diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database
index b994cc28..608595e6 100644
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
 /usr/share/*/*.desktop r,
- /var/lib/flatpak/{app/**,}exports/share/applications/{,**/} r,
- /var/lib/flatpak/{app/**,}exports/share/applications/**.desktop r,
- /var/lib/flatpak/{app/**,}exports/share/applications/.mimeinfo.cache.* rw,
- /var/lib/flatpak/{app/**,}exports/share/applications/mimeinfo.cache w,
+ /var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
+ /var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
+ /var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
+ /var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
 /var/lib/snapd/desktop/applications/{,**/} r,
 /var/lib/snapd/desktop/applications/**.desktop r,
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index fd496df8..a7113a76 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -18,6 +18,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
+ owner @{user_share_dirs}/flatpak/db/ rw,
 owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
 owner @{user_share_dirs}/flatpak/db/background rw,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index e3655eb2..5247d407 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
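Review bot: The `{app/**/,}` alternative in the four flatpak rules still matches any depth below `/var/lib/flatpak/app/`, and as far as I recall per-app deployments expose their desktop files under `.../export/share/applications/` (singular), so only the top-level `/var/lib/flatpak/exports/` branch may ever match — worth confirming against an installed app before keeping the wildcard. If the per-app path really is needed, naming it explicitly, e.g. `/var/lib/flatpak/{app/*/*/*/*/export/,exports/}share/applications/**.desktop r,`, keeps the profile from granting `mimeinfo.cache` writes wherever a matching directory name happens to appear under `app/`. A short comment above the group, `# system-wide and per-app flatpak exports`, would also help the next reader.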
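Review bot: The new `owner @{user_share_dirs}/flatpak/db/ rw,` line sits directly under `@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,`, which names the same directory through a different tunable and without `owner`; folding that context line into the new group as `owner @{user_share_dirs}/flatpak/db/gnome rw,` would keep every `db/` rule under one spelling and the `owner` restriction. Note also that because the new rule ends in `/`, its `w` only covers creating or removing the `db/` directory itself, not writing entries inside it — if it was added to satisfy the `.goutputstream-*` rename, the file rules below are what matter and `r` may be enough here. Confirm against the audit denial that prompted it.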
@@ -74,6 +74,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 @{run}/faillock/[a-zA-z0-9]* rwk,
 @{run}/gdm/custom.conf r,
+ @{run}/systemd/sessions/* r,
 @{run}/systemd/sessions/*.ref rw,
 @{run}/systemd/users/@{uid} r,
 @{run}/utmp rwk,
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index 7274e317..f242da61 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -23,8 +23,9 @@ profile gnome-calendar @{exec_path} {
 @{exec_path} mr,
- /usr/share/libgweather/Locations.xml r,
+ /usr/share/egl/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/libgweather/Locations.xml r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 09233126..368061b1 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -103,6 +103,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /snap/*/[0-9]*/*.png r,
 /usr/share/backgrounds/{,**} r,
+ /usr/share/cups/data/testprint r,
 /usr/share/egl/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/gnome-background-properties/{,**} r,
@@ -123,8 +124,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
+ /var/lib/snapd/desktop/icons/ r,
+ /var/cache/samba/ rw,
+ owner @{HOME}/.cat_installer/ca.pem r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 9f7d73f9..36bf1d12 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
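Review bot: `@{run}/systemd/sessions/* r,` already grants read on every file the next rule `@{run}/systemd/sessions/*.ref rw,` matches, so the two overlap; that is harmless, but a comment such as `# logind session files; *.ref additionally needs w` would stop a later cleanup from dropping the wrong one. While here, the context line `@{run}/faillock/[a-zA-z0-9]* rwk,` uses the range `A-z`, which also spans `[`, `\`, `]`, `^`, `_` and the backtick — it should read `@{run}/faillock/[a-zA-Z0-9]* rwk,`.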
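Review bot: `/var/cache/samba/ rw,` is a non-`owner` write on a system cache path in a group that otherwise only reads system locations, with nothing recording why; because the rule ends in `/`, its `w` only permits creating or removing that directory, not writing into it, so either the intended target was the directory contents or `r` would do. A comment naming the caller (presumably the samba client library behind the printer or sharing panel — confirm from the denial) would make that decision reviewable. The same goes for `owner @{HOME}/.cat_installer/ca.pem r,`, which reads a CA file dropped by a third-party installer and deserves a one-line note on which panel needs it.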
@@ -15,6 +15,7 @@ profile tailscaled @{exec_path} {
 capability dac_read_search,
 capability mknod,
 capability net_admin,
+ capability net_raw,
 capability sys_ptrace,
 network inet dgram,
@@ -30,10 +31,14 @@ profile tailscaled @{exec_path} {
 /{usr/,}bin/ip rix,
 /{usr/,}{s,}bin/xtables-nft-multi rix,
- /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/systemctl rCx -> systemctl,
 /etc/iproute2/rt_tables r,
+ /etc/resolv.*.conf rw,
+ /etc/resolv.conf rw,
+ /etc/resolv.conf.*.tmp rw,
+
 owner /var/lib/tailscale/{,**} rw,
 owner @{run}/tailscale/{,**} rw,
@@ -54,5 +59,21 @@ profile tailscaled @{exec_path} {
 /dev/net/tun rw,
+ profile systemctl {
+ include
+
+ capability mknod,
+ capability net_admin,
+
+ network netlink raw,
+
+ ptrace (read),
+
+ /{usr/,}bin/systemctl mr,
+
+ /dev/net/tun rw,
+
+ }
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 688ca76a..d6770ee0 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -225,7 +225,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/mtrr w,
 @{PROC}/sys/net/ipv{4,6}/** rw,
- /dev/dri/ r, # include ?
+ /dev/dri/ r,
 /dev/hugepages/{,**} w,
 /dev/kvm r,
 /dev/mapper/ r,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 3c8f6a0e..11a35cab 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -49,9 +49,13 @@ profile flatpak-system-helper @{exec_path} {
 /{usr/,}bin/gpgconf mr,
 /{usr/,}bin/gpgsm mr,
+ /{usr/,}bin/gpg-agent rix,
+ owner /tmp/ostree-gpg-*/ r,
 owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{PROC}/@{uid}/fd/ r,
+
 }
 include if exists
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop
index 9640ce9a..3b35e019 100644
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
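Review bot: `/etc/resolv.*.conf rw,` is wider than the single backup file tailscaled keeps beside `/etc/resolv.conf` (if memory serves it is `/etc/resolv.pre-tailscale-backup.conf`); naming that file explicitly keeps the daemon from being able to rewrite any other `resolv.*.conf` an admin has parked there. Also, where `/etc/resolv.conf` is a symlink into `@{run}/systemd/resolve/`, AppArmor mediates the resolved target, so reads through the link need a rule on that path — it may already exist further up the profile, which this hunk does not show. A comment such as `# DNS config managed directly by tailscaled (write .tmp, then rename)` would tie the three `resolv` rules together.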
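Review bot: The new `systemctl` child profile carries `capability mknod`, `capability net_admin`, `network netlink raw`, `ptrace (read)` and `/dev/net/tun rw`, which are the daemon's own privileges rather than anything `systemctl` needs to talk to systemd; a child profile is a separate confinement domain, not an intersection with the parent, so these are real grants to `systemctl` and should be cut back to what the audit log shows it touching. Unless those denials were observed for `systemctl` itself, I would keep the child to `/{usr/,}bin/systemctl mr,`, the include, and whatever `@{run}/systemd` socket access it actually trips on. The include's target is not visible in this rendering, so I cannot tell what it already provides, and if the shared `child-systemctl` profile the removed `rPx` line pointed at still exists, reusing it avoids duplicating these grants.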
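Review bot: `owner @{PROC}/@{uid}/fd/ r,` names a `/proc/<pid>/` entry with the user-id tunable; even if `@{uid}` and `@{pid}` expand to the same numeric glob in this tunable set, the path is a process directory, so it should read `owner @{PROC}/@{pid}/fd/ r,` (or `@{pids}`, whichever this tree uses for own-process reads) so the intent is clear and survives a tunable change. Separately, `/{usr/,}bin/gpg-agent rix,` runs the agent — a long-lived daemon — under this profile with all of its rules; if it only needs the `/tmp/ostree-gpg-*` homedir, a dedicated child profile would be tighter, though the hunk does not show what else this profile grants. The enclosing profile's opening line is outside the hunk.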
@@ -10,6 +10,7 @@ include
 profile nvtop @{exec_path} {
 include
 include
+ include
 include
 include
@@ -25,6 +26,7 @@ profile nvtop @{exec_path} {
 @{PROC}/@{pids}/stat r,
 @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r,
+ /dev/dri/ r,
 /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
 include if exists