diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index cddabf04..7e0c09b6 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -11,6 +11,7 @@ include profile apt @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index d93d7ea5..b6815bd2 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 253deed0..baa8420c 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}bin/ibus-daemon profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include + include + include include signal (receive) set=(usr1) peer=gnome-shell, @@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/{,**} rw, owner @{user_cache_dirs}/ibus/{,**} rw, /var/lib/gdm{3,}/.config/ibus/{,**} rw, /var/lib/gdm{3,}/.cache/ibus/{,**} rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 39025957..eacefcd1 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=term peer=ibus-daemon, 
@@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 23f43557..ae392bd4 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -10,10 +10,12 @@ include @{exec_path} += @{libexec}/ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} { include + include include include include include + include include signal (receive) set=term peer=ibus-daemon, @@ -35,11 +37,10 @@ profile ibus-extension-gtk3 @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index e13dc99c..29c689e9 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -9,14 +9,15 @@ include @{exec_path} = @{libexec}/ibus-memconf profile ibus-memconf @{exec_path} { include + include include @{exec_path} mr, + /etc/machine-id r, + /var/lib/gdm{3,}/.config/ibus/bus/ r, /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - include if exists } \ No newline at end of file 
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index ba452812..2438a72a 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@@ -10,6 +10,8 @@ include
 @{exec_path} += @{libexec}/ibus-portal
 profile ibus-portal @{exec_path} flags=(attach_disconnected) {
   include
+  include
+  include
   signal (receive) set=(term, hup) peer=gdm*,
@@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
   /var/lib/dbus/machine-id r,
   /var/lib/gdm/.config/ibus/bus/ r,
   /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
-  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
   owner /dev/tty[0-9]* rw,
   /dev/null rw,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index b36b22cf..159806e3 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -18,16 +18,21 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   include
   include
+  unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
+
   @{exec_path} mr,
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
   /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+  owner @{run}/user/@{uid}/at-spi/bus rw,
+  owner @{run}/user/@{uid}/bus rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd
index 46dc955d..63fbbd70 100644
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
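Review bot: `owner @{run}/user/@{uid}/bus rw,` added to ibus-x11 gives the confined process direct read/write on the session bus socket, while the identical line is removed from gnome-extension-ding later in this commit, presumably because the newly included abstraction (its target is not visible in this rendering) already provides it. If the abstraction covers it the direct rule is redundant here; if it does not, the two profiles are now handled inconsistently, so either drop the line or record the reason with a comment such as `# direct session bus socket access, not provided by the included abstractions`. The two `owner @{user_config_dirs}/ibus/bus/...` rules are removed and re-added unchanged below the gdm line, which is a pure move that makes the hunk harder to read; keeping them in place would shrink the diff to the genuinely new rules. The `unix (connect, receive, send) type=stream peer=(label=ibus-daemon),` rule is appropriately scoped to the daemon's label.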
@@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term hup) peer=gdm*, diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index ed183ba5..1ce827e2 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/colord-sane profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { include + include include network netlink raw, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index 4782267f..b44496f7 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -9,9 +9,7 @@ include @{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include - - # Needed? - deny capability sys_nice, + include signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 2eea607f..76220f9f 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -11,6 +11,7 @@ include profile pipewire @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index e4d804aa..e04c0259 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/polkit-agent-helper-[0-9] profile polkit-agent-helper @{exec_path} { include + include include include include 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index e366fd26..9fd68336 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 6b177afb..22f60b38 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} { include + include include include include @@ -31,6 +32,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{user_share_dirs}/ r, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 99622476..2e94f0ff 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include + include include include include @@ -31,7 +32,9 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/@{XDG_DATA_HOME}/ r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/mount/utab r, owner @{PROC}/@{uid}/mountinfo r, 
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index d8dce5fd..fd496df8 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index a036ee7e..bc313353 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/evolution-addressbook-factory profile evolution-addressbook-factory @{exec_path} { include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index e1e49b08..0a7c3adf 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/evolution-data-server/evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include + include include include include @@ -23,6 +24,7 @@ profile evolution-alarm-notify @{exec_path} { /usr/share/ubuntu/applications/ r, /usr/share/zoneinfo-icu/{,**} r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 40661e7c..132540ad 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory 
@@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/evolution-calendar-factory profile evolution-calendar-factory @{exec_path} { include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index e488818b..61ab2e0b 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/evolution-source-registry profile evolution-source-registry @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 57c084d5..b07fe0e9 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 7af35a3d..1d385bb4 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 564dba30..030e1214 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js profile gnome-extension-ding @{exec_path} { include + include include include include 
@@ -36,7 +37,6 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home r, owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 65513850..3f499354 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 44844ad3..4101886e 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-remote-desktop-daemon profile gnome-remote-desktop-daemon @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 78fee1df..91743684 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 005072d5..b50bfcb6 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server 
@@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-shell-calendar-server profile gnome-shell-calendar-server @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 684080be..9a30738f 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/goa-daemon profile goa-daemon @{exec_path} { include + include + include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 6a728d63..c7b98a84 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -10,6 +10,7 @@ include profile goa-identity-service @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 8be54615..a1388d9f 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index c83666a2..3e3de47c 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -35,9 +36,11 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/ r, owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index e7d51d5b..41df5db4 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index ccec1b6a..f1c5d57b 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-disk-utility-notify profile gsd-disk-utility-notify @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index d9ede44b..e5ce47c2 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,6 +10,7 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 216a23cb..6a2037a2 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -31,9 +32,11 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/ rw, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 310336b2..96288a87 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,6 +10,7 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -30,9 +31,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/X11/xkb/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/pulse/ rw, owner @{user_share_dirs}/ r, @@ -43,9 +41,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/client.conf r, /var/lib/gdm/.config/pulse/cookie rk, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index c674d1e5..41f28908 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,6 +10,7 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include include 
@@ -28,15 +29,15 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, /var/lib/gdm/.cache/event-sound-cache.tdb.* rwk, /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/pulse/client.conf r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, @{run}/udev/data/+backlight:* r, @{run}/udev/data/+leds:*backlight* r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index de6c3a28..aa62b6f5 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index eccc4180..15590b73 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index a44ecbbe..3bb20459 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index b6058e22..b0d8a552 100644 
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 7cada0c7..5b20cc4f 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index fca97800..31e0cf77 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 83a7520c..e64fbb8b 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -10,6 +10,7 @@ include profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 8585d792..c723369b 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -28,9 +29,11 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
   /etc/machine-id r,
+  owner @{run}/user/@{uid}/at-spi/bus rw,
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9] rw,
   /var/lib/gdm/.config/dconf/user r,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 2ac7d10b..d3f6ec90 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gsd-xsettings
 profile gsd-xsettings @{exec_path} {
   include
+  include
   include
   include
   include
@@ -49,13 +50,14 @@ profile gsd-xsettings @{exec_path} {
   owner @{user_cache_dirs}/mesa_shader_cache/index rw,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
+  owner @{run}/user/@{uid}/at-spi/bus rw,
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
-
-  owner @{run}/systemd/users/@{uid}/ r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
   @{run}/systemd/sessions/* r,
+  @{run}/systemd/users/@{uid} r,
   owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 5ad4d7a0..6c48c596 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -10,6 +10,7 @@ include
 profile nautilus @{exec_path} flags=(attach_disconnected) {
   include
   include
+  include
   include
   include
   include
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index dd45b726..7846a464 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
   include
+  include
   include
   include
   include
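Review bot: The character class in the moved line `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,` in gsd-xsettings uses the range `A-z`, which covers the ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick) in addition to the letters, so it matches more than the intended alphanumeric suffix; since the line is being relocated anyway, write it as `[a-zA-Z0-9]*`. The same class is present as an unchanged line in spice-vdagent further down, and ibus-x11 in this commit uses `[0-9A-Z]*` for the same file, so the profiles currently disagree on the pattern. Replacing `owner @{run}/systemd/users/@{uid}/ r,` with `@{run}/systemd/users/@{uid} r,` changes both the target (a file instead of a directory) and drops the owner restriction, and the hunk gives no reason for the second change; a one-line comment next to the new rule stating why `owner` no longer applies would prevent it from being re-added later.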
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 5373623e..1baa4eda 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-afc-volume-monitor profile gvfs-afc-volume-monitor @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 1eaa0116..d55fa7de 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-goa-volume-monitor profile gvfs-goa-volume-monitor @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index 88864385..b5844365 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-gphoto2-volume-monitor profile gvfs-gphoto2-volume-monitor @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 94978f25..1163dd54 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-mtp-volume-monitor profile gvfs-mtp-volume-monitor @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 0f32b016..59db2bb3 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor 
@@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 62248a59..d4a8184e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-fuse profile gvfsd-fuse @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 3a0e7d74..fb46ee85 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-metadata profile gvfsd-metadata @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 196a07e8..906aff69 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-trash profile gvfsd-trash @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 0572caee..ed8fe89c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher 
@@ -15,6 +15,7 @@ profile networkd-dispatcher @{exec_path} {
   @{exec_path} mr,
+  /{usr/,}bin/ r,
   /{usr/,}bin/networkctl rPx,
   @{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 8b492322..a1937b01 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -19,6 +19,7 @@ include
 profile sshd @{exec_path} flags=(attach_disconnected) {
   include
   include
+  include
   include
   include
   include
@@ -98,24 +99,5 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   /dev/ptmx rw,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
-
-  # DBus
-  @{run}/dbus/system_bus_socket rw,
-
-  dbus send
-  bus=system
-  path=/org/freedesktop/DBus
-  interface=org.freedesktop.DBus
-  member=Hello
-  peer=(name=org.freedesktop.DBus),
-  dbus send
-  bus=system
-  path=/org/freedesktop/login1
-  interface=org.freedesktop.login1.Manager
-  member={CreateSession,ReleaseSession}
-  peer=(name=org.freedesktop.login1),
-
   include if exists
 }
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index 127a364c..6c75dc05 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/fwupdmgr
 profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
   include
+  include
   include
   include
   include
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index e0a141ea..50344f35 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -10,6 +10,7 @@ include
 profile spice-vdagent @{exec_path} {
   include
   include
+  include
   include
   unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
@@ -21,6 +22,7 @@ profile spice-vdagent @{exec_path} {
   owner @{user_config_dirs}/user-dirs.dirs r,
+  owner @{run}/user/@{uid}/at-spi/bus rw,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
   @{run}/spice-vdagentd/spice-vdagent-sock rw,
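Review bot: The second sshd hunk removes the two `dbus send` rules (the `org.freedesktop.DBus` `Hello` call and `org.freedesktop.login1.Manager` `member={CreateSession,ReleaseSession}` restricted to `peer=(name=org.freedesktop.login1)`), the `@{run}/dbus/system_bus_socket rw,` rule and `@{run}/systemd/userdb/io.systemd.DynamicUser w,`, while the only addition to the profile is an `include` whose target is not visible in this rendering. If the included abstraction does not carry the login1 rules, session registration through logind will now be denied for sshd; if it carries them without the `member=` and `peer=(name=…)` restrictions the old lines had, the profile becomes broader than before, so the commit description or a comment next to the new include, e.g. `# system bus + logind session rules now come from <ABSTRACTION-NAME>`, should say which. The userdb write is not a D-Bus rule and is presumably not in a D-Bus abstraction; confirm it is still granted somewhere. The su hunk at the end of the diff removes the same D-Bus block together with `capability chown,`, `/dev/{,pts/}ptmx rw,` and `unix (bind) type=dgram,`, which are pty and capability rules rather than D-Bus ones and deserve the same check (the su profile's closing brace lies outside this excerpt).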
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 24654d78..b7ea89fc 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -11,6 +11,7 @@ profile su @{exec_path} { include include include + include include include # include @@ -54,28 +55,7 @@ profile su @{exec_path} { @{PROC}/cmdline r, @{sys}/devices/virtual/tty/console/active r, - # pseudo-terminal - capability chown, - /dev/{,pts/}ptmx rw, - - @{run}/dbus/system_bus_socket rw, - - dbus (send) - bus=system - path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=Hello - peer=(name=org.freedesktop.DBus), - - dbus (send) - bus=system - path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager - member={CreateSession,ReleaseSession}, - - unix (bind) type=dgram, - /dev/tty[0-9]* rw, include if exists