diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index c3584901..d00fb331 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -19,7 +19,15 @@
 include
 include
 include
+ include
+ include
+ include
+ include
+ include
+ include
 include
+ include
+ include
 include
 include
 include
@@ -41,6 +49,16 @@
 capability sys_chroot,
 capability sys_ptrace,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ signal (receive) peer=@{profile_name}-crashpad-handler,
+ signal (send) set=(term, kill) peer=@{profile_name}-sandbox,
+ signal (send) set=(term, kill) peer=keepassxc-proxy,
+
 ptrace (read) peer=browserpass,
 ptrace (read) peer=chrome-gnome-shell,
 ptrace (read) peer=gnome-browser-connector-host,
@@ -50,21 +68,6 @@
 ptrace (read) peer=xdg-settings,
 ptrace (trace) peer=@{profile_name},
- signal (receive) peer=@{profile_name}-crashpad-handler,
- signal (send) set=(term, kill) peer=@{profile_name}-sandbox,
- signal (send) set=(term, kill) peer=keepassxc-proxy,
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- dbus send bus=system path=/
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects
- peer=(name=org.bluez, label=bluetoothd),
-
 @{lib_dirs}/{,**} r,
 @{lib_dirs}/*.so* mr,
 @{lib_dirs}/chrome_crashpad_handler rPx,
@@ -103,7 +106,6 @@
 /usr/share/@{name}/{,**} r,
 /usr/share/chromium/extensions/{,**} r,
- /usr/share/hwdata/pnp.ids r,
 /usr/share/mozilla/extensions/{,**} r,
 /usr/share/webext/{,**} r,
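Review bot: The eight include lines added in the first hunk have had their `<abstractions/...>` targets stripped from this rendering, so it cannot be checked here that they carry the rules this same file drops lower down — the `dbus send bus=system path=/ … peer=(name=org.bluez, label=bluetoothd)` rule, `/usr/share/hwdata/pnp.ids r,` and the kdeglobals/kwinrc reads. If any of those accesses is still needed by Chromium and no new include provides it, the abstraction silently loses it and the only symptom is a denial at runtime. A reviewer should confirm from the full diff which abstraction each removed rule moved into, and that each of those abstractions is scoped no wider than the rule it replaces.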
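Review bot: `network netlink raw,` in the relocated block carries no comment saying which netlink protocol Chromium needs, and to my knowledge an AppArmor network rule cannot be narrowed below the family/type pair, so this grants every netlink protocol the kernel exposes to an unprivileged user; a why-comment such as `# netlink raw: presumably NETLINK_ROUTE for interface enumeration — confirm` would record the intended scope for the next maintainer. The block is the same five network rules and three signal rules that the file previously carried after the ptrace rules, so the move itself adds no permission. `signal (receive) peer=@{profile_name}-crashpad-handler,` still has no `set=` unlike the two send rules beneath it; if the crash handler only needs a fixed set of signals, restricting it the same way would keep the crashpad/sandbox surface symmetric.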
@@ -132,11 +134,6 @@
 owner @{config_dirs}/ rw,
 owner @{config_dirs}/** rwk,
 owner @{config_dirs}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw,
- owner @{user_config_dirs}/kdedefaults/ r,
- owner @{user_config_dirs}/kdedefaults/kdeglobals r,
- owner @{user_config_dirs}/kdedefaults/kwinrc r,
- owner @{user_config_dirs}/kdeglobals r,
- owner @{user_config_dirs}/kwinrc r,
 owner @{cache_dirs}/{,**} rw,
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
index 4877c6ad..c6d8fc6a 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@@ -7,9 +7,19 @@
 member=GetAll
 peer=(name=:*, label=gjs-console),
- dbus receive bus=session path=/org/freedesktop/Notifications
+ dbus send bus=session path=/org/freedesktop/Notifications
 interface=org.freedesktop.DBus.Properties
- member=GetAll
+ member={GetCapabilities,GetServerInformation,Notify}
 peer=(name=:*, label=gjs-console),
+ dbus receive bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,NotificationClosed,CloseNotification}
+ peer=(name=:*, label=gjs-console),
+
+ dbus receive bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Properties
+ member=Notify
+ peer=(name=org.freedesktop.DBus, label=gjs-console),
+
 include if exists
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index b88df258..41b6c19b 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -20,6 +20,8 @@ profile brave @{exec_path} {
 unix (send, receive) type=stream peer=(label=brave-crashpad-handler),
+ #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2
+
 @{exec_path} mrix,
 @{bin}/man rPUx, # For "brave --help"
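Review bot: All three new rules in the org.freedesktop.Notifications hunk keep `interface=org.freedesktop.DBus.Properties`, but `GetCapabilities`, `GetServerInformation`, `Notify`, `CloseNotification` and the `NotificationClosed` signal are members of the `org.freedesktop.Notifications` interface — the Properties interface only carries Get/Set/GetAll and PropertiesChanged — so as written these rules match no real message and the calls they are meant to allow will still be denied; each of the three interface lines should read `interface=org.freedesktop.Notifications`. The last rule's `peer=(name=org.freedesktop.DBus, label=gjs-console)` also looks inconsistent, since `org.freedesktop.DBus` is the bus daemon's own name and the daemon does not run under the gjs-console label, so both conditions can never hold at once; if the intent is a message arriving from GNOME Shell, `peer=(name=:*, label=gjs-console)` as in the rule above it is presumably what was meant. Whether a confined client should be receiving `Notify` and `CloseNotification` at all — those are method calls a client sends to the server — is worth confirming against the denials that motivated the change before widening the abstraction for every profile that includes it.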
diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome
index 7dd5f300..22a4ebf0 100644
--- a/apparmor.d/groups/browsers/chrome
+++ b/apparmor.d/groups/browsers/chrome
@@ -18,6 +18,8 @@ profile chrome @{exec_path} {
 include
 include
+ #aa:dbus own bus=session name=org.mpris.MediaPlayer2.chrome path=/org/mpris/MediaPlayer2
+
 @{exec_path} mrix,
 @{bin}/man rPUx, # For "chrome --help"
diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium
index 45a464e3..6ec3e3f9 100644
--- a/apparmor.d/groups/browsers/chromium
+++ b/apparmor.d/groups/browsers/chromium
@@ -18,6 +18,8 @@ profile chromium @{exec_path} {
 include
 include
+ #aa:dbus own bus=session name=org.mpris.MediaPlayer2.chromium path=/org/mpris/MediaPlayer2
+
 @{exec_path} mrix,
 include if exists
diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge
index d129fc19..36c818c4 100644
--- a/apparmor.d/groups/browsers/msedge
+++ b/apparmor.d/groups/browsers/msedge
@@ -18,6 +18,8 @@ profile msedge @{exec_path} {
 include
 include
+ #aa:dbus own bus=session name=org.mpris.MediaPlayer2.msedge path=/org/mpris/MediaPlayer2
+
 @{exec_path} mrix,
 @{bin}/man rPUx, # For "chrome --help"
diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera
index aa5688f1..b1659a33 100644
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@{exec_path} mrix,
@@ -18,6 +18,8 @@ profile opera @{exec_path} {
 include
 include
+ #aa:dbus own bus=session name=org.mpris.MediaPlayer2.opera path=/org/mpris/MediaPlayer2
+
 @{exec_path} mrix,
 @{lib_dirs}/opera_autoupdate krix,
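Review bot: In the chromium hunk the directive `#aa:dbus own bus=session name=org.mpris.MediaPlayer2.chromium` pins the owned name exactly, but upstream Chromium, to my knowledge, requests `org.mpris.MediaPlayer2.chromium.instance<pid>` so that several instances can coexist, and an exact-name bind rule would then never match and the MPRIS bind would still be denied. Verify the name with `busctl --user list` while media is playing and, if the suffix is present, use `name=org.mpris.MediaPlayer2.chromium.instance@{int}` (or the project's digits variable). The same check applies to the chrome, msedge and opera hunks on this line, which use the identical pattern with their own product name. profile chromium's body continues outside the hunk.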