diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index 17c2a2b8..b53b39fe 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -16,5 +16,7 @@ profile plymouth-set-default-theme @{exec_path} { /{usr/,}bin/grep rix, /{usr/,}bin/plymouth rPx, + /etc/plymouth/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 7c0c975d..ca2b2c3a 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -12,6 +12,8 @@ profile xdg-document-portal @{exec_path} { ptrace (read) peer=xdg-desktop-portal, + unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), + @{exec_path} mr, /{usr/,}bin/flatpak rCx -> flatpak, @@ -57,6 +59,8 @@ profile xdg-document-portal @{exec_path} { capability sys_admin, capability dac_read_search, + unix (send receive) type=stream peer=(label=xdg-document-portal), + # network inet stream, # network inet6 stream, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index b4235da9..5143346a 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -12,6 +12,8 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { include unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), + unix (send,receive) type=stream addr=none peer=(label=xwayland), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index cfd45274..ab5783ba 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
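Review bot: The two `unix (send receive) type=stream peer=(label=…)` rules added to xdg-document-portal, here and in the fusermount child profile in the second hunk of that file, omit `addr=none`, so they match any local socket address rather than only an unnamed one; every other peer-label rule in this change (gvfsd-fuse adds the same parent/fusermount pair) is written `unix (send,receive) type=stream addr=none peer=(label=…)`. If the channel is the fd-passing socketpair fusermount uses to hand back the /dev/fuse descriptor (presumably, to be confirmed), both lines can take the narrower form, e.g. `unix (send,receive) type=stream addr=none peer=(label=xdg-document-portal//fusermount),`. A short comment naming the purpose of the pair would also help, since the xdg-document-portal file currently has none.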
@@ -10,7 +10,7 @@ include @{exec_path} = /{usr/,}bin/X @{exec_path} += /{usr/,}bin/Xorg @{exec_path} += /{usr/,}lib/Xorg{,.wrap} -@{exec_path} += /{usr/,}lib/xorg/Xorg +@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} profile xorg @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 7f82aaa4..066d8a7c 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -18,6 +18,7 @@ profile xrdb @{exec_path} { /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix, /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix, /{usr/,}lib/llvm-[0-9]*/bin/clang rix, + /usr/include/stdc-predef.h r, /etc/X11/Xresources/x11-common r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index dd354cf8..eae9f065 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -19,7 +19,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, - unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index 7fafce5a..dfddfb6c 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -22,9 +22,10 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/Xorg rPx, /{usr/,}bin/dbus-run-session rPx, - /etc/gdm/Xsession rPx, + /etc/gdm{3,}/Xsession rPx, + /etc/gdm{3,}/Prime/Default rix, - /etc/gdm/custom.conf r, + /etc/gdm{3,}/custom.conf r, /usr/share/gdm/gdm.schemas r, /var/lib/gdm/.cache/gdm/Xauthority rw, 
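Review bot: xkbcomp now names xwayland as a unix stream peer (`peer=(label=xwayland)` in the xkbcomp hunk of this change), but this hunk only adds the gnome-shell peer and no reciprocal `unix (send,receive) type=stream addr=none peer=(label=xkbcomp),`. Unix socket mediation checks both endpoints, so unless xwayland carries a broader unix rule outside the hunk, the xwayland side of that exchange will still be denied. gnome-shell does receive its matching xkbcomp rule in this change, so only the xwayland side appears to be missing.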
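Review bot: `/etc/gdm{3,}/Prime/Default rix,` executes a file from /etc with profile inheritance; if it is a shell script (it looks like the Ubuntu nvidia-prime session hook, to be confirmed), the interpreter it starts must also be permitted under this profile, and no `/{usr/,}bin/{,ba,da}sh rix,` or equivalent is visible in the hunk — confirm one exists elsewhere in gdm-x-session. Because the script then runs with everything gdm-x-session may do, a one-line comment naming what it is, e.g. `# nvidia-prime session hook`, would let a later reviewer judge the grant. The rest of the profile body is outside the hunk.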
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index a97fdf76..09233126 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -85,17 +85,24 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/bash rUx, - /{usr/,}bin/bwrap rPUx, - /{usr/,}bin/gcm-viewer rix, - /{usr/,}bin/locale rix, - /{usr/,}bin/openvpn rPx, - /{usr/,}bin/passwd rPx, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + + /{usr/,}bin/gcm-viewer rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/locale rix, + /{usr/,}bin/sed rix, + @{libexec}/gnome-control-center-goa-helper rPx, @{libexec}/gnome-control-center-print-renderer rPx, + /{usr/,}bin/bwrap rPUx, + /{usr/,}bin/openvpn rPx, + /{usr/,}bin/passwd rPx, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, + /usr/share/language-tools/language2locale rix, - /usr/share/backgrounds/gnome/* r, + /snap/*/[0-9]*/*.png r, + /usr/share/backgrounds/{,**} r, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-background-properties/{,**} r, @@ -106,6 +113,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/mime/{,**} r, /usr/share/pipewire/client.conf r, /usr/share/thumbnailers/{,*} r, + /usr/share/ubuntu/applications/ r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, @@ -115,6 +123,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + /var/lib/snapd/desktop/icons/ r, owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, 
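Review bot: The unconfined shell transition is widened from `/{usr/,}bin/bash rUx,` to eight shells (`/{usr/,}bin/{,b,d,rb}ash rUx,` and `/{usr/,}bin/{c,k,tc,z}sh rUx,`) with no comment on why a settings panel needs to launch a shell without a profile. `Ux` is the broadest transition in this file, so a why-comment naming the feature that needs it, e.g. `# Unconfined: runs the user's login shell for <panel> (confirm which)`, would make the grant reviewable. If only one panel starts the shell, a child profile via `rCx` would keep the grant narrower than unconfined.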
@@ -130,6 +139,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/sessions/ r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index ee7cddc9..43324261 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -32,6 +32,8 @@ profile gnome-control-center-print-renderer @{exec_path} { /var/lib/flatpak/exports/share/icons/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, + /var/lib/snapd/desktop/icons/{,**} r, + owner @{user_share_dirs}/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index fb129e7f..07a34d14 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -16,6 +16,8 @@ profile gnome-extension-ding @{exec_path} { include include + unix (send,receive) type=stream addr=none peer=(label=gnome-shell), + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={ListNames,ListActivatableNames}, 
@@ -34,15 +36,20 @@ profile gnome-extension-ding @{exec_path} { @{exec_path} mr, - /{usr/,}bin/env rix, - /{usr/,}bin/gjs-console rix, - /{usr/,}bin/nautilus rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/env rix, + /{usr/,}bin/gjs-console rix, + /{usr/,}bin/gnome-control-center rPx, + /{usr/,}bin/nautilus rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, /usr/share/thumbnailers/{,*.thumbnailer} r, + /usr/share/ubuntu/applications/{,**} r, /usr/share/X11/{,**} r, + /etc/gnome/defaults.list r, + /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 14ba09f8..0c245569 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -43,6 +43,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/keyring/ rw, owner @{run}/user/@{uid}/keyring/* rw, owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw, + @{run}/user/@{uid}/keyring/control r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 3a5e8228..01c68047 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -44,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { signal (send), unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), + unix (send,receive) type=stream addr=none peer=(label=xkbcomp), dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} interface=org.freedesktop.{DBus.Properties,login[0-9].*}, 
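Review bot: `@{run}/user/@{uid}/keyring/control r,` drops the `owner` qualifier that every neighbouring keyring rule carries, and the preceding `owner @{run}/user/@{uid}/keyring/* rw,` already grants the owner read and write on that file. As written the new line only adds anything when the control file belongs to a different uid than the daemon; if that is the intended case (for example a daemon started under gdm reading a session's file), a comment saying so would help, otherwise the line is redundant and can be dropped. How far `@{uid}` reaches depends on its tunable definition, which is outside this diff.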
@@ -118,6 +119,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx, /opt/*/**/*.png r, + /snap/*/@{uid}/*.png r, /usr/share/backgrounds/{,**} r, /usr/share/dconf/profile/gdm r, /usr/share/desktop-directories/{,*.directory} r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 47b27808..a24ecee8 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -31,9 +31,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-system-monitor/{,**} r, /usr/share/pixmaps/{,**} r, + /usr/share/ubuntu/applications/{,**} r, /etc/machine-id r, + /var/lib/snapd/desktop/icons/ r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/user/@{uid}/doc/ rw, @@ -50,10 +53,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @{PROC}/ r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/net/tcp{,6} r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 24b5d340..f3fa89e5 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -16,6 +16,7 @@ profile tracker-extract @{exec_path} { include include include + include network netlink raw, 
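Review bot: `/snap/*/@{uid}/*.png r,` uses `@{uid}` where the snap path component is a package revision number; gnome-control-center in this same change spells the equivalent rule `/snap/*/[0-9]*/*.png r,`. With `@{uid}` the rule only matches when the revision happens to equal whatever the tunable expands to, so this looks like a copy-and-paste slip and should read `/snap/*/[0-9]*/*.png r,`.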
@@ -38,15 +39,18 @@ profile tracker-extract @{exec_path} { /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/lib/snapd/desktop/applications/*.desktop r, + # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, - owner /tmp/tracker-extract-3-files.*/{,*} rw, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_share_dirs}/gvfs-metadata/** r, - + + owner /tmp/tracker-extract-3-files.*/{,*} rw, + owner @{run}/user/@{uid}/bus rw, @{run}/blkid/blkid.tab r, @@ -59,6 +63,7 @@ profile tracker-extract @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + /dev/dri/card[0-9]* rw, /dev/dri/renderD128 rw, /dev/media[0-9]* r, /dev/video[0-9]* rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index d4a8184e..eff61925 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -13,37 +13,39 @@ profile gvfsd-fuse @{exec_path} { include include + unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), + + mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, + @{exec_path} mr, /{usr/,}bin/fusermount{,3} rCx -> fusermount, - mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, - @{PROC}/sys/fs/pipe-max-size r, - profile fusermount { include include - # To mount anything: - capability sys_admin, - capability dac_read_search, + capability sys_admin, # To mount anything - /{usr/,}bin/fusermount{,3} mr, + unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, + /{usr/,}bin/fusermount{,3} mr, + /etc/fuse.conf r, /etc/machine-id r, - /dev/fuse rw, - @{PROC}/@{pid}/mounts r, + /dev/fuse rw, + } include if exists diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index fb036f2e..85c83573 100644 
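Review bot: `/dev/dri/card[0-9]* rw,` extends the indexer from the render-only node (`/dev/dri/renderD128 rw,` just below it) to the primary DRM node of every card, which is also the modesetting interface, and the hunk does not say what needs it. A why-comment naming the consumer (presumably a hardware video decoder behind GStreamer, to be confirmed against the denial that motivated it) would let a later reviewer tell whether the primary node is really required or the render node suffices. The neighbouring `renderD128` is hard-coded to one node and could use `renderD[0-9]*`, but that line is context rather than part of this change.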
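Review bot: The fusermount child profile loses `capability dac_read_search,` (only `capability sys_admin, # To mount anything` is re-added), while the `xdg-document-portal//fusermount` child in this same change keeps both capabilities. Either fusermount needs dac_read_search to check the mountpoint and the drop will surface as a denial, or it does not and the other child can be tightened the same way; the commit does not say which, so a comment on the sys_admin line or a consistent treatment of the two children would help. The new `unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse),` rule is matched by its reciprocal in the parent, which looks correct.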
--- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -30,6 +30,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, capability dac_read_search, + capability fowner, capability kill, capability net_bind_service, capability setgid, @@ -86,6 +87,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/resolvconf/resolv.conf r, @{run}/systemd/notify w, @{run}/systemd/sessions/*.ref rw, + @{run}/faillock/[a-zA-z0-9]* rwk, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index a74fc276..06d46ab6 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -10,6 +10,7 @@ include profile systemd-vconsole-setup @{exec_path} { include include + include include capability sys_ptrace, @@ -18,10 +19,11 @@ profile systemd-vconsole-setup @{exec_path} { @{exec_path} mr, - /{usr/,}bin/loadkeys rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/loadkeys rix, / r, - /usr/share/kbd/keymaps/{,**} r, /etc/vconsole.conf r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 3492a1a8..5eff6c45 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -10,6 +10,7 @@ include profile apt-esm-hook @{exec_path} { include include + include @{exec_path} mr, @@ -17,6 +18,7 @@ profile apt-esm-hook @{exec_path} { /etc/machine-id r, + /var/cache/apt/pkgcache.bin.* rw, /var/lib/ubuntu-advantage/messages/{,**} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 079a6fa4..de44a851 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk 
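Review bot: `capability fowner,` is added to sshd without a comment, and it is a broad grant: it bypasses ownership checks on chmod/chown/utime for any file the process can otherwise reach. It is plausibly paired with the new `@{run}/faillock/…` rule in the next hunk (pam_faillock tally files), but that is inferred; a one-line comment such as `# pam_faillock tally files` naming the actual trigger would make the grant reviewable and removable later.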
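Review bot: The character class in `@{run}/faillock/[a-zA-z0-9]* rwk,` ends its second range with a lower-case `z`, so `A-z` spans the whole ASCII run from `A` to `z` — it also admits `[`, `\`, `]`, `^`, `_` and the backtick, and makes `a-z` redundant. If the intent is the user name the tally file is named after, `[a-zA-Z0-9]*` is the literal fix, though user names can also contain `_`, `-` and `.`, so `@{run}/faillock/* rwk,` with a comment `# pam_faillock per-user tally files` may be the more honest pattern. The same `[a-zA-z0-9]` slip appears in the line spice-vdagent removes later in this change, so it is worth a grep across the other profiles.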
@@ -12,6 +12,7 @@ profile check-new-release-gtk @{exec_path} { include include include + include include include include @@ -39,6 +40,8 @@ profile check-new-release-gtk @{exec_path} { /etc/update-manager/{,**} r, + /var/lib/update-manager/{,**} rw, + owner @{user_cache_dirs}/update-manager-core/{,**} rw, owner @{run}/user/@{uid}/wayland-[0-9] rw, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index ec8706f8..d17f809c 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -18,9 +18,14 @@ profile list-oem-metapackages @{exec_path} { /{usr/,}bin/dpkg rPx, /{usr/,}bin/ischroot rix, + /etc/machine-id r, + + @{sys}/devices/ r, @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/filesystems r, include if exists diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index ece827ff..2b6c6da5 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -22,5 +22,7 @@ profile livepatch-notification @{exec_path} { owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw, + @{run}/user/@{uid}/gdm/Xauthority r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index d31d1730..47e1ccf4 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -43,6 +43,8 @@ profile update-motd-updates-available @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, + /tmp/ r, + owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4ce92cf6..450b1ca7 100644 
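Review bot: `@{run}/user/@{uid}/gdm/Xauthority r,` grants read of an X authentication cookie without the `owner` qualifier the two lines above it use, so it is not limited to files owned by the user running the notifier. If the cookie is always the invoking user's, which is what a per-user notifier needs, `owner @{run}/user/@{uid}/gdm/Xauthority r,` is the tighter form; how far `@{uid}` reaches depends on its tunable definition, which is outside this diff.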
--- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -10,8 +10,10 @@ include profile update-notifier @{exec_path} { include include + include include include + include include include include diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron index ed1e9635..73f0d81e 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/profiles-a-f/anacron @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/anacron profile anacron @{exec_path} { include + include @{exec_path} mr, @@ -18,7 +19,9 @@ profile anacron @{exec_path} { / r, /etc/anacrontab r, - /var/spool/anacron/cron.* rw, + /var/spool/anacron/cron.* rwk, + + /tmp/file* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index c3adcd6e..57144bb0 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -31,6 +31,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/machine-id r, + owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 9685ea69..f8115614 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -97,8 +97,9 @@ profile mkinitramfs @{exec_path} { /{usr/,}bin/ldd mr, - /{usr/,}bin/kmod mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/kmod mr, + /{usr/,}lib/initramfs-tools/bin/* mr, /{usr/,}lib/@{multiarch}/ld-*.so* rix, /{usr/,}lib{,x}32/ld-*.so rix, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index db6ff8dd..c5072be2 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga 
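Review bot: `/tmp/file* rw,` gives a root daemon read and write on any `/tmp/file*` path regardless of who created it, in a world-writable directory; the prefix matches what glibc's tempnam()/tmpnam() produce (`/tmp/fileXXXXXX`), presumably anacron's job-output spool file. Restricting it to files anacron itself created, `owner /tmp/file* rw,`, keeps the profile from accepting a file another user planted under that name, and a comment such as `# tempnam() output for job mail` would record why the odd prefix is there. The `cron.*` change to `rwk` in the same hunk looks fine.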
@@ -10,8 +10,14 @@ include profile qemu-ga @{exec_path} { include + capability mknod, + capability net_admin, + capability sys_ptrace, + @{exec_path} mr, + /{usr/,}bin/systemctl rix, + /etc/qemu/qemu-ga.conf r, owner @{run}/qga.state* rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 6f9939d0..690023d7 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -12,16 +12,15 @@ profile spice-vdagent @{exec_path} { include include include + include @{exec_path} mr, - /etc/machine-id r, /etc/pipewire/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, - @{run}/spice-vdagentd/spice-vdagent-sock rw, + @{run}/spice-vdagentd/spice-vdagent-sock rw, @{sys}/devices/pci[0-9]*/**/{device,vendor} r, diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index 89c238b5..b30fb5eb 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -11,6 +11,7 @@ include profile umount @{exec_path} flags=(complain) { include include + include include capability chown, @@ -44,8 +45,6 @@ profile umount @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mountinfo r, - @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r, - owner @{run}/mount/ rw, owner @{run}/mount/utab.lock wk, @{run}/mount/utab{,.*} rw,
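Review bot: Three capabilities (`mknod`, `net_admin`, `sys_ptrace`) are added to qemu-ga in one hunk with no comment on which guest-agent command needs each, and `sys_ptrace` alone lets the agent read the /proc state of every other process. A short why-comment per line (which `guest-*` command triggers it, to be confirmed against the denials that motivated the change) would let a later reviewer drop a capability when that command is disabled. `/{usr/,}bin/systemctl rix,` runs systemctl inside this profile, so its own D-Bus and file needs land here too; if the repository ships a `systemctl` profile, `rPx` would keep those rules separate.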