diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 8c4efc35..c47c7ca6 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -38,6 +38,7 @@ @{bin}/gnome-calculator rPUx, @{bin}/gnome-disk-image-mounter rPx, @{bin}/gnome-disks rPx, + @{bin}/gnome-software rPx, @{bin}/gwenview rPUx, @{bin}/kgx rPx, @{bin}/qbittorrent rPx, diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index e80a7e0f..a392507b 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,6 +26,8 @@ include include include + include + include include include include diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index aa1f1729..d85d04e2 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -155,13 +155,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, / r, - /boot/ r, + /*/ r, /boot/efi/ r, - /efi/ r, - /snap/ r, /snap/*/@{int}/ r, - /tmp/ r, - /usr/ r, /var/cache/*/ r, /var/lib/*/ r, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-user-prompter b/apparmor.d/groups/gnome/evolution-user-prompter index 560f2bdb..d9d2e6a5 100644 --- a/apparmor.d/groups/gnome/evolution-user-prompter +++ b/apparmor.d/groups/gnome/evolution-user-prompter @@ -10,6 +10,8 @@ include profile evolution-user-prompter @{exec_path} { include include + include + include #aa:dbus own bus=session name=org.gnome.evolution.dataserver.UserPrompter0 diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index e51ed5b8..cf1ace48 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
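Review bot: In the systemd hunk, `/*/ r,` replaces five explicitly listed top-level directories with a directory-listing right on every top-level directory, including ones such as `/home/` and `/root/` that the removed lines never covered, and nothing in the hunk says why the wildcard is needed. For PID 1 running with `attach_disconnected` this is a modest widening, but without a comment the next reviewer has no way to tell whether it can be narrowed back; suggest `# systemd enumerates arbitrary top-level directories (presumably for mount handling) — TODO confirm which` on the new line, or keeping the explicit list. The systemd profile body continues outside the hunk.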
@@ -35,9 +35,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Shell.Notifications #aa:dbus own bus=session name=org.gnome.Shell.Screencast - dbus send bus=session path=/org/gnome/Mutter/ScreenCast - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=gnome-shell), + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3083c73f..58b52870 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -62,8 +62,6 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/shm/ r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index e08ae61d..795153fb 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,7 +14,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include include include 
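Review bot: The new `#aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell` line is broader than the `dbus send ... interface=org.freedesktop.DBus.Properties` rule it replaces: as I understand the directive, it generates send and receive rules for every interface under that name, not only Properties access. The same widening appears in gnome-session-binary, where a login1 `talk` replaces a send limited to `member={CanPowerOff,PowerOff,Reboot}`, and in gsd-power, where a DisplayConfig `talk` replaces a Properties `member=Set` send. If only the original members are actually used, the explicit rules preserve least privilege; if the switch was motivated by additional calls, a short comment naming them would justify it, e.g. `# talk: ScreenCast interface itself is needed beyond Properties — TODO confirm`. The gjs-console profile body continues outside the hunk.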
@@ -33,17 +32,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} peer=(name=org.freedesktop.DBus label=dbus-session), - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CanPowerOff,PowerOff,Reboot} - peer=(name=:*, label=systemd-logind), - dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 290aa445..dbd07fe7 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -75,8 +75,11 @@ profile gnome-software @{exec_path} { owner @{HOME}/.var/app/{,**} rw, + owner @{user_download_dirs}/*.flatpakref r, + owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/{,**} rw, + owner @{user_cache_dirs}/gnome-software/ rw, + owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -124,6 +127,8 @@ profile gnome-software @{exec_path} { /dev/fuse rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + profile gpg { include 
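Review bot: The new `deny owner @{user_share_dirs}/gvfs-metadata/* r,` in the second gnome-software hunk carries no comment; an explicit deny both quiets the audit entry and overrides any allow the included abstractions might grant, so a reader cannot tell whether this is log-noise suppression or a deliberate block. Suggest `# Silence gvfs-metadata reads (presumably probed via gio); nothing visible here needs them — TODO confirm` above the line. The gnome-software profile body continues outside the hunk.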
@@ -131,14 +136,26 @@ profile gnome-software @{exec_path} { @{bin}/gpgconf mr, @{bin}/gpgsm mr, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, + @{lib}/{,gnupg/}scdaemon rix, + @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{tmp}/ r, owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - owner @{run}/user/@{uid}/gnupg/ w, - + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0f4b3cd3..9a197e5b 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -37,10 +36,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*, label=gnome-shell), + #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight diff --git a/apparmor.d/groups/whonix/msgdispatcher b/apparmor.d/groups/whonix/msgdispatcher index 02433106..9f2871ee 100644 --- a/apparmor.d/groups/whonix/msgdispatcher +++ b/apparmor.d/groups/whonix/msgdispatcher @@ -39,7 +39,6 @@ profile msgdispatcher @{exec_path} { include include - @{bin}/sudo mr, @{lib}/msgcollector/* rPx, owner @{run}/msgcollector/user/msgdispatcher_x_* r, 
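Review bot: `@{HOME}/@{XDG_GPG_DIR}/*.conf r,` is the only new rule in the gpg child profile without the `owner` qualifier that every neighbouring `@{HOME}`/`@{run}`/`@{PROC}` rule carries; unless gnome-software must read another user's gpg configuration it should be `owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,`. Separately, `gpg-agent` and `scdaemon` are started with `rix`, so an agent spawned here stays confined by `gnome-software//gpg`; if it keeps serving the session after gnome-software exits it is limited to this subprofile's rules (no pinentry appears in the visible part), so a transition to a standalone agent profile, if the project has one, or a comment on why inline execution is acceptable would help. The gpg child profile starts outside the hunk.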
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 3a803756..71823cb4 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -32,7 +32,7 @@ profile aa-enforce @{exec_path} { owner @{tmp}/@{rand8} rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, - owner @{PROC}/@{pid}/fd r, + @{PROC}/@{pid}/fd r, include if exists } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 4d4d2665..b349940c 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -30,9 +30,7 @@ profile minitube @{exec_path} { @{exec_path} mr, - # Be able to turn off the screensaver while playing movies - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver rPx, @{open_path} rPx -> child-open, /usr/share/minitube/{,**} r, @@ -69,31 +67,6 @@ profile minitube @{exec_path} { /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 73474ce7..484f42dd 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -31,9 +31,8 @@ profile signal-desktop @{exec_path} { @{exec_path} mrix, - # @{bin}/basename rix, @{bin}/getconf rix, - @{open_path} rPx -> child-open-strict, + @{open_path} rPx -> child-open-strict, #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings,
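Review bot: `@{PROC}/@{pid}/fd r,` drops the `owner` qualifier, so the rule now covers fd entries of processes aa-enforce does not own, and the hunk gives no reason; a comment naming the case the qualifier broke (`# not owner-qualified: … — TODO confirm`) would justify keeping it wide, otherwise keep `owner`. Note also that the path has no trailing slash: AppArmor matches directory accesses with a trailing `/`, so if the denial being fixed was a listing of the fd directory the matching form is `@{PROC}/@{pid}/fd/ r,`. The aa-enforce profile body starts outside the hunk.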
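Review bot: The removed comment `# Be able to turn off the screensaver while playing movies` explained why minitube executes xdg-screensaver at all; the new `@{bin}/xdg-screensaver rPx,` line should keep it. Replacing the local child profile with `rPx` also means the exec is denied whenever no standalone `xdg-screensaver` profile is loaded (unlike `rPUx`), which is fine if the project ships one but worth stating in the commit message. The minitube profile body continues outside the hunk.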