diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app index ad24eac1..ff37cf71 100644 --- a/apparmor.d/abstractions/bwrap-app +++ b/apparmor.d/abstractions/bwrap-app @@ -4,20 +4,25 @@ # Common rules for applications sandboxed using bwrap. +# This abstraction is wide on purpose. It is meant to be used by sandbox +# applications (bwrap) that have no way to restrict access depending of the +# application beeing confined. + include include include include include + include include include include include include - include include include include + include include include include 
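Review bot: The new header comment has two wording slips that every reader of this abstraction will copy: `depending of the application beeing confined` should read `depending on the application being confined`. Since this comment is the only place where the deliberately broad scope is justified, it is also worth naming in the same sentence which rule families it covers (the blanket `@{sys}` and cgroup reads later in the file), so a later tightening pass knows what was intentional and what was accidental. The abstraction body continues past this hunk.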
@@ -59,37 +64,28 @@ owner @{run}/user/@{uid}/orcexec.@{rand6} rwm, @{sys}/ r, + @{sys}/block/ r, @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/{class,numa_node,local_cpus,irq,carrier} r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/config r, - @{sys}/devices/@{pci}/net/{,**} r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/power_supply/** r, - @{sys}/devices/**/uevent r, - @{sys}/devices/system/** r, - @{sys}/devices/system/cpu/** r, - @{sys}/devices/virtual/dmi/id/{,**} r, - @{sys}/devices/virtual/net/{,**} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/memory.* r, + @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/** r, + + @{sys}/fs/cgroup/user.slice/* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/* r, @{PROC}/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/task/@{tid}/stat r, + @{PROC}/bus/pci/devices r, @{PROC}/driver/** r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/osrelease r, @@ -100,6 +96,7 @@ owner @{PROC}/@{pid}/comm rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/@{int} rw, + owner @{PROC}/@{pid}/io r, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/statm r, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 79ba7491..9ab3e8ab 100644 --- a/apparmor.d/groups/apt/apt 
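Review bot: `@{sys}/devices/** r` replaces a dozen enumerated sysfs paths with one blanket read of the whole device tree, which includes hardware identifiers under `@{sys}/devices/virtual/dmi/id/` and every device `uevent` file; that fits the stated purpose of this abstraction, but nothing next to the rule says so. A short rule comment, e.g. `@{sys}/devices/** r, # whole device tree on purpose, see header`, stops the next audit from reading it as an accident and makes it obvious that any profile including this abstraction inherits that exposure. The `@{PROC}/bus/pci/devices r` addition further down is in the same spirit and could share the comment.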
+++ b/apparmor.d/groups/apt/apt @@ -142,6 +142,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile editor flags=(complain) { include + include include @{bin}/{,ba,da}sh rix, @@ -156,8 +157,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.viminfo{,.tmp} rw, owner @{HOME}/.selected_editor r, - owner @{HOME}/.fzf/plugin/ r, - owner @{HOME}/.fzf/plugin/fzf.vim r, } diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 707c9651..76969fca 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -41,7 +41,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{bin}/ r, - @{bin}/[a-z0-9]* rPUx, + @{bin}/* rPUx, @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rix, # See #74, #80 & #235 @{lib}/@{multiarch}/tumbler-1/tumblerd rPUx, @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index b8f65974..5fbc6fae 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -35,6 +35,7 @@ profile crontab @{exec_path} { profile editor { include include + include capability fsetid, @@ -49,9 +50,6 @@ profile crontab @{exec_path} { /etc/vim/{,**} r, owner @{HOME}/.viminfo{,.tmp} rw, - owner @{HOME}/.fzf/plugin/ r, - owner @{HOME}/.fzf/plugin/fzf.vim r, - /tmp/ r, owner /tmp/crontab.*/crontab rw, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index b2965b52..45d0aa0a 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -10,6 +10,8 @@ include profile iio-sensor-proxy @{exec_path} { include + capability net_admin, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 3a42071d..3ac86c48 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop 
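Review bot: `@{bin}/* rPUx` widens the dbus-daemon exec rule from lowercase/digit-initial names to every entry of `@{bin}`, including dotfiles, uppercase and underscore-initial names, and the `U` still means anything without a profile runs unconfined. If the aim was only to catch binaries with uppercase names, a narrower class such as `@{bin}/[a-zA-Z0-9]* rPUx,` keeps the fall-back-to-unconfined surface where it was. The same widening is made in gjs-console further down in this commit (`@{bin}/* rPUx`), where it sits next to an already unrestricted `@{lib}/** rPUx`, so the same question applies there.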
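Review bot: `capability net_admin` is a broad grant for a sensor daemon (it covers interface and routing configuration, not just socket setup), and the hunk gives no hint of what triggered it. If it came from an audit entry logged while the `network netlink raw` socket was being set up, it is worth checking from that entry whether the daemon actually fails without the capability; if it does not, `deny capability net_admin,` silences the log without granting it, and if it does, a trailing comment such as `capability net_admin, # needed for <reason>` records why so the grant survives the next review.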
+++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -8,20 +8,17 @@ abi , include @{exec_path} = @{bin}/gio -@{exec_path} += @{bin}/gio-launch-desktop +@{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop @{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include include - include - include @{exec_path} mr, owner @{HOME}/{,**} rw, - owner /tmp/wl-copy-buffer-*/{,**} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index b5be0388..cb836f40 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -2,9 +2,10 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# TODO: GNOME JavaScript interpreter. It's used to run extensions. Therefore, -# by default, some extension are confined under this profile. The resulting profile -# is quite broard. The architecture of this needs to be rethinked. +# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app +# as well as third party extensions. Therefore, by default, some extension are +# confined under this profile. The resulting profile is quite broad. +# This architecture needs to be rethinked. abi , @@ -19,15 +20,12 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include include include include include include - include network netlink raw, 
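Review bot: The rewritten TODO in gjs-console keeps the grammar slips of the old one: `some gnome internal app` should be `some GNOME internal apps`, `some extension are` should be `some extensions are`, and `needs to be rethinked` should be `needs to be rethought`. This comment is what justifies the broad `rPUx` rules later in the profile, so it is worth keeping readable.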
@@ -72,9 +70,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { peer=(name=:*, label=gnome-shell), @{exec_path} mr, - @{bin}/ r, - @{bin}/[a-z0-9]* rPUx, - @{lib}/** rPUx, + + @{bin}/ r, + @{bin}/* rPUx, + @{lib}/** rPUx, /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, @@ -86,7 +85,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-shell/{,**} r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/X11/xkb/** r, /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, @@ -101,8 +99,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 7c1a8fb1..c49e438f 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -66,8 +66,6 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.local/ w, owner @{user_share_dirs}/ w, - owner @{HOME}/.xsession-errors w, - owner @{run}/user/@{uid}/keyring/ rw, owner @{run}/user/@{uid}/keyring/* rw, owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 71aeffdb..5fc8cf02 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -35,7 +35,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -43,8 +42,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include @@ -57,8 +55,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include - include - include capability sys_nice, capability sys_ptrace, @@ -68,6 +64,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, network netlink raw, + network unix stream, ptrace (read), @@ -336,12 +333,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int} rw, owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, - owner /tmp/.X[0-9]-lock rw, owner /tmp/[0-9A-Z]*.shell-extension.zip rw, owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 7cee1b52..80705fc6 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -41,12 +41,12 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_share_dirs}/applications/ rw, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, - @{run}/mount/utab r, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index da865f75..b3e206a1 100644 
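Review bot: `/tmp/.X@{int}-lock rw` drops the `owner` qualifier that the replaced `owner /tmp/.X[0-9]-lock rw` had, so gnome-shell may now write to or remove X lock files created by other users, for instance the greeter's display when a user session runs alongside it. Unless an audit entry shows a non-owned lock file being touched, `owner /tmp/.X@{int}-lock rw,` keeps the widening of the display number without the cross-user write. If the `owner` removal was deliberate, a rule comment saying which lock file needed it would keep it from being reverted later.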
--- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -21,11 +21,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -91,10 +88,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/icons/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/sounds/freedesktop/stereo/*.oga r, - /usr/share/X11/xkb/** r, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, @@ -105,12 +99,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/pulse/ rw, - owner @{user_share_dirs}/ r, owner @{user_share_dirs}/event-sound-cache.tdb.* rwk, owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 7a5d752a..225fe92e 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -35,7 +35,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { @{lib}/gsd-printer rPx, /etc/cups/client.conf r, - /etc/machine-id r, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 7659da3e..3c14484e 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound 
@@ -30,8 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/machine-id r, - /var/lib/gdm{3,}/.local/share/sounds/ rw, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index ff3a4e8d..6e326407 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -16,10 +16,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -38,16 +36,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/libwacom/{,*} r, - /usr/share/X11/xkb/** r, - - /etc/machine-id r, - - # freedesktop.org-strict - /usr/share/icons/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/mime/mime.cache r, - - owner @{run}/user/@{uid}/gdm/Xauthority r, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index d4dfda9a..33e150d2 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -22,11 +22,9 @@ profile gsd-xsettings @{exec_path} { include include include - include - include + include include include - include network inet stream, network inet6 stream, @@ -68,7 +66,6 @@ profile gsd-xsettings @{exec_path} { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/libdrm/*.ids r, /etc/X11/Xsession.options r, 
@@ -81,10 +78,8 @@ profile gsd-xsettings @{exec_path} { owner @{user_cache_dirs}/mesa_shader_cache/index rw, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - owner @{run}/user/@{uid}/gdm/Xauthority r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index 7d351c5f..9256d197 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -13,14 +13,11 @@ profile kgx @{exec_path} { include include include - include - include - include + include include include include include - include capability sys_ptrace, @@ -40,8 +37,6 @@ profile kgx @{exec_path} { @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, @{lib}/gio-launch-desktop rPx -> child-open, - /usr/share/themes/{,**} r, - owner /tmp/#@{int} rw, @{PROC}/ r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index b8128b75..fcba0883 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -54,5 +54,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} { owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + /dev/media@{int} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 6d3e5f4c..262172ad 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
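Review bot: org.gnome.NautilusPreviewer still ends without a trailing newline: the `\ No newline at end of file` marker follows the closing `}` even though the hunk edits the lines just above it. Adding the newline while the file is already being touched avoids the marker reappearing in every later diff; netplan.script and pinentry-gnome3 in this same commit end the same way.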
@@ -22,6 +22,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + signal (receive) set=(term, kill) peer=gdm, signal (receive) set=(hup) peer=gdm-session-worker, @@ -60,9 +62,10 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r, /var/lib/gdm{3,}/ r, + /var/lib/gdm{3,}/.cache/gstreamer-*/registry.*.bin r, /var/lib/gdm{3,}/.cache/tracker3/{,tracker3/}files/{,**} rwk, - /var/lib/gdm{3,}/.local/share/applications/ r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm{3,}/.local/share/applications/ r, /var/lib/gdm{3,}/greeter-dconf-defaults r, /var/lib/lightdm/.config/dconf/user r, @@ -83,13 +86,18 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab r, @{run}/mount/utab r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, + @{PROC}/@{pid}/cmdline r, @{PROC}/sys/fs/fanotify/max_user_marks r, @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - # file_inherit + /dev/media@{int} rw, + /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index e72e78c1..538d71ce 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script 
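Review bot: The three new `@{run}/udev/data/c3[0-9]*:@{int} r`, `c4[0-9]*` and `c5[0-9]*` rules are far wider than the `range 384 to 511` their comment states: because `*` matches any run of characters, `c3[0-9]*` also matches majors 30–39 and 300–383, `c4[0-9]*` matches 40–49, and `c5[0-9]*` matches 50–59 and 512–599, plus any longer number. The nvtop profile in this same commit spells the range out with bracket expressions; reusing them here makes the rules match the comment. Separately, `/dev/media@{int} rw` and `/dev/video@{int} rw` give an indexer write access to capture devices; if the scan only probes them, `r` may be enough, which the audit log would confirm.
```apparmor
  @{run}/udev/data/c38[4-9]:@{int} r, # For dynamic assignment range 384 to 511
  @{run}/udev/data/c39[0-9]:@{int} r,
  @{run}/udev/data/c4[0-9][0-9]:@{int} r,
  @{run}/udev/data/c50[0-9]:@{int} r,
  @{run}/udev/data/c51[0-1]:@{int} r,
  # … unchanged: @{PROC} and /dev rules …
```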
@@ -7,14 +7,20 @@ abi , include @{exec_path} = /usr/share/netplan/netplan.script -profile netplan.script @{exec_path} { +profile netplan.script @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, - @{lib}exec/netplan/generate rix, + @{lib}/netplan/generate rix, /usr/share/netplan/{,**} r, + /etc/netplan/{,*} r, + + @{run}/systemd/system/ r, + @{run}/systemd/system/systemd-networkd.service.wants/ r, + @{run}/udev/rules.d/ r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 5320885c..09ff5950 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -23,7 +23,7 @@ profile ssh-keygen @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, /dev/tty@{int} rw, - /dev/ttyS[0-9]* rw, + /dev/ttyS@{int} rw, include if exists } diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 5bc5e725..f2f9fe3a 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -115,7 +115,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, /dev/tty@{int} rw, - /dev/ttyS[0-9]* rw, + /dev/ttyS@{int} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index c762acd6..927b67fb 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -137,16 +137,17 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, - @{PROC}/1/cmdline r, - @{PROC}/pressure/* r, - @{PROC}/swaps r, - @{PROC}/sysvipc/{shm,sem,msg} r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, + @{PROC}/1/cmdline r, + @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sysvipc/{shm,sem,msg} r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) diff --git a/apparmor.d/profiles-a-f/element b/apparmor.d/profiles-a-f/element index 1fac85f9..871b33fe 100644 --- a/apparmor.d/profiles-a-f/element +++ b/apparmor.d/profiles-a-f/element @@ -35,6 +35,7 @@ profile element @{exec_path} { @{exec_path} mr, + @{bin}/{,ba,da}sh r, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @{lib}/electron@{int}/electron rix, @@ -74,9 +75,11 @@ profile element @{exec_path} { @{PROC}/ r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj w, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 98b872c2..f0e4d920 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -166,6 +166,7 @@ profile git @{exec_path} { profile editor { include + include include @{bin}/sensible-editor mr, 
@@ -184,8 +185,6 @@ profile git @{exec_path} { owner @{user_projects_dirs}/**/.git/[0-9]* rw, owner @{user_projects_dirs}/**/.git/*MSG rw, - owner @{HOME}/.fzf/plugin/ r, - owner @{HOME}/.fzf/plugin/fzf.vim r, owner @{HOME}/.selected_editor r, owner @{HOME}/.viminfo{,.tmp} rw, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index e64dfd52..8122b3ad 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -50,7 +50,15 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/stat r, @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, - /dev/char/509:@{int} w, + /dev/char/c23[4-9]:@{int} w, # For dynamic assignment range 234 to 254 + /dev/char/c24[0-9]:@{int} w, + /dev/char/c25[0-4]:@{int} w, + /dev/char/c38[4-9]:@{int} w, # For dynamic assignment range 384 to 511 + /dev/char/c39[0-9]:@{int} w, + /dev/char/c4[0-9][0-9]:@{int} w, + /dev/char/c50[0-9]:@{int} w, + /dev/char/c51[0-1]:@{int} w, + /dev/dri/ r, /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 2e69c5ab..d4491ca8 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -70,6 +70,7 @@ profile pass @{exec_path} { profile editor { include include + include @{bin}/vim{,.*} mrix, @@ -79,8 +80,6 @@ profile pass @{exec_path} { /usr/share/vim/{,**} r, /tmp/ r, - owner @{HOME}/.fzf/plugin/ r, - owner @{HOME}/.fzf/plugin/fzf.vim r, owner @{HOME}/.viminf{o,z}{,.tmp} rw, owner @{user_password_store_dirs}/{,**/} r, diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index 04c77139..59e2b473 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -12,5 +12,7 @@ profile pinentry-gnome3 @{exec_path} { @{exec_path} mr, + owner @{PROC}/@{pid}/cmdline r, + include if exists } \ No newline at end of file 
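Review bot: The eight new `/dev/char/c…:@{int} w` rules in nvtop carry a `c` prefix that `/dev/char/` entries do not have: on udev-managed systems those symlinks are named `MAJOR:MINOR` (the replaced line `/dev/char/509:@{int} w` had it right), and the `c`/`b` prefix belongs to `@{run}/udev/data/`. As written none of the new rules match, so the write access the old rule granted for major 509 is silently lost rather than widened. Dropping the prefix on each line, e.g. `/dev/char/23[4-9]:@{int} w,` through `/dev/char/51[0-1]:@{int} w,`, restores the match; the ranges in the comments themselves are correct.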
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index ccee6610..5c4483ed 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -14,11 +14,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { capability sys_nice, - dbus receive bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.login1.Session - member=Unlock - peer=(name=:*, label=systemd-logind), - @{exec_path} mr, owner @{run}/spice-vdagentd/spice-vdagent-sock r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index c10ea4b3..32588283 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -95,6 +95,7 @@ profile sudo @{exec_path} { /dev/ r, # interactive login /dev/ptmx rwk, + owner /dev/tty rwk, owner /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 600bee8e..a9ee4e6f 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -39,6 +39,7 @@ profile vipw-vigr @{exec_path} { profile editor { include + include include capability fsetid, @@ -54,9 +55,6 @@ profile vipw-vigr @{exec_path} { /etc/vim/{,**} r, owner @{HOME}/.viminfo{,.tmp} rw, - owner @{HOME}/.fzf/plugin/ r, - owner @{HOME}/.fzf/plugin/fzf.vim r, - /etc/{passwd,shadow,gshadow,group}.edit rw, } diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 702403a3..44ed69ac 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -76,11 +76,6 @@ profile vlc @{exec_path} { member={Get,GetAll} peer=(name=:*), - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), - dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member={LayoutUpdated,ItemsPropertiesUpdated} 
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3ae1ef1f..8f6d6f53 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -29,13 +29,12 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain -apport complain +appimagelauncherd complain +apport attach_disconnected,complain +apt-helper complain at-spi-bus-launcher attach_disconnected,complain at-spi2-registryd attach_disconnected,complain atd complain -netplan complain -netplan.script complain -WebKitNetworkProcess attach_disconnected,complain atril-previewer complain auditctl attach_disconnected,complain auditd attach_disconnected,complain @@ -115,6 +114,7 @@ firefox-vaapitest complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-bwrap attach_disconnected,mediate_deleted,complain +flatpak-oci-authenticator complain flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain @@ -122,6 +122,7 @@ flatpak-validate-icon complain fsck-ext4 complain fuse-overlayfs complain fusermount complain +gcr-ssh-agent complain gdisk complain gdm-generate-config complain gdm-runtime-config complain @@ -242,6 +243,8 @@ multipathd complain nautilus complain needrestart attach_disconnected,complain needrestart-iucode-scan-versions complain +netplan complain +netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain @@ -274,6 +277,8 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent complain +qdbus complain +realmd complain remmina complain run-parts complain runuser complain 
@@ -314,6 +319,7 @@ swtpm_setup complain systemd-analyze complain systemd-ask-password complain systemd-backlight complain +systemd-battery-check complain systemd-binfmt attach_disconnected,complain systemd-cgls complain systemd-cgtop complain @@ -353,6 +359,7 @@ systemd-modules-load complain systemd-mount complain systemd-network-generator complain systemd-oomd attach_disconnected,complain +systemd-pcrphase complain systemd-portabled complain systemd-random-seed complain systemd-remount-fs complain @@ -386,6 +393,7 @@ update-grub complain update-secureboot-policy complain userdbctl complain utempter complain +uuidd complain virt-manager attach_disconnected,complain virtinterfaced attach_disconnected,complain virtiofsd complain,attach_disconnected @@ -395,6 +403,7 @@ virtnodedevd attach_disconnected,complain virtsecretd attach_disconnected,complain virtstoraged attach_disconnected,complain vlc complain +WebKitNetworkProcess attach_disconnected,complain wg complain wg-quick complain xdg-dbus-proxy attach_disconnected,complain @@ -403,6 +412,7 @@ xdg-desktop-portal attach_disconnected,complain xdg-desktop-portal-gnome complain xdg-desktop-portal-gtk complain xdg-desktop-portal-kde complain +xdg-desktop-portal-rewrite-launchers complain xdg-document-portal attach_disconnected,complain xdg-permission-store attach_disconnected,complain xdg-user-dirs-gtk-update complain