diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
index 4c13e555..12eea120 100644
--- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
+++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
@@ -4,12 +4,22 @@
 dbus send bus=system path=/fi/w1/wpa_supplicant1
 interface=org.freedesktop.DBus.Properties
- member={GetAll,PropertiesChanged}
+ member={GetAll,PropertiesChanged},Set
+ peer=(name=:*, label=wpa-supplicant),
+
+ dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,Set}
+ peer=(name=:*, label=wpa-supplicant),
+
+ dbus send bus=system path=/fi/w1/wpa_supplicant1
+ interface=fi.w1.wpa_supplicant1.Interface
+ member=CreateInterface
 peer=(name=:*, label=wpa-supplicant),
 dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
 interface=fi.w1.wpa_supplicant1.Interface
- member={Disconnect,RemoveNetwork,Scan}
+ member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork}
 peer=(name=:*, label=wpa-supplicant),
 dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
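Review bot: `member={GetAll,PropertiesChanged},Set` on the first changed line looks like a typo for `member={GetAll,PropertiesChanged,Set}`, the form this same hunk uses for the Interfaces path: outside the braces a comma followed by a non-blank character appears to stay inside the member value, so the rule would match member names such as `GetAll,Set` and stop matching plain `GetAll`/`PropertiesChanged` at that path. Separately, this shared abstraction now lets every profile that includes it reconfigure Wi-Fi rather than only observe it (`CreateInterface`, `AddNetwork`, `SelectNetwork`, `Properties.Set`); a header comment naming those control members, or a split into an observe-only and a control abstraction, would make that visible to profile authors pulling it in.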
@@ -17,25 +27,24 @@
 member=Cancel
 peer=(name=:*, label=wpa-supplicant),
- # Unconfined for now, don't know the label yet.
- # dbus send bus=system path=/org/freedesktop
- # interface=org.freedesktop.DBus.ObjectManager
- # member=InterfacesRemoved
- # peer=(name=:*, label=unconfined),
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesRemoved
+ peer=(name=:*, label=wpa-supplicant),
 dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
 interface=fi.w1.wpa_supplicant1.Interface
- member={BSSAdded,BSSRemoved,NetworkRemoved,ScanDone,PropertiesChanged}
+ member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged}
 peer=(name=:*, label=wpa-supplicant),
 dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
 interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
+ member={GetAll,PropertiesChanged}
 peer=(name=:*, label=wpa-supplicant),
 dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int}
 interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
+ member={GetAll,PropertiesChanged}
 peer=(name=:*, label=wpa-supplicant),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez
index 780a4728..2417fb4e 100644
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/org.bluez
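Review bot: `GetAll` on the two `dbus receive` rules for `org.freedesktop.DBus.Properties` describes wpa-supplicant calling the client's property getter at wpa_supplicant's own object paths, which looks odd for that interface; if these entries were lifted from audit lines for the reply to the client's own `GetAll` call, the `dbus send` rules in the previous hunk are the ones that cover that exchange and the receive entries can likely be dropped. The new `InterfacesRemoved` receive rule at `/org/freedesktop` pinned to `label=wpa-supplicant` resolves the old `unconfined` placeholder cleanly.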
@@ -5,21 +5,21 @@
 dbus receive bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
 member=InterfacesRemoved
- peer=(name=:*, label=bluetoothd),
+ peer=(name="{:*,org.bluez}", label=bluetoothd),
 dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged
- peer=(name=:*, label=bluetoothd),
+ peer=(name="{:*,org.bluez}", label=bluetoothd),
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
- peer=(name=:*, label=bluetoothd),
+ peer=(name="{:*,org.bluez}", label=bluetoothd),
 dbus send bus=system path=/org/bluez
 interface=org.bluez.AgentManager@{int}
- member=UnregisterAgent
+ member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
 peer=(name=org.bluez, label=bluetoothd),
 dbus send bus=system path=/org/bluez
@@ -27,6 +27,11 @@
 member=RegisterProfile
 peer=(name=org.bluez, label=bluetoothd),
+ dbus send bus=system path=/org/bluez/hci@{int}
+ interface=org.freedesktop.DBus.Properties
+ member=Set
+ peer=(name="{:*,org.bluez}", label=bluetoothd),
+
 dbus send bus=system path=/org/bluez/hci@{int}
 interface=org.bluez.BatteryProviderManager@{int}
 member=RegisterProfile
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
index 0edc53cc..75ee94bf 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
@@ -2,6 +2,11 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ dbus send bus=system path=/org/freedesktop/ModemManager1
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
+
 dbus send bus=system path=/org/freedesktop/ModemManager1
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
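Review bot: The new `Properties.Set` rule on `/org/bluez/hci@{int}`, together with `RegisterAgent`/`RequestDefaultAgent` in the previous hunk, turns this shared abstraction from observe-only into adapter control: any includer may now change adapter properties (Powered, Discoverable, Pairable, ...) and install itself as the default pairing agent. AppArmor cannot see which property a `Set` call targets, so the only guard available here is documentation; a header comment such as `# Grants adapter control (Properties.Set, agent registration), not just monitoring` would keep lower-trust profiles from inheriting it unnoticed.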
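Review bot: The added `GetManagedObjects` rule duplicates the existing rule directly below it, differing only in the peer name (the existing rule's `peer=` line is outside the hunk). The other abstractions in this commit handle the same case by widening the single rule, e.g. `peer=(name="{:*,org.freedesktop.ModemManager1}", label=ModemManager),`, which would avoid carrying two near-identical rules here.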
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index e9add589..d37f276b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@@ -5,66 +5,71 @@
 dbus send bus=system path=/org/freedesktop
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.NetworkManager
 member={GetDevices,GetPermissions}
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager/Settings
 interface=org.freedesktop.NetworkManager.Settings
 member=ListConnections
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
 interface=org.freedesktop.NetworkManager.Settings.Connection
 member=GetSettings
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int}
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus receive bus=system path=/org/freedesktop
 interface=org.freedesktop.DBus.ObjectManager
 member=InterfacesAdded
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus receive bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.DBus.Properties
 member=CheckPermissions
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus receive bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.NetworkManager
 member=CheckPermissions
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus receive bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.NetworkManager
 member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
- peer=(name=:*, label=NetworkManager),
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int}
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=Updated
+ peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
index 8465f64c..956356c5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
@@ -5,51 +5,51 @@
 dbus send bus=system path=/org/freedesktop/UDisks2
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus send bus=system path=/org/freedesktop/UDisks2/**
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.Properties
 member=Get
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll}
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus receive bus=system path=/org/freedesktop/UDisks2
 interface=org.freedesktop.DBus.ObjectManager
 member=InterfacesAdded
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus receive bus=system path=/org/freedesktop/UDisks2/jobs/@{int}
 interface=org.freedesktop.UDisks2.Job
 member=Completed
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged
- peer=(name=:*, label=udisksd),
+ peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower
index 372fce27..3d0963ae 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@@ -10,7 +10,7 @@
 dbus send bus=system path=/org/freedesktop/UPower{,/**}
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll}
- peer=(name=:*, label=upowerd),
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
 dbus send bus=system path=/org/freedesktop/UPower{,/**}
 interface=org.freedesktop.DBus.Properties
 member={Get,GetAll}
@@ -21,14 +21,24 @@
 member=GetDisplayDevice
 peer=(name=org.freedesktop.UPower, label=upowerd),
+ dbus send bus=system path=/org/freedesktop/UPower/devices/*
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+
 dbus send bus=system path=/org/freedesktop/UPower/devices/*
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=upowerd),
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+
+ dbus receive bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.UPower
+ member=DeviceAdded
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
 dbus receive bus=system path=/org/freedesktop/UPower/devices/*
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged
- peer=(name=:*, label=upowerd),
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstract
ions/bus/org.freedesktop.login1
index d11829d8..67d24772 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
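Review bot: The added `Properties {Get,GetAll}` rule for `path=/org/freedesktop/UPower/devices/*` is already covered by the rule in the previous hunk, whose `path=/org/freedesktop/UPower{,/**}` matches every device object with the same interface, members and peer, so it can be dropped. The `DeviceAdded` receive rule is genuinely new coverage and fine as written.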
@@ -10,7 +10,7 @@
 dbus receive bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged
- peer=(name=:*, label=systemd-logind),
+ peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
@@ -20,12 +20,12 @@
 dbus receive bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
 member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*}
- peer=(name=:*, label=systemd-logind),
+ peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=systemd-logind),
+ peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),
 dbus send bus=system path=/org/freedesktop/login1/session/*
 interface=org.freedesktop.login1.Session
diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
index cf3ea112..b470033f 100644
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@@ -14,6 +14,7 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
+ include
 include
 capability dac_override,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 257ac4f0..b8ee7c4a 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -62,9 +62,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 @{bin}/nautilus rPx,
 @{bin}/snap rPUx,
- @{bin}/kreadconfig5 rPx,
- @{lib}/xdg-desktop-portal-validate-icon rPUx,
- @{open_path} rPx -> child-open,
+ @{bin}/kreadconfig5 rPx,
+ @{lib}/xdg-desktop-portal-validate-icon rPUx,
+ @{open_path} rPx -> child-open,
 / r,
 /.flatpak-info r,
diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index 9d1a2884..f5291bb1 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -21,6 +21,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 @{bin}/cut rix,
 @{bin}/file rix,
 @{bin}/head rix,
+ @{bin}/kbuildsycoca5 rPx,
 @{bin}/mv rix,
 @{bin}/readlink rix,
 @{bin}/realpath rix,
diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper
index 2bef6ae7..5ba9ef54 100644
--- a/apparmor.d/groups/kde/kauth-kded-smart-helper
+++ b/apparmor.d/groups/kde/kauth-kded-smart-helper
@@ -9,8 +9,17 @@ include
 @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}kded-smart-helper
 profile kauth-kded-smart-helper @{exec_path} {
 include
+ include
+ include
 include
+
+ # dbus: own bus=system name=org.kde.kded.smart
+
+ dbus send bus=system path=/
+ interface=org.kde.kf5auth
+ member=remoteSignal
+ peer=(name=org.freedesktop.DBus, label=kded5),
+
 @{exec_path} mr,
 @{bin}/smartctl rPx,
@@ -18,4 +27,4 @@ profile kauth-kded-smart-helper @{exec_path} {
 /usr/share/icu/@{int}.@{int}/*.dat r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/kbuildsycoca5 b/apparmor.d/groups/kde/kbuildsycoca5
new file mode 100644
index 00000000..8173be58
--- /dev/null
+++ b/apparmor.d/groups/kde/kbuildsycoca5
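Review bot: `# dbus: own bus=system name=org.kde.kded.smart` uses a different directive spelling from the `#aa:dbus own bus=system name=...` line that appears as context in the nm-dispatcher hunk later in this diff; if the prebuild step recognises only the `#aa:` form, this line (and the same spelling added to kded and usbguard further down) is an inert comment and no own rules are generated, so the two forms should be aligned. On the new `dbus send` rule, `peer=(name=org.freedesktop.DBus, label=kded5)` pairs the bus daemon's own well-known name with kded5's label; the receiving side added to kded uses `peer=(name=:*, label=kauth-kded-smart-helper)`, so `name=:*` (or whatever well-known name kded5 actually holds) is probably the intended peer here.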
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/kbuildsycoca5
+profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/applications/kde-mimeapps.list r,
+ /usr/share/mime/mime.cache r,
+ /usr/share/mime/types r,
+ /var/lib/flatpak/exports/share/mime/types r,
+
+ owner @{user_cache_dirs}/ksycoca5_* l -> @{user_cache_dirs}/#@{int},
+ owner @{user_cache_dirs}/ksycoca5_* rw,
+ owner @{user_config_dirs}/mimeapps.list r,
+ owner @{user_share_dirs}/applications/mimeapps.list r,
+ owner @{user_share_dirs}/mime/types r,
+
+ /dev/tty r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index c3701fa7..d9cfaf0f 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -34,14 +34,11 @@ profile kded @{exec_path} {
 signal (send) set=hup peer=xsettingsd,
- dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
- interface=org.freedesktop.NetworkManager.SecretAgent
- member=CancelGetSecrets
- peer=(label=NetworkManager),
+ # dbus: own bus=system name=com.redhat.NewPrinterNotification
 dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
 interface=org.freedesktop.NetworkManager.SecretAgent
- member=CancelGetSecrets
+ member={GetSecrets,CancelGetSecrets}
 peer=(label=NetworkManager),
 dbus receive bus=system path=/org/freedesktop/NetworkManager/AccessPoint/@{int}
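Review bot: ksmserver is granted `ptrace (read) peer=kbuildsycoca5,` in the next file of this diff, but this new profile carries no matching `ptrace (readby) peer=ksmserver,`; AppArmor evaluates the tracee's profile as well, so that read (typically /proc access to the child) will most likely still be denied. Minor: `owner @{user_cache_dirs}/ksycoca5_* l -> @{user_cache_dirs}/#@{int},` and the `rw` rule on the same path could be one rule, `owner @{user_cache_dirs}/ksycoca5_* rwl -> @{user_cache_dirs}/#@{int},`, matching how startplasma expresses the same cache access. The `abi` and `include` targets are stripped in this rendering and were not reviewed.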
@@ -58,6 +55,30 @@ profile kded @{exec_path} {
 interface=org.freedesktop.NetworkManager.AgentManager
 peer=(label=NetworkManager),
+ dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
+ interface=org.freedesktop.NetworkManager.AgentManager
+ peer=(label=NetworkManager),
+
+ dbus send bus=system path=/org/freedesktop/bolt
+ interface=org.freedesktop.bolt1.Manager
+ member=ListDevices
+ peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
+
+ dbus send bus=system path=/org/freedesktop/bolt{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name="{:*,org.freedesktop.bolt}", label=boltd),
+
+ dbus receive bus=system path=/
+ interface=org.kde.kf5auth
+ member=remoteSignal
+ peer=(name=:*, label=kauth-kded-smart-helper),
+
+ dbus send bus=system path=/
+ interface=org.kde.kf5auth
+ member=performAction
+ peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper),
+
 @{exec_path} mrix,
 @{bin}/kcminit rPx,
@@ -141,7 +162,7 @@ profile kded @{exec_path} {
 owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
 owner @{user_config_dirs}/xsettingsd/{,**} rw,
- @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
+ owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
 owner @{user_share_dirs}/icc/{,edid-*} r,
 owner @{user_share_dirs}/kcookiejar/#@{int} rw,
 owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index e38c2a1f..e5f89829 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -18,6 +18,8 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 signal (send) set=(usr1,term) peer=kscreenlocker-greet,
+ ptrace (read) peer=kbuildsycoca5,
+
 unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
 @{exec_path} mr,
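Review bot: The first added `dbus send` rule for `org.freedesktop.NetworkManager.AgentManager` has no `member=`, and the two context lines directly above it are the tail of an existing rule on the same interface and peer that has no `member=` either (its `dbus send`/`path=` line is outside the hunk); unless that path differs, the new rule is an exact duplicate and should be dropped, and if it was meant to cover specific agent calls it should say which (`member={Register,Unregister}` or similar). The bolt and kf5auth additions are method-specific and look fine; the `owner` prefix added to the kcookiejar rule in the last hunk is a good tightening.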
@@ -36,10 +38,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /usr/share/kservices{5,6}/{,**} r,
 /usr/share/kservicetypes{5,6}/{,**} r,
- /etc/xdg/menus/applications-merged/ r,
+ /etc/xdg/menus/applications-merged/{,*} r,
 /etc/machine-id r,
 /etc/xdg/kscreenlockerrc r,
- /etc/xdg/menus/ r,
+ /etc/xdg/menus/{,*} r,
 owner @{HOME}/@{rand6} rw,
 owner @{HOME}/.Xauthority rw,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index b0f2f634..403c7eb5 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -44,9 +44,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{exec_path} mr,
- @{lib}/libheif/{,**} mr,
-
- @{bin}/dolphin rPUx,
+ @{lib}/libheif/ r,
+ @{lib}/libheif/{,**} mr,
+ @{lib}/kf5/kdesu{,d} rix,
+ @{bin}/dolphin rPUx, # TODO: rPx,
 @{bin}/ksysguardd rix,
 @{bin}/plasma-discover rPUx,
 @{bin}/xrdb rPx,
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
index 000799fa..55896c8c 100644
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@@ -10,6 +10,7 @@ include
 @{exec_path} = /etc/sddm/Xsession
 profile sddm-xsession @{exec_path} {
 include
+ include
 include
 include
 include
@@ -25,14 +26,17 @@ profile sddm-xsession @{exec_path} {
 @{bin}/csh rix,
 @{bin}/date rix,
 @{bin}/fish rix,
- @{bin}/id rix,
+ @{bin}/gettext.sh r,
 @{bin}/gpgconf rCx -> gpg,
+ @{bin}/id rix,
+ @{bin}/locale rix,
+ @{bin}/locale-check rix,
+ @{bin}/mktemp rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/sed rix,
 @{bin}/stat rix,
 @{bin}/tail rix,
- @{bin}/mv rix,
- @{bin}/locale-check rPx,
- @{bin}/mktemp rix,
- @{bin}/rm rix,
 @{bin}/tcsh rix,
 @{bin}/tempfile rix,
 @{bin}/touch rix,
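Review bot: `@{lib}/kf5/kdesu{,d} rix,` runs KDE's privilege-escalation helper and its daemon inside plasmashell's own profile, so whatever su/sudo path kdesu takes inherits plasmashell's broad rule set instead of being confined and auditable on its own; a `rPx` to a dedicated kdesu profile, or at minimum `rCx -> kdesu` with a child profile, would keep that boundary. Minor: `@{lib}/libheif/ r,` is already matched by the following `@{lib}/libheif/{,**} mr,` line and can be dropped.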
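Review bot: `@{bin}/locale-check rix,` replaces the removed `@{bin}/locale-check rPx,` further down the same hunk, so locale-check now inherits the full sddm-xsession rule set instead of running under its dedicated profile, and the commit gives no reason for dropping the transition. If the `locale-check` profile is not shipped everywhere, a comment such as `# no locale-check profile on <distro>, run inline` next to the rule would document the widening; otherwise `rPx` should be kept.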
@@ -57,12 +61,18 @@ profile sddm-xsession @{exec_path} {
 /etc/default/{,*} r,
 /etc/X11/{,**} r,
- owner @{HOME}/.xsession-errors w,
+ owner @{HOME}/.xinputrc r,
+ owner @{HOME}/.xsession-errors rw,
+ @{HOME}/tmp.* rw,
+
+ @{system_share_dirs}/im-config/data/{,*} r,
+ @{system_share_dirs}/im-config/xinputrc.common r,
 owner @{user_share_dirs}/sddm/xorg-session.log w,
 owner @{tmp}/xsess-env-* rw,
 owner @{tmp}/file* rw,
+ owner @{tmp}/tmp.* rw,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index 4171015f..7c11a414 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -11,6 +11,7 @@ profile startplasma @{exec_path} {
 include
 include
 include
+ include
 signal (receive) set=(hup) peer=@{p_systemd},
 signal (receive) set=(term) peer=sddm,
@@ -20,12 +21,17 @@ profile startplasma @{exec_path} {
 @{sh_path} rix,
 @{bin}/env rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/env rix,
+ @{bin}/grep rix,
 @{bin}/kapplymousetheme rPUx,
 @{bin}/ksplashqml rPUx,
 @{bin}/plasma_session rPx,
 @{bin}/xrdb rPx,
 @{bin}/xsetroot rPx,
+ @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r,
+ /usr/share/color-schemes/{,**} r,
 /usr/share/desktop-directories/{,**} r,
 /usr/share/knotifications{5,6}/{,**} r,
@@ -33,10 +39,16 @@ profile startplasma @{exec_path} {
 /usr/share/kservicetypes5/{,**} r,
 /usr/share/plasma/{,**} r,
+ /etc/locale.alias r,
 /etc/machine-id r,
 /etc/xdg/kcminputrc r,
 /etc/xdg/menus/{,**} r,
- /etc/xdg/plasma-workspace/env/{,**} r,
+ /etc/xdg/plasma-workspace/env/{,*} r,
+
+ /var/lib/flatpak/exports/share/mime/ r,
+
+ @{HOME}/ r,
+ @{HOME}/.xsession-errors w,
 @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/#@{int} rwk,
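Review bot: `@{HOME}/tmp.* rw,` is the only new home-directory rule without `owner`, while `.xinputrc`, `.xsession-errors` and the sibling `owner @{tmp}/tmp.* rw,` in the same hunk all carry it; mktemp output in `$HOME` belongs to the session user, so `owner @{HOME}/tmp.* rw,` is the consistent and tighter form. sddm-xsession's profile body continues outside this hunk.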
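Review bot: In the startplasma hunk at `@@ -20,12 +21,17 @@`, `@{bin}/env rix,` is added directly beneath an identical context line, and `@{bin}/{,ba,da}sh rix,` overlaps the `@{sh_path} rix,` rule above it (how far depends on the `@{sh_path}` tunable, which is outside this file); the duplicate `env` line should go, and the explicit shell rule either removed or given a one-line comment saying which shell `@{sh_path}` misses. In the last hunk, `@{HOME}/.xsession-errors w,` lacks the `owner` prefix that sddm-xsession uses for the same file in this commit.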
@@ -71,7 +83,9 @@ profile startplasma @{exec_path} {
 owner @{run}/user/@{uid}/ r,
- @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/maps r,
 /dev/tty r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings
index ad436e52..478dabbd 100644
--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/systemsettings
 profile systemsettings @{exec_path} {
 include
+ include
 include
 include
 include
@@ -20,6 +21,8 @@ profile systemsettings @{exec_path} {
 @{bin}/kcminit rPx,
+ /usr/share/kglobalaccel/org.kde.krunner.desktop r,
+
 /usr/share/kcmkeys/{,*.kksrc} r,
 /usr/share/kcm_networkmanagement/{,**} r,
 /usr/share/kinfocenter/{,**} r,
 /usr/share/kpackage/{,**} r,
@@ -29,10 +32,14 @@ profile systemsettings @{exec_path} {
 /usr/share/plasma/{,**} r,
 /usr/share/sddm/themes/{,**} r,
 /usr/share/systemsettings/{,**} r,
+ /usr/share/kinfocenter/{,**} r,
+ /usr/share/sddm/themes/{,**} r,
+
+ /var/lib/flatpak/exports/share/mime/ r,
 /etc/fstab r,
 /etc/machine-id r,
- /etc/xdg/menus/ r,
+ /etc/xdg/menus/{,applications-merged/} r,
 /etc/xdg/ui/ui_standards.rc r,
 /var/lib/dbus/machine-id r,
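Review bot: In the systemsettings hunk at `@@ -29,10 +32,14 @@`, `/usr/share/kinfocenter/{,**} r,` and `/usr/share/sddm/themes/{,**} r,` are added although both already exist in this file as context lines (`kinfocenter` in the previous hunk, `sddm/themes` two lines above the addition); drop the duplicates. The `/etc/xdg/menus/{,applications-merged/} r,` widening is fine.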
@@ -48,12 +55,16 @@ profile systemsettings @{exec_path} {
 owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,
 owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/khotkeysrc r,
+ owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/plasmarc r,
 owner @{user_config_dirs}/kde.org/{,**} rwlk,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
 owner @{user_config_dirs}/kinfocenterrc* rwlk,
 owner @{user_config_dirs}/systemsettingsrc.lock rwk,
 owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_share_dirs}/kservices5/{,ServiceMenus/} r,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index d1d068ae..e83223f1 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -22,12 +22,18 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.freedesktop.nm_dispatcher
+ dbus send bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=:*, label=NetworkManager),
+
 @{exec_path} mr,
 @{sh_path} rix,
 @{bin}/basename rix,
 @{bin}/cat rix,
 @{bin}/chronyc rPUx,
+ @{bin}/chown rix,
 @{bin}/date rix,
 @{bin}/gawk rix,
 @{bin}/grep rix,
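Review bot: The added `GetManagedObjects` rule is the same rule this commit touches at the top of `abstractions/bus/org.freedesktop.NetworkManager`, except that it keeps `name=:*` where the abstraction now uses `"{:*,org.freedesktop.NetworkManager}"`; including that abstraction instead of copying the rule would keep the two in step and avoid a third spelling of the peer. `@{bin}/chown rix,` is reasonable for a root dispatcher, but the `# chown` comment in the next hunk should name the dispatcher script that needs it.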
@@ -52,15 +58,21 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 /etc/NetworkManager/dispatcher.d/** rix,
 /etc/dhcp/dhclient-exit-hooks.d/ntp r,
+ # chown
+ / r,
+ /usr/share/tlp/{,**} rw,
+
 /etc/sysconfig/network/config r,
 /etc/fstab r,
- @{run}/systemd/notify rw,
- @{run}/tlp/{,*} rw,
- @{run}/chrony-dhcp/ rw,
- @{run}/ntp.conf.dhcp rw,
+ @{run}/chrony-dhcp/ rw,
+ @{run}/ntp.conf.dhcp rw,
+ @{run}/systemd/netif/leases/ r,
+ @{run}/systemd/notify rw,
+ @{run}/tlp/{,*} rw,
+ owner @{run}/ntp.conf.dhcp.@{rand6} rw,
+ owner /etc/ntp.conf r,
 @{sys}/class/net/ r,
@@ -85,8 +97,11 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 profile invoke-rc {
 include
+ @{bin}/invoke-rc.d rm,
 @{sh_path} rix,
+ @{bin}/basename rix,
 @{bin}/ls rix,
+ # This doesn't seem to work, profile transition not found.
 @{bin}/systemctl rCx -> systemctl,
 / r,
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index 1561e82c..3acff92b 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -55,8 +55,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
 @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy,
- @{lib}/kf5/kioslave5 rPx,
- @{lib}/kf6/kioworker rPx,
+ #aa:exec kioworker
 /var/lib/flatpak/app/{,**} r,
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index 5c9ced99..83f1ac55 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -67,6 +67,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 /etc/ r,
 @{etc_ro}/logrotate.conf rk,
 @{etc_ro}/logrotate.d/ r,
+ @{etc_ro}/rc*.d/ r,
 @{etc_ro}/logrotate.d/* rk,
 / r,
diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard
index b627eb46..ea16957a 100644
--- a/apparmor.d/profiles-s-z/usbguard
+++ b/apparmor.d/profiles-s-z/usbguard
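Review bot: `/usr/share/tlp/{,**} rw,` grants write access under `/usr/share`, which is read-only vendor data on the distributions this project targets; a dispatcher script's mutable state lives under `@{run}/tlp/`, which is already allowed two rules below, so this looks like a misread audit entry and should be `r` (or narrowed to the one file actually written, with a comment saying which script needs it). In the invoke-rc hunk, the `# This doesn't seem to work, profile transition not found.` comment most likely describes a child-profile lookup: `rCx -> systemctl` evaluated inside the nested `invoke-rc` profile looks for a `systemctl` child of `invoke-rc`, not the one defined under `nm-dispatcher`, so the comment should state that (or the rule use `rPx` to the standalone systemctl profile) rather than leave it as an open question.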
@@ -20,6 +20,10 @@ profile usbguard @{exec_path} {
 # Needed to create policy (usbguard generate-policy)
 network netlink dgram,
+ unix (send, receive, connect) type=stream peer=(label="usbguard-daemon",addr=@@{int}),
+
+ # dbus: own bus=system name=org.usbguard1
+
 @{exec_path} mr,
 /etc/usbguard/*.conf rw,
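Review bot: `# dbus: own bus=system name=org.usbguard1` is placed in the `usbguard` CLI profile, but `org.usbguard1` is normally provided by the separate usbguard-dbus bridge rather than the command-line tool, and the CLI reaches the daemon over the unix socket allowed on the line above; this directive probably belongs in the usbguard-dbus profile, if it is needed at all. It also uses the `# dbus:` spelling rather than the `#aa:dbus own ...` form visible as context in the nm-dispatcher hunk, so it may be an inert comment either way.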