
 /var/lib/gdm{3,}/.cache/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
 /var/lib/gdm{3,}/.cache/libgweather/ r,
diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount
index 96050780..f7c56b06 100644
--- a/apparmor.d/groups/grub/grub-mount
+++ b/apparmor.d/groups/grub/grub-mount
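Review bot: The `r` → `rw` widening on `/var/lib/gdm{3,}/.config/dconf/user` in the gnome-session-binary hunk (the gsettings hunk further down makes the same change) grants write access to the greeter's dconf database file with no `owner` qualifier and no comment recording which operation needed it. As far as I know the dconf client side only reads this file and writes are performed by the dconf writer service, so a write denial from gnome-session-binary or gsettings may have a different cause than the rule fixes; I would confirm the audit entry before keeping `w` in both profiles. If the write is genuine, `owner /var/lib/gdm{3,}/.config/dconf/user rw,` limits it to the gdm user's own file, and a short comment such as `# greeter session updates its own dconf db` on the line records the reason. The gnome-session-binary profile body starts and continues outside this hunk.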
@@ -15,7 +15,7 @@ profile grub-mount @{exec_path} {
 capability sys_admin,
- mount fstype=fuse.grub-mount -> /var/lib/os-prober/mount/,
+ mount fstype=fuse.grub-mount -> /var/lib/os-prober/mount/,
 umount /var/lib/os-prober/mount/,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 3d2f2087..4d3a5387 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -16,7 +16,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 @{lib}/netplan/generate rix,
 @{bin}/udevadm rCx -> udevadm,
- @{bin}/systemctl rCx -> systemctl,
+ @{bin}/systemctl rCx -> systemctl,
 /usr/share/netplan/{,**} r,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index aafe57de..b5ff71af 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -105,7 +105,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
- @{PROC}/sys/kernel/ngroups_max r,
 owner @{PROC}/@{pid}/limits r,
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/systemd/systemd-user-generators-flatpak b/apparmor.d/groups/systemd/systemd-user-generators-flatpak
deleted file mode 100644
index 2f813858..00000000
--- a/apparmor.d/groups/systemd/systemd-user-generators-flatpak
+++ /dev/null
@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{lib}/systemd/user-environment-generators/60-flatpak
-profile systemd-generator-user-environment-flatpak @{exec_path} {
- include
-
- @{exec_path} mr,
-
- include if exists
-}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index bd51c608..ed104af7 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -92,7 +92,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 owner /tmp/@{name}/* rwk,
 owner /tmp/Temp-@{uuid}/ rw,
 owner "/tmp/Tor Project*/" rw,
- owner "/tmp/Tor Project*/**" rwk,
+ owner "/tmp/Tor Project*/**" rwk,
 owner "/tmp/Tor Project*" rwk,
 @{run}/mount/utab r,
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings
index 12b91dfd..ba2b0ec7 100644
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@@ -18,7 +18,7 @@ profile gsettings @{exec_path} {
 /usr/share/dconf/profile/gdm r,
 /usr/share/gdm/greeter-dconf-defaults r,
- /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/.config/dconf/user rw,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index 50fae276..7aa742be 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@@ -35,8 +35,8 @@ profile ip @{exec_path} flags=(attach_disconnected) {
 /etc/iproute2/{,**} r,
 /etc/netns/*/ r,
- owner @{run}/netns/ rw,
 @{run}/netns/* rw,
+ owner @{run}/netns/ rw,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/net/dev_mcast r,
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs
index 6cedbb29..12e93f6d 100644
--- a/apparmor.d/profiles-m-r/mount-nfs
+++ b/apparmor.d/profiles-m-r/mount-nfs
@@ -60,7 +60,6 @@ profile mount-nfs @{exec_path} flags=(complain) {
 owner @{run}/mount/utab{,.*} rw,
 owner @{run}/rpc.statd.lock wk,
- @{PROC}/filesystems r,
 owner @{PROC}/@{pid}/mountinfo r,
 include if exists
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index e3d29613..c176a3b6 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -7,9 +7,6 @@ abi ,
 include
-@{FIREFOX_BIN} = @{lib}/firefox{,-esr}/firefox
-@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
-
 @{exec_path} = @{bin}/qbittorrent
 profile qbittorrent @{exec_path} {
 include
@@ -20,25 +17,17 @@ profile qbittorrent @{exec_path} {
 include
 include
 include
- include
- include
+ include
 include
- include
- include
- include
+ include
 include
- include
 include
- include
 include
 include
 include
 include
 include
- include
 include
 include
 include
- include
- include
 signal send set=(term, kill) peer=qbittorrent//python3,
@@ -82,21 +71,19 @@ profile qbittorrent @{exec_path} {
 @{bin}/python3.@{int} rCx -> python, # For "search engine"
 # Allowed apps to open
- @{bin}/spacefm rPx,
- @{bin}/smplayer rPx,
- @{bin}/vlc rPx,
- @{bin}/mpv rPx,
- @{bin}/geany rPx,
- @{bin}/viewnior rPUx,
- @{bin}/qpdfview rPx,
 @{bin}/ebook-viewer rPx,
+ @{bin}/geany rPx,
+ @{bin}/mpv rPx,
 @{bin}/nautilus rPx,
- @{FIREFOX_BIN} rPx,
+ @{bin}/qpdfview rPx,
+ @{bin}/smplayer rPx,
+ @{bin}/spacefm rPx,
+ @{bin}/viewnior rPUx,
+ @{bin}/vlc rPx,
+ @{browsers_path} rPx,
 /usr/share/GeoIP/GeoIP.dat r,
 /usr/share/gvfs/remote-volume-monitors/{,*} r,
- /usr/share/hwdata/*.ids r,
- /usr/share/qt5ct/** r,
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/#@{int} rw,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 396bfb7f..62d2c843 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -127,7 +127,7 @@ profile snapd @{exec_path} {
 /tmp/read-file[0-9]*/{,**} rw,
 /boot/ r,
- /boot/grub/grubenv r,
+ /boot/grub/grubenv r,
 / r,
 /home/ r,
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 37bc28e8..bfe5e5c2 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -40,6 +40,7 @@ profile spice-vdagent @{exec_path} {
 /etc/pipewire/client.conf r,
+ /var/lib/gdm{3,}/.config/user-dirs.dirs r,
 /var/lib/nscd/passwd r,
 owner @{user_config_dirs}/user-dirs.dirs r,
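Review bot: `@{browsers_path} rPx,` in the third qbittorrent hunk replaces the removed `@{FIREFOX_BIN} rPx,` with a variable whose definition is not part of this diff; if `@{browsers_path}` is not declared by a tunable this profile includes, the profile fails to parse, and because `Px` denies the exec when no profile exists for the target, every path the variable expands to needs its own profile, where the old rule only ever named firefox. That fail-closed behaviour is the right default, but a reader of this rule cannot see either dependency, so a comment on the line naming the tunable that defines `@{browsers_path}` would make it explicit. The same hunk also drops `/usr/share/hwdata/*.ids r,` and `/usr/share/qt5ct/** r,` while the second hunk swaps several `include` lines whose targets are not visible here, so I cannot confirm from the diff that those reads are now covered by an abstraction; the commit message should say which one. The qbittorrent profile body continues outside these hunks.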
diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates
index cb87a0e8..a26ad0ce 100644
--- a/apparmor.d/profiles-s-z/update-ca-certificates
+++ b/apparmor.d/profiles-s-z/update-ca-certificates
@@ -36,9 +36,9 @@ profile update-ca-certificates @{exec_path} {
 @{bin}/wc rix,
 @{lib}/ca-certificates/update.d/ r,
- @{lib}/ca-certificates/update.d/* rix,
+ @{lib}/ca-certificates/update.d/* rix,
 /etc/ca-certificates/update.d/ r,
- /etc/ca-certificates/update.d/* rix,
+ /etc/ca-certificates/update.d/* rix,
 /usr/share/p11-kit/modules/{,*} r,
@@ -56,8 +56,6 @@ profile update-ca-certificates @{exec_path} {
 /tmp/ r,
 owner /tmp/ca-certificates{,.crt}.tmp.* rw,
- @{PROC}/filesystems r,
- /dev/tty rw,
 include if exists
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index 1d7e33ca..85c11563 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -38,7 +38,7 @@ profile wireplumber @{exec_path} {
 /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
 /usr/share/alsa-card-profile/{,**} r,
- /usr/share/spa-*/bluez[0-9]*/{,*} r,
+ /usr/share/spa-*/bluez@{int}/{,*} r,
 /usr/share/wireplumber/{,**} r,
 /etc/machine-id r,