diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index db61ef22..7d88d5a0 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -44,10 +44,11 @@ profile cron @{exec_path} flags=(attach_disconnected) {
 @{etc_ro}/security/limits.d/{,**} r,
 /var/spool/cron/crontabs/{,*} r,
+ /var/spool/cron/tabs/{,*} r,
- @{run}/systemd/sessions/*.ref rw,
- owner @{run}/crond.pid rwk,
- owner @{run}/crond.reboot rw,
+ @{run}/crond.pid rwk,
+ @{run}/crond.reboot rw,
+ @{run}/systemd/sessions/*.ref rw,
 owner /tmp/#[0-9]*[0-9] rw,
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 2cc6ce1d..892afd94 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -11,6 +11,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 network qipcrtr dgram,
 network netlink raw,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index b18c0a36..97f96add 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -36,6 +36,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/ip rix,
 "/opt/Mullvad VPN/resources/openvpn" rix,
+ "/opt/Mullvad VPN/resources/*.so*" mr,
 "/opt/Mullvad VPN/resources/*" r,
 /etc/mullvad-vpn/{,*} r,
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index 4e1b4ff7..cb47b4aa 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@@ -50,13 +50,8 @@ profile openvpn @{exec_path} {
 @{exec_path} mr,
- # OpenVPN config
- /etc/openvpn/*.{conf,ovpn} r,
- /etc/openvpn/client/*.{conf,ovpn} r,
- /etc/openvpn/client/*_userpass.txt r,
- /etc/openvpn/server/*.{conf,ovpn} r,
- /etc/openvpn/auth/*.auth r,
- /etc/openvpn/certs/*.{key,crt} r,
+ /etc/openvpn/{,**} r,
+ @{HOME}/.cert/{,**} r,
 /var/log/openvpn/*.log w,
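Review bot: The rewritten `@{run}/crond.pid rwk,` and `@{run}/crond.reboot rw,` rules in the cron hunk drop the `owner` qualifier that the removed lines carried, but nothing in the hunk records why a non-owner write is needed. Without a comment, a later cleanup is likely to put `owner` back and reintroduce whatever denial motivated this; suggest `@{run}/crond.pid rwk, # no owner: <reason from the denial log — placeholder>`. The new `/var/spool/cron/tabs/{,*} r,` appears to be the openSUSE spool location and would benefit from the `# only: opensuse` marker this repository uses elsewhere. The profile body continues outside the hunk.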
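Review bot: In the openvpn hunk, the collapsed `/etc/openvpn/{,**} r,` rule removes the `# OpenVPN config` comment along with the specific rules and now covers every file under /etc/openvpn, including the key and credential files the old rules named explicitly; that broadening is deliberate, so it should be stated, e.g. `# OpenVPN config, credentials and certificates (whole tree)`. The added `@{HOME}/.cert/{,**} r,` has no `owner` qualifier and no comment naming the use case: if it serves openvpn started by a user, `owner @{HOME}/.cert/{,**} r,` is the tighter form; if it serves a root-run service reading a user's certificates, that should be recorded, since `owner` would then not match. The profile body continues past the hunk.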
diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork
index 920a2eaa..14f6bbbe 100644
--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@@ -12,6 +12,8 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability sys_resource,
+ @{exec_path} mr,
 /etc/machine-id r,
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld
index 4b3d745c..dcd778ff 100644
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/profiles-a-f/firewalld
@@ -34,6 +34,7 @@ profile firewalld @{exec_path} {
 /{usr/,}bin/false rix,
 /usr/share/libalternatives/ r,
+ /usr/share/libalternatives/ebtables*/{,*} r,
 /usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
 /etc/firewalld/{,**} r,
@@ -41,12 +42,15 @@ profile firewalld @{exec_path} {
 /etc/iproute2/group r,
 /etc/iproute2/rt_realms r,
+ /var/lib/ebtables/lock rwk,
+ /var/log/firewalld rw,
 @{run}/firewalld/{,*} rw,
 @{run}/xtables.lock rwk,
 @{PROC}/sys/kernel/modprobe r,
+ @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pids}/net/ip_tables_names r,
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 652101f8..af6c4821 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -17,6 +17,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 capability dac_override,
 capability mknod,
+ capability net_admin,
 capability sys_module,
 capability syslog,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 4022f948..72e4b424 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
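Review bot: `capability sys_resource,` in the systemd-userwork hunk is added without a comment saying which operation needed it; CAP_SYS_RESOURCE is a broad capability (it allows, among other things, raising resource limits past the hard limit), so the triggering denial is worth recording inline, e.g. `capability sys_resource, # <operation from the denial log — placeholder>`. If the intent is only a setrlimit during user-session setup, say so, because a future reader cannot infer that from the profile. The profile body continues outside the hunk.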
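Review bot: In the second firewalld hunk, `@{PROC}/sys/net/ipv{4,6}/ip_forward rw,` grants a write to a path that, as far as I know, only exists for IPv4: the kernel exposes IPv6 forwarding under `net/ipv6/conf/*/forwarding`, not `net/ipv6/ip_forward`, so the `6` alternative is dead. If firewalld does toggle IPv6 forwarding the rule it needs is `@{PROC}/sys/net/ipv6/conf/*/forwarding rw,`; otherwise drop the `{4,6}` part so the rule does not imply coverage it lacks. A write to a sysctl is also worth a one-line comment naming the feature that drives it (masquerade or forward configuration, if that is the trigger). The enclosing profile body runs outside the hunk.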
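Review bot: `capability net_admin,` in the kmod hunk gives the module-loading helper CAP_NET_ADMIN with no comment tying it to a specific operation; unlike `sys_module` its need in kmod is not self-evident, so the triggering denial should be noted inline, e.g. `capability net_admin, # <denied operation — placeholder>`. If the denial was only seen while loading a particular module, naming it in the comment helps the next reviewer judge whether the grant still applies. The profile body continues outside the hunk.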
@@ -160,8 +160,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 owner /etc/pacman.d/gnupg/ r, # only: arch
 owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**,
- owner /var/tmp/zypp.*/zypp-*/ r, # only: opensuse
- owner /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
+ /var/tmp/zypp.*/zypp-*/ r, # only: opensuse
+ /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
 owner @{run}/user/@{uid}/gnupg/ r,
 owner @{run}/user/@{uid}/gnupg/ rwkl -> @{run}/user/@{uid}/gnupg/**,
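Review bot: Dropping `owner` from `/var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,` widens a write-and-link rule under the world-writable, sticky `/var/tmp`, so the AppArmor side no longer requires packagekitd to own the directories it writes into there. Losing `owner` on the `r` rule is low-risk, but the `rwkl` rule should keep `owner` unless a specific denial shows those files are created by another uid, in which case record that inline, e.g. `# no owner: <reason — placeholder>` next to the existing `# only: opensuse` marker. The profile body continues outside the hunk.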