diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index f64de582..79c4f042 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -38,7 +38,7 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - owner @{run}/user/@{uid}/pk-debconf-socket rw, + @{run}/user/@{uid}/pk-debconf-socket rw, # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index dd4bc64f..8b4fafa4 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -41,6 +41,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged}, + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged, + dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9] interface=org.freedesktop.Avahi.ServiceBrowser member={AllForNow,CacheExhausted}, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 1bc95f96..352c5534 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -18,6 +18,7 @@ profile plymouthd @{exec_path} { signal (send) peer=unconfined, + unix type=stream addr="@/org/freedesktop/plymouthd", unix type=stream peer=(addr="@/org/freedesktop/plymouthd"), @{exec_path} mr, @@ -27,6 +28,7 @@ profile plymouthd @{exec_path} { /etc/default/keyboard r, @{run}/udev/data/+drm:* r, + @{run}/udev/data/c226:* r, @{sys}/bus/ r, @{sys}/class/ r, @@ -38,6 +40,8 @@ profile plymouthd @{exec_path} { @{PROC}/cmdline r, /dev/dri/card[0-9]* rw, + /dev/ptmx rw, + /dev/tty[0-9]* rw, include if exists } \ No newline at end of file 
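Review bot: Dropping the `owner` qualifier on `@{run}/user/@{uid}/pk-debconf-socket rw` means the rule no longer requires the socket to belong to the calling user, and nothing in the hunk records why. If `@{uid}` is a pattern rather than the caller's own uid (worth confirming against the tunables), the rule now covers that socket in any user's runtime directory. Presumably dpkg-preconfigure runs as root while the socket belongs to the session user, so the owner test could never match; if so, add a comment such as `# Socket is owned by the session user while this runs as root, so no owner match`. The same un-owned rule is added to the `frontend` profile later in this commit and needs the same comment. The profile body continues outside the hunk.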
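Review bot: The new plymouthd device rules carry no explanation, and `@{run}/udev/data/c226:* r` in particular is opaque unless the reader knows that character major 226 is the DRM subsystem. A trailing comment such as `# char major 226: DRM devices` would make the rule auditable. The same applies to `/dev/ptmx rw` and `/dev/tty[0-9]* rw` in the following hunk, which grant read/write on every virtual console. A line like `# Splash rendering and console handover on the VTs` (if that is the reason) would record why the grant is that wide.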
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4e25042e..22c62c33 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -34,7 +34,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager - member={SessionNew,PrepareForShutdown}, + member={SessionNew,SessionRemoved,PrepareForShutdown}, dbus bind bus=system name=org.freedesktop.UPower, diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index f5d261f9..cf42bd74 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService +@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService profile gnome-characters-backgroudservice @{exec_path} { include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index ff76bcc6..1efb4649 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -61,7 +61,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=ListCachedUsers, + member={ListCachedUsers,FindUserById}, dbus send bus=system path=/net/hadess/SwitcherooControl interface=org.freedesktop.DBus.Properties 
@@ -107,7 +107,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-background-properties/{,**} r, - /usr/share/gnome-bluetooth/{,**} r, + /usr/share/gnome-bluetooth{-*,}/{,**} r, /usr/share/gnome-color-manager/{,**} r, /usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome/gnome-version.xml r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 1c02e938..4f68eb92 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -15,6 +15,7 @@ profile gnome-control-center-goa-helper @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 46e8c9c6..19c42c25 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -31,6 +31,7 @@ profile gnome-music @{exec_path} { /{usr/,}bin/ r, /{usr/,}bin/python3.[0-9]* rix, + /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index bbf8f817..9054d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -23,6 +23,9 @@ profile gnome-terminal-server @{exec_path} { /{usr/,}bin/{,b,d,rb}ash rUx, /{usr/,}bin/{c,k,tc,z}sh rUx, + # Some CLI program can be launched directly from Gnome Shell + /{usr/,}bin/htop rPx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 9f9f7459..69d17130 100644 --- a/apparmor.d/groups/pacman/pacman-key 
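Review bot: `/{usr/,}bin/htop rPx` in the gnome-terminal-server hunk only works while a profile that attaches to htop is loaded; with `Px` and no matching profile the exec is refused rather than falling back to inherit or unconfined. If that dependency is intended, state it in the comment, e.g. `# Some CLI programs can be launched directly from GNOME Shell (needs the htop profile loaded)`, which also fixes the singular "program". The profile body continues outside the hunk.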
+++ b/apparmor.d/groups/pacman/pacman-key @@ -43,11 +43,14 @@ profile pacman-key @{exec_path} { profile gpg { include + include + include capability dac_read_search, capability mknod, /{usr/,}bin/gpg mr, + /{usr/,}bin/dirmngr rix, /{usr/,}bin/gpg-agent rix, /usr/share/pacman/keyrings/{,*} r, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 4e21b840..f754f9fa 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -39,15 +39,20 @@ profile bootctl @{exec_path} { @{run}/host/container-manager r, + @{sys}//class/tpmrm/ r, + @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderEntrySelected-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index a8290f4a..e26c4058 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -10,6 +10,8 @@ include profile systemd-machine-id-setup @{exec_path} { include + capability dac_override, + @{exec_path} mr, /etc/machine-id rw, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 9b9e028b..c410568f 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved 
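Review bot: `/{usr/,}bin/dirmngr rix` runs the network-facing key fetcher inside the `gpg` sub-profile, so it inherits `capability dac_read_search` and `capability mknod` shown just above it. dirmngr handles keyserver responses, so it is the part of this chain most exposed to untrusted input and the one that least needs those capabilities. Consider transitioning it to its own profile instead (for example `rPx` to a dedicated dirmngr profile) that holds only the network and certificate rules it needs. The `gpg` sub-profile continues past the end of the hunk, so there may be further rules that are not visible here.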
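Review bot: `@{sys}//class/tpmrm/ r,` in the bootctl hunk has a doubled slash after the variable, while every other rule in the hunk is written `@{sys}/...`. The parser may well normalise it, but the rule should read `@{sys}/class/tpmrm/ r,` so that it matches the path a reader or a grep would look for. The profile body continues outside the hunk.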
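Review bot: `capability dac_override,` is a broad grant for systemd-machine-id-setup, whose only file rule visible in the hunk is `/etc/machine-id rw`: it lets the process bypass discretionary permission checks on every path the profile allows. The hunk does not say which denial prompted it. If the logged denial was a refused read or directory search, `capability dac_read_search,` is the narrower fit. Otherwise add a comment naming the file and situation that need the override, e.g. `# <path> is not writable via DAC when <condition>`. The profile continues past the hunk.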
@@ -11,6 +11,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 31ecf983..54adc87e 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -49,8 +49,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { /{usr/,}{s,}bin/* rPUx, - /{usr,/}lib/pm-utils/power.d/* rPUx, - /{usr,/}lib/snapd/snap-device-helper rPx, + /{usr/,}lib/pm-utils/power.d/* rPUx, + /{usr/,}lib/snapd/snap-device-helper rPx, /{usr/,}lib/crda/* rPUx, /{usr/,}lib/gdm-runtime-config rPx, /{usr/,}lib/systemd/systemd-* rPx, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 5d581cdd..c9456448 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -18,7 +18,7 @@ profile apt-esm-hook @{exec_path} { /etc/machine-id r, - /var/cache/apt/pkgcache.bin.* rw, + /var/cache/apt/pkgcache.bin* rw, /var/lib/ubuntu-advantage/messages/{,**} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 9ba79f93..97ab7349 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -13,5 +13,7 @@ profile apt-esm-json-hook @{exec_path} { @{exec_path} mr, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index a1dab06b..c2b43c28 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -30,7 +30,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*} interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}} - member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll}, + member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache}, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -54,13 +54,14 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/hwe-support-status rPx, - /{usr/,}bin/ischroot rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/snap rPUx, - /{usr/,}bin/uname rix, - /{usr/,}lib/apt/methods/http{,s} rPx, + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/hwe-support-status rPx, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/snap rPUx, + /{usr/,}bin/software-properties-gtk rPx, + /{usr/,}bin/uname rix, + /{usr/,}lib/apt/methods/http{,s} rPx, /usr/share/distro-info/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -70,6 +71,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /usr/share/update-manager/{,**} r, /usr/share/X11/{,**} r, + /etc/gnome/defaults.list r, /etc/machine-id r, /etc/update-manager/{,**} r, @@ -82,6 +84,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /var/lib/update-manager/{,**} rw, owner @{user_cache_dirs}/update-manager-core/{,**} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 7c8f4d7c..e279b484 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
@@ -21,7 +21,9 @@ profile containerd @{exec_path} { /{usr/,}bin/containerd-shim-runc-v2 rPUx, /{usr/,}bin/kmod rPx, + /etc/cni/ rw, /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /var/lib/containerd/{,**} rwk, @@ -30,6 +32,8 @@ profile containerd @{exec_path} { @{run}/docker/containerd/{,**} rwk, /opt/containerd/{,**} rw, + @{run}/systemd/notify w, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, owner @{PROC}/@{pids}/uid_map r, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 60c06ef3..5ff00d20 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/aa-notify profile aa-notify @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 8d609ba3..bc053307 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -11,6 +11,7 @@ include profile appstreamcli @{exec_path} flags=(complain) { include include + include capability dac_read_search, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index bda09990..8bf1bb58 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -10,12 +10,12 @@ include profile font-manager @{exec_path} { include include - include - include include + include include - include include + include + include include network inet dgram, @@ -29,6 +29,8 @@ profile font-manager @{exec_path} { /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/font-manager/ rw, owner @{user_cache_dirs}/font-manager/* rwk, 
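Review bot: In the containerd hunk the two new write grants under `/etc`, `/etc/cni/ rw,` and `/etc/cni/net.d/ rw,`, are split by the existing `/etc/cni/{,**} r,` and carry no comment, so it is easy to misread them as write access to the CNI configuration itself. Because both paths end in `/`, they cover only the directories, and files below them stay read-only through the `**` rule. Keep the two lines adjacent and say so, e.g. `# containerd creates these directories when missing; config files stay read-only`, if that is indeed why they were added.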
@@ -47,18 +49,16 @@ profile font-manager @{exec_path} { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/{,**} r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/smaps r, - @{PROC}zoneinfo r, - - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/{,**} r, + @{PROC}/zoneinfo r, # Silencer owner /var/cache/fontconfig/ w, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 215f7ef6..c2c9a6ff 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -18,12 +18,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { network netlink raw, dbus receive bus=system path=/net/reactivated/Fprint/Manager - interface=net.reactivated.Fprint.Manager - member={GetDefaultDevice,GetDevices}, - - dbus receive bus=system path=/net/reactivated/Fprint/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll, + interface={org.freedesktop.DBus.Properties,net.reactivated.Fprint.Manager}, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -33,7 +28,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login[0-9]), dbus bind bus=system name=net.reactivated.Fprint, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 46a762f5..9e018e0a 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend 
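Review bot: Merging the two fprintd `dbus receive` rules drops both `member=` filters. The profile now accepts any method on `net.reactivated.Fprint.Manager` and on `org.freedesktop.DBus.Properties` (including `Set`) at `/net/reactivated/Fprint/Manager`, where it previously accepted only `GetDefaultDevice`, `GetDevices` and `GetAll`. If the merge was only meant to shorten the profile, keep the allow-list by following the combined `interface={org.freedesktop.DBus.Properties,net.reactivated.Fprint.Manager}` line with `member={GetAll,GetDefaultDevice,GetDevices},`. If additional members were being denied, add them by name rather than removing the filter.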
@@ -23,13 +23,14 @@ profile frontend @{exec_path} flags=(complain) { /{usr/,}bin/locale rix, # debconf apps + /{usr/,}{s,}bin/aspell-autobuildhash rPx, + /{usr/,}{s,}bin/pam-auth-update rPx, /{usr/,}bin/adequate rPx, /{usr/,}bin/debconf-apt-progress rPx, - /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, /{usr/,}bin/linux-check-removal rPx, /{usr/,}bin/ucf rPx, - /{usr/,}sbin/pam-auth-update rPx, - /{usr/,}sbin/aspell-autobuildhash rPx, + /{usr/,}bin/whiptail rPx, + /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, /usr/share/debian-security-support/check-support-status.hook rPx, # Run the package maintainer's scripts @@ -55,13 +56,16 @@ profile frontend @{exec_path} flags=(complain) { /{usr/,}lib/dkms/dkms-* rPUx, /{usr/,}lib/dkms/dkms_* rPUx, - /etc/debconf.conf r, /usr/share/debconf/{,**} r, + + /etc/debconf.conf r, + /etc/inputrc r, + /etc/shadow r, + + owner /tmp/file* w, owner /var/cache/debconf/* rwk, - /etc/inputrc r, - - /etc/shadow r, + @{run}/user/@{uid}/pk-debconf-socket rw, # The following is needed when debconf uses GUI frontends. include @@ -74,11 +78,6 @@ profile frontend @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - # The following is needed when debconf uses dialog/whiptail frontend. - /{usr/,}bin/whiptail rPx, - owner /tmp/file* w, - - profile scripts flags=(complain) { include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 471ab9f3..8f217fbe 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -86,11 +86,14 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /dev/bus/usb/ r, /dev/bus/usb/[0-9]*/[0-9]* rw, /dev/drm_dp_aux[0-9]* rw, + /dev/gpiochip[0-9]* r, /dev/hidraw[0-9]* rw, /dev/mei[0-9]* rw, /dev/mem r, + /dev/mtd[0-9]* rw, /dev/sd[a-z]* r, /dev/tpm[0-9]* rw, + /dev/tpmrm[0-9]* rw, /dev/wmi/* r, profile gpg flags=(complain) { 
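Review bot: `/dev/mtd[0-9]* rw` and `/dev/tpmrm[0-9]* rw` in the fwupd hunk give the daemon raw flash and TPM resource-manager access, and the lines do not say which fwupd feature needs them. The hunk header shows the profile carries `flags=(complain,attach_disconnected)`, so these rules are not enforced today but become the effective boundary once the profile is switched to enforce, which makes them worth justifying now. A short comment such as `# raw flash access for MTD-based firmware updates` on the mtd line (if that is the reason) would do. Note also that `[0-9]*` matches any suffix after the first digit, so the pattern is wider than a plain device number.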
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 6de8a18f..7df34f07 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -32,7 +32,7 @@ profile ifup @{exec_path} { /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}sbin/sysctl rCx -> sysctl, + /{usr/,}{s,}bin/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -114,7 +114,7 @@ profile ifup @{exec_path} { capability sys_admin, # capability sys_resource, - /{usr/,}sbin/sysctl mr, + /{usr/,}{s,}bin/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index f270780b..e3308c76 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -19,6 +19,7 @@ profile lspci @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/[0-9]*/address r, @{sys}/devices/pci[0-9]*/** r, /usr/share/hwdata/pci.ids r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 1cbe45a1..c9d803ba 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -50,6 +50,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw, + @{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 2ee51148..528944ec 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors 
@@ -27,6 +27,7 @@ profile sensors @{exec_path} { @{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r, @{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/pci[0-9]*/**/name r, + @{sys}/devices/platform/**/power_supply/**/hwmon[0-9]*/curr1_max r, @{sys}/devices/virtual/hwmon/hwmon[0-9]* r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r,