From f73da4a04651895c03c61f76c6b6038a5e8b9f36 Mon Sep 17 00:00:00 2001 
From: Mikhail Morfikov Date: Sun, 25 Oct 2020 10:23:34 +0100 Subject: [PATCH] update apparmor profiles --- apparmor.d/abstractions/X | 11 ++--- .../abstractions/dbus-network-manager-strict | 45 +++++++++++++++++++ apparmor.d/abstractions/deny-dconf | 2 +- apparmor.d/abstractions/disks-read | 42 ++++++++--------- apparmor.d/abstractions/disks-write | 42 ++++++++--------- apparmor.d/abstractions/exo-open | 5 ++- apparmor.d/abstractions/fonts | 3 +- apparmor.d/abstractions/gio-open | 3 ++ apparmor.d/abstractions/gnome | 2 + apparmor.d/abstractions/gvfs-open | 3 ++ apparmor.d/abstractions/hosts_access | 13 ++++++ apparmor.d/abstractions/kde-open5 | 4 +- apparmor.d/abstractions/kde5-plasma5 | 10 ++--- apparmor.d/abstractions/mdns | 1 + apparmor.d/abstractions/nameservice | 4 +- apparmor.d/abstractions/postfix-common | 4 +- apparmor.d/abstractions/trash | 4 +- apparmor.d/abstractions/vulkan | 5 +++ apparmor.d/abstractions/wayland | 6 +-- apparmor.d/abstractions/xdg-open | 5 ++- apparmor.d/amarok | 4 +- apparmor.d/apt-cdrom | 6 +-- apparmor.d/aptitude | 2 +- apparmor.d/blkid | 4 +- apparmor.d/bluetoothd | 2 +- apparmor.d/brave | 2 +- apparmor.d/btrfs | 4 +- apparmor.d/btrfstune | 4 +- apparmor.d/calibre | 4 +- apparmor.d/cawbird | 4 +- apparmor.d/cfdisk | 4 +- apparmor.d/cgrulesengd | 2 +- apparmor.d/chromium-chromium | 2 +- apparmor.d/code | 4 +- apparmor.d/colord | 4 +- apparmor.d/colord-sane | 4 +- apparmor.d/cron | 4 +- apparmor.d/cron-apt-listbugs | 2 +- apparmor.d/cron-mlocate | 2 +- apparmor.d/dbus-daemon | 6 +-- apparmor.d/dconf-editor | 4 +- apparmor.d/dconf-service | 4 +- apparmor.d/ddclient | 2 +- apparmor.d/dhclient | 4 +- apparmor.d/dhclient-script | 2 +- apparmor.d/dirmngr | 4 +- apparmor.d/discord | 2 +- apparmor.d/dpkg-buildpackage | 10 ++++- apparmor.d/dropbox | 4 +- apparmor.d/dumpe2fs | 4 +- apparmor.d/e2fsck | 4 +- apparmor.d/exim4 | 4 +- apparmor.d/exo-compose-mail | 2 +- apparmor.d/firefox | 2 +- apparmor.d/firejail-default | 27 +++++++---- 
apparmor.d/fsck | 8 ++-- apparmor.d/gnome-keyring-daemon | 4 +- apparmor.d/google-chrome-chrome | 2 +- apparmor.d/gparted | 6 +-- apparmor.d/gpartedbin | 8 ++-- apparmor.d/gpg | 18 ++++++++ apparmor.d/gpg-agent | 2 +- apparmor.d/hw-probe | 4 +- apparmor.d/hwinfo | 2 +- apparmor.d/ifup | 6 +-- apparmor.d/initd-kexec | 4 +- apparmor.d/initd-kexec-load | 4 +- apparmor.d/initd-kmod | 4 +- apparmor.d/inxi | 4 +- apparmor.d/ip | 6 +-- apparmor.d/kconfig-hardened-check | 5 +++ apparmor.d/keepassxc | 10 ++--- apparmor.d/keepassxc-proxy | 4 +- apparmor.d/kodi | 2 +- apparmor.d/light-locker | 6 +-- apparmor.d/lightdm | 4 +- apparmor.d/lintian | 27 ++++++++++- apparmor.d/lsblk | 2 +- apparmor.d/lsusb | 4 +- apparmor.d/mke2fs | 4 +- apparmor.d/mount | 6 +-- apparmor.d/mpv | 8 ++-- apparmor.d/mumble | 4 +- apparmor.d/networkctl | 6 +-- apparmor.d/nvidia_modprobe | 2 + apparmor.d/openvpn | 2 +- apparmor.d/opera | 2 +- apparmor.d/polkitd | 4 +- apparmor.d/ps | 2 +- apparmor.d/psi-plus | 2 +- apparmor.d/pulseaudio | 12 ++--- apparmor.d/quiterss | 2 +- apparmor.d/rsyslogd | 4 +- apparmor.d/scdaemon | 6 +-- apparmor.d/sddm | 16 +++---- apparmor.d/sddm-greeter | 2 +- apparmor.d/sddm-xsession | 2 +- apparmor.d/ssh-agent | 2 +- apparmor.d/strawberry | 4 +- apparmor.d/sudo | 6 +-- apparmor.d/synaptic | 2 +- apparmor.d/systemd-analyze | 8 ++-- apparmor.d/systemd-fsck | 2 +- apparmor.d/systemd-fsckd | 2 +- apparmor.d/systemd-journald | 28 ++++++------ apparmor.d/systemd-networkd | 16 +++---- apparmor.d/systemd-networkd-wait-online | 2 +- apparmor.d/systemd-rfkill | 4 +- apparmor.d/systemd-timesyncd | 4 +- apparmor.d/thinkfan | 2 +- apparmor.d/tunables/global | 1 + apparmor.d/tunables/run | 1 + apparmor.d/tune2fs | 4 +- apparmor.d/ucf | 2 +- apparmor.d/udevadm | 6 +-- apparmor.d/udisksd | 20 ++++----- apparmor.d/umount | 6 +-- apparmor.d/updatedb-mlocate | 2 +- apparmor.d/upowerd | 16 +++---- apparmor.d/usbguard-applet-qt | 2 +- apparmor.d/usbguard-daemon | 2 +- apparmor.d/usr.bin.irssi | 
11 ++--- apparmor.d/usr.bin.pidgin | 2 - apparmor.d/usr.bin.totem | 5 +++ apparmor.d/usr.sbin.apt-cacher-ng | 2 + apparmor.d/usr.sbin.dnsmasq | 8 ++-- apparmor.d/virt-manager | 10 ++--- apparmor.d/vlc | 12 ++--- apparmor.d/wpa-gui | 2 +- apparmor.d/wpa-supplicant | 6 +-- apparmor.d/wpa_cli | 2 +- apparmor.d/x11-xsession | 2 +- apparmor.d/xinit | 2 +- apparmor.d/xorg | 32 ++++++------- 134 files changed, 496 insertions(+), 339 deletions(-) create mode 100644 apparmor.d/abstractions/dbus-network-manager-strict create mode 100644 apparmor.d/abstractions/hosts_access create mode 100644 apparmor.d/tunables/run diff --git a/apparmor.d/abstractions/X b/apparmor.d/abstractions/X index 5c9a4b20..194e81d5 100644 --- a/apparmor.d/abstractions/X +++ b/apparmor.d/abstractions/X @@ -22,11 +22,12 @@ # .Xauthority files required for X connections, per user owner @{HOME}/.Xauthority r, owner @{HOME}/.local/share/sddm/.Xauthority r, - owner /{,var/}run/gdm{,3}/*/database r, - owner /{,var/}run/lightdm/authority/[0-9]* r, - owner /{,var/}run/lightdm/*/xauthority r, - owner /{,var/}run/user/*/gdm/Xauthority r, - owner /{,var/}run/user/*/X11/Xauthority r, + owner @{run}/gdm{,3}/*/database r, + owner @{run}/lightdm/authority/[0-9]* r, + owner @{run}/lightdm/*/xauthority r, + owner @{run}/user/*/gdm/Xauthority r, + owner @{run}/user/*/X11/Xauthority r, + owner @{run}/user/*/xauth_* r, # the unix socket to use to connect to the display /tmp/.X11-unix/* rw, diff --git a/apparmor.d/abstractions/dbus-network-manager-strict b/apparmor.d/abstractions/dbus-network-manager-strict new file mode 100644 index 00000000..889a9a85 --- /dev/null +++ b/apparmor.d/abstractions/dbus-network-manager-strict 
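Review bot: The new `owner @{run}/user/*/xauth_* r,` line carries no comment saying which program creates those files, while every neighbouring entry is a recognisable display-manager path; `# xauth_* is the per-session XAUTHORITY that startx/xinit creates under $XDG_RUNTIME_DIR` (presumably — confirm against xinit's startx script) would orient the next reader. The whole rewrite also hinges on `@{run}` from the new `apparmor.d/tunables/run`, which is outside this chunk; if it expands to plain `/run/` rather than `/{,var/}run/`, every converted rule silently drops the `/var/run/` alternative, so that definition is worth reviewing alongside this hunk.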
@@ -0,0 +1,45 @@ +# vim:syntax=apparmor + + dbus send + bus=system + path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.NetworkManager), + + dbus send + bus=system + path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetDevices + peer=(name=org.freedesktop.NetworkManager), + + dbus send + bus=system + path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.NetworkManager), + + dbus send + bus=system + path=/org/freedesktop/NetworkManager/Devices/[0-9]* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.NetworkManager), + + dbus send + bus=system + path=/org/freedesktop/NetworkManager/Settings + interface=org.freedesktop.NetworkManager.Settings + member={GetDevices,ListConnections} + peer=(name=org.freedesktop.NetworkManager), + + dbus send + bus=system + path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=org.freedesktop.NetworkManager), + + #include if exists diff --git a/apparmor.d/abstractions/deny-dconf b/apparmor.d/abstractions/deny-dconf index 9cfea1e7..bc7683bc 100644 --- a/apparmor.d/abstractions/deny-dconf +++ b/apparmor.d/abstractions/deny-dconf @@ -16,7 +16,7 @@ # When this is blocked, expect lots of the following errors: # dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. # dconf will not work properly. - deny owner /{var/,}run/user/[0-9]*/dconf/{,**} rw, + deny owner @{run}/user/[0-9]*/dconf/{,**} rw, deny owner @{HOME}/.config/dconf/{,**} rw, deny owner @{HOME}/.cache/dconf/{,**} rw, diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 2ef3363e..288af63c 100644 --- a/apparmor.d/abstractions/disks-read 
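Review bot: The new abstraction has no header comment saying what it grants or why it is "strict", although the sibling `hosts_access` added in this commit does carry a header. A two-line comment after the vim modeline, describing it as read-only NetworkManager state queries (GetAll/GetDevices/ListConnections/GetSettings) and stating that mutating calls and `GetSecrets` on the `Settings.Connection` interface are deliberately left out, would tell profile authors what they get and what they still have to add themselves. The `member={GetDevices,ListConnections}` on the `org.freedesktop.NetworkManager.Settings` interface also looks odd — as far as I recall GetDevices is a method of the manager interface, which the second rule already covers — so it is worth verifying with `busctl introspect` before shipping.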
+++ b/apparmor.d/abstractions/disks-read 
@@ -60,27 +60,27 @@ # changes, it's better to allow the whole range (240-254) instead of the single major numbers # visible in the /proc/devices file. # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - /{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices + 
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk* - /{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr* - /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd* - /{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* + @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* + @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* + @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{var/,}run/udev/data/+usb:* r, # for ? + @{run}/udev/data/+usb:* r, # for ? diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index c6932073..42bce3d7 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write 
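Review bot: The rewritten `@{run}/udev/data/+usb:* r, # for ?` line keeps the placeholder comment, so a reader still cannot tell what the rule grants; the same placeholder survives in the disks-write hunk and, as an empty `#`, in the calibre, colord and colord-sane hunks. udev keeps property records for devices that have no device node under `+<subsystem>:<sysname>` (for example `+usb:1-1` for a USB device or interface), so `# udev property records of USB devices/interfaces without a device node (+subsystem:sysname)` would document it — please confirm against `ls /run/udev/data` on a host with USB devices attached.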
@@ -60,27 +60,27 @@ # changes, it's better to allow the whole range (240-254) instead of the single major numbers # visible in the /proc/devices file. # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - /{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices + 
@{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices - /{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk* - /{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr* - /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd* - /{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* + @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* + @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* + @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{var/,}run/udev/data/+usb:* r, # for ? + @{run}/udev/data/+usb:* r, # for ? diff --git a/apparmor.d/abstractions/exo-open b/apparmor.d/abstractions/exo-open index 466fa65b..6b14afa5 100644 --- a/apparmor.d/abstractions/exo-open +++ b/apparmor.d/abstractions/exo-open @@ -65,7 +65,10 @@ /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r, # User files - owner @{HOME}/.local/share/xfce4/helpers/*.desktop r, owner @{PROC}/@{pid}/fd/ r, owner @{HOME}/.config/xfce4/helpers.rc r, + owner @{HOME}/.local/share/xfce4/helpers/*.desktop r, + + # Include additions to the abstraction + #include if exists 
diff --git a/apparmor.d/abstractions/fonts b/apparmor.d/abstractions/fonts index e34fb0cc..5d7b173e 100644 --- a/apparmor.d/abstractions/fonts +++ b/apparmor.d/abstractions/fonts @@ -14,8 +14,7 @@ /usr/lib/xorg/modules/fonts/**.so* mr, - /usr/share/fonts/ r, - /usr/share/fonts/** r, + /usr/share/fonts/{,**} r, /usr/share/fonts-*/{,**} r, /etc/fonts/** r, diff --git a/apparmor.d/abstractions/gio-open b/apparmor.d/abstractions/gio-open index 91c866df..ec6b1873 100644 --- a/apparmor.d/abstractions/gio-open +++ b/apparmor.d/abstractions/gio-open @@ -52,3 +52,6 @@ owner @{HOME}/.config/mimeapps.list r, owner @{HOME}/.local/share/applications/{,*.desktop} r, owner @{PROC}/@{pid}/fd/ r, + + # Include additions to the abstraction + #include if exists diff --git a/apparmor.d/abstractions/gnome b/apparmor.d/abstractions/gnome index 65811c04..5bb2fc26 100644 --- a/apparmor.d/abstractions/gnome +++ b/apparmor.d/abstractions/gnome @@ -26,6 +26,7 @@ /usr/lib/@{multiarch}/gtk-[0-9]*/** mr, /usr/share/themes/ r, /usr/share/themes/** r, + /usr/share/gtk-3.0/settings.ini r, # for gnome 1 applications /etc/orbitrc r, @@ -87,6 +88,7 @@ /usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/* r, @{PROC}/@{pid}/mounts r, + /run/mount/utab r, # printing /etc/papersize r, diff --git a/apparmor.d/abstractions/gvfs-open b/apparmor.d/abstractions/gvfs-open index 2b1237ca..397423da 100644 --- a/apparmor.d/abstractions/gvfs-open +++ b/apparmor.d/abstractions/gvfs-open @@ -40,3 +40,6 @@ /usr/bin/gvfs-open r, /{,usr/}bin/dash mr, + + # Include additions to the abstraction + #include if exists diff --git a/apparmor.d/abstractions/hosts_access b/apparmor.d/abstractions/hosts_access new file mode 100644 index 00000000..a4ffb022 --- /dev/null +++ b/apparmor.d/abstractions/hosts_access 
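Review bot: The added `/run/mount/utab r,` in the second gnome hunk hard-codes `/run/` while the rest of this commit moves run-time paths to the `@{run}` tunable (apt-cdrom in the same series becomes `@{run}/mount/utab{,.*} rw,`), so this abstraction would be the one place where the `/var/run/` spelling is not covered; `@{run}/mount/utab r,` keeps it consistent. A why-comment is also missing — the surrounding lines are the gvfs remote-volume-monitor block, so `# libmount userspace mount table, read by the gvfs volume monitors` (presumably; confirm) would place it.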
@@ -0,0 +1,13 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + /etc/hosts.deny r, + /etc/hosts.allow r, diff --git a/apparmor.d/abstractions/kde-open5 b/apparmor.d/abstractions/kde-open5 index f385cf64..4fb651ea 100644 --- a/apparmor.d/abstractions/kde-open5 +++ b/apparmor.d/abstractions/kde-open5 @@ -33,7 +33,7 @@ # # # Add if audio support for message box is # # considered as required. -# include if exists +# #include if exists # # # < add additional allowed applications here > # } @@ -100,3 +100,5 @@ owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) owner @{HOME}/.cache/kio_http/ rw, + # Include additions to the abstraction + #include if exists diff --git a/apparmor.d/abstractions/kde5-plasma5 b/apparmor.d/abstractions/kde5-plasma5 index 30c4493f..e0f13103 100644 --- a/apparmor.d/abstractions/kde5-plasma5 +++ b/apparmor.d/abstractions/kde5-plasma5 @@ -28,8 +28,8 @@ # includes this abstraction) #owner @{HOME}/.config/#[0-9]*[0-9] rwk, #owner @{HOME}/.config/@{KDE_APP_NAME}rc* rwlk -> @{HOME}/.config/#[0-9]*[0-9], - #owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw, - #owner /{var/,}run/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9], + #owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw, + #owner @{run}/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9], # Common KDE config files #owner @{HOME}/.config/#[0-9]*[0-9] rw, 
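Review bot: The new hosts_access abstraction ends without the `# Include additions to the abstraction` / `#include if exists` tail that exo-open, gio-open, gvfs-open, kde-open5 and xdg-open gain in this same commit, so a local override for it cannot be dropped in without editing the shipped file. Adding the same two lines after `/etc/hosts.allow r,` keeps the abstractions uniform.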
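Review bot: The context line `owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*,` in the second kde-open5 hunk is left on the old spelling while the rest of this commit converts such rules to `@{run}`, and its link target looks like a typo in any case: `/{,var/}/run` expands to `//run/` or `/var//run/`, and `[0-9]` without `*` only covers single-digit UIDs, so the `l` permission probably never matches a real target (unverified). `owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]*/#[0-9]*,` would fix both in one line.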
@@ -57,9 +57,9 @@ #deny @{sys}/bus/ r, #deny @{sys}/bus/usb/devices/ r, #deny @{sys}/class/ r, - #deny /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc. - #deny /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc. - #deny /{var/,}run/udev/data/+usb:* r, # + #deny @{run}/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc. + #deny @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc. + #deny @{run}/udev/data/+usb:* r, # #/etc/exports r, #/etc/xdg/menus/ r, #/usr/share/mime/ r, diff --git a/apparmor.d/abstractions/mdns b/apparmor.d/abstractions/mdns index e05ef3a4..14c31b8c 100644 --- a/apparmor.d/abstractions/mdns +++ b/apparmor.d/abstractions/mdns @@ -9,5 +9,6 @@ # ------------------------------------------------------------------ # mdnsd + /etc/mdns.allow r, /etc/nss_mdns.conf r, /{,var/}run/mdnsd w, diff --git a/apparmor.d/abstractions/nameservice b/apparmor.d/abstractions/nameservice index cf34167e..a78a874d 100644 --- a/apparmor.d/abstractions/nameservice +++ b/apparmor.d/abstractions/nameservice @@ -30,8 +30,8 @@ /var/lib/extrausers/passwd r, # NSS records from systemd-userdbd.service - /{,var/}run/systemd/userdb/ r, - /{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, @{PROC}/sys/kernel/random/boot_id r, # When using sssd, the passwd and group files are stored in an alternate path diff --git a/apparmor.d/abstractions/postfix-common b/apparmor.d/abstractions/postfix-common index 3dc599af..b10f888f 100644 --- a/apparmor.d/abstractions/postfix-common +++ b/apparmor.d/abstractions/postfix-common 
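Review bot: The context line `/{,var/}run/mdnsd w,` directly after the added `/etc/mdns.allow r,` in the mdns hunk is left on the old spelling while the nameservice hunk in this same commit is converted to `@{run}`; `@{run}/mdnsd w,` would keep mdns on the same tunable as the rest of the tree.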
@@ -1,7 +1,8 @@ # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE -# Copyright (C) 2015 Canonical, Ltd. +# Copyright (C) 2015-2018 Canonical, Ltd. +# Copyright (C) 2020 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -31,6 +32,7 @@ /usr/lib{,32,64}/sasl2/ r, /usr/lib/@{multiarch}/sasl2/* mr, /usr/lib/@{multiarch}/sasl2/ r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /var/spool/postfix/etc/* r, /var/spool/postfix/lib/lib*.so* mr, diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash index 78b42f10..4b686ce9 100644 --- a/apparmor.d/abstractions/trash +++ b/apparmor.d/abstractions/trash @@ -16,8 +16,8 @@ owner @{HOME}/.config/#[0-9]*[0-9] rwk, owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9], - owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw, - owner /{var/,}run/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9], + owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw, + owner @{run}/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9], # Home trash location owner @{HOME}/.local/share/Trash/ rw, diff --git a/apparmor.d/abstractions/vulkan b/apparmor.d/abstractions/vulkan index 7f0d8cb9..04c8ec26 100644 --- a/apparmor.d/abstractions/vulkan +++ b/apparmor.d/abstractions/vulkan 
@@ -3,10 +3,15 @@ # System files /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa) + /etc/glvnd/egl_vendor.d/{*,.json} r, /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r, # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa) @{sys}/devices/pci[0-9]*/*/drm/ r, + @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so + @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so + @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so + /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/vulkan/icd.d/{,*.json} r, /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r, diff --git a/apparmor.d/abstractions/wayland b/apparmor.d/abstractions/wayland index 045865eb..384c7aeb 100644 --- a/apparmor.d/abstractions/wayland +++ b/apparmor.d/abstractions/wayland @@ -12,6 +12,6 @@ #abi , - owner /{,var/}run/user/[0-9]*/weston-shared-* rw, - owner /{,var/}run/user/[0-9]*/wayland-[0-9]* rw, - owner /{,var/}run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw, + owner @{run}/user/[0-9]*/weston-shared-* rw, + owner @{run}/user/[0-9]*/wayland-[0-9]* rw, + owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw, diff --git a/apparmor.d/abstractions/xdg-open b/apparmor.d/abstractions/xdg-open index a7692fae..67da04a4 100644 --- a/apparmor.d/abstractions/xdg-open +++ b/apparmor.d/abstractions/xdg-open @@ -24,7 +24,7 @@ # # # Enable gstreamer support if considered required by # # profile author for (rare) error message boxes. -# include if exists +# #include if exists # # # needed for ubuntu-* abstractions # #include @@ -79,3 +79,6 @@ # Usr files owner @{HOME}/.local/share/applications/{,*.desktop} r, + + # Include additions to the abstraction + #include if exists 
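Review bot: The added `/etc/glvnd/egl_vendor.d/{*,.json} r,` has the alternation in the wrong place: it expands to `egl_vendor.d/*` (every file in the directory, whatever its name) plus the literal `egl_vendor.d/.json`, and it does not grant the directory listing that the `/usr/share/glvnd/egl_vendor.d/{,*.json} r,` line added further down in the same hunk does. `/etc/glvnd/egl_vendor.d/{,*.json} r,` matches the sibling line and limits the grant to the vendor JSON files. The three new `card[0-9]/...` lines also only cover card0 through card9; if that is not intended, `card[0-9]*` is the form the file already uses in `pci[0-9]*`.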
diff --git a/apparmor.d/amarok b/apparmor.d/amarok index e0bc6ee2..1575916b 100644 --- a/apparmor.d/amarok +++ b/apparmor.d/amarok @@ -142,7 +142,7 @@ profile amarok @{exec_path} { /usr/share/icons/*/index.theme rk, - /{var/,}run/user/[0-9]*/ksocket-*/amarok*.slave-socket rw, + @{run}/user/[0-9]*/ksocket-*/amarok*.slave-socket rw, # What's this for? deny /etc/mysql/** r, @@ -162,7 +162,7 @@ profile amarok @{exec_path} { deny @{sys}/devices/virtual/sound/seq/uevent r, deny @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{manufacturer,product,uevent,type} r, deny @{sys}/devices/system/node/ r, - deny /{,var/}run/udev/data/* r, + deny @{run}/udev/data/* r, # To generate the crash log info in Amarok /{usr/,}bin/gdb rCx -> gdb, diff --git a/apparmor.d/apt-cdrom b/apparmor.d/apt-cdrom index f9ec2bf6..217004ca 100644 --- a/apparmor.d/apt-cdrom +++ b/apparmor.d/apt-cdrom @@ -34,7 +34,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{sys}/class/ r, @{sys}/class/*/ r, @{sys}/devices/**/uevent r, - /{var/,}run/udev/data/* r, + @{run}/udev/data/* r, /etc/fstab r, @@ -80,8 +80,8 @@ profile apt-cdrom @{exec_path} flags=(complain) { /{usr/,}bin/umount mr, - /{var/,}run/mount/utab{,.*} rw, - /{var/,}run/mount/utab.lock rwk, + @{run}/mount/utab{,.*} rw, + @{run}/mount/utab.lock rwk, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/aptitude b/apparmor.d/aptitude index 60a3e772..c04bde3f 100644 --- a/apparmor.d/aptitude +++ b/apparmor.d/aptitude @@ -146,7 +146,7 @@ profile aptitude @{exec_path} flags=(complain) { /var/lib/debtags/vocabulary r, /{usr/,}bin/su rPx, - /{var/,}run/lock/aptitude rwk, + @{run}/lock/aptitude rwk, /usr/share/aptitude/ r, /usr/share/aptitude/* r, /var/lib/aptitude/pkgstates{,.old,.new} rw, diff --git a/apparmor.d/blkid b/apparmor.d/blkid index 2fe0ffb9..0dbe7cce 100644 --- a/apparmor.d/blkid +++ b/apparmor.d/blkid 
@@ -25,8 +25,8 @@ profile blkid @{exec_path} { # The standard location of the cache file # Without owner here if this tool should be used as a regular user - /{,var/}run/blkid/blkid.tab{,-*} rw, - /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + @{run}/blkid/blkid.tab{,-*} rw, + @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, # When the system doesn't have the /run/ dir, the cache file is placed under /etc/ /etc/blkid.tab{,-*} rw, /etc/blkid.tab.old rwl -> /etc/blkid.tab, diff --git a/apparmor.d/bluetoothd b/apparmor.d/bluetoothd index b7db1f1b..5c5bfe76 100644 --- a/apparmor.d/bluetoothd +++ b/apparmor.d/bluetoothd @@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} { /dev/rfkill rw, /dev/hidraw[0-9]* rw, - /{,var/}run/sdp rw, + @{run}/sdp rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/platform/**/rfkill/**/name r, diff --git a/apparmor.d/brave b/apparmor.d/brave index 63e3921d..e5af3ffe 100644 --- a/apparmor.d/brave +++ b/apparmor.d/brave @@ -172,7 +172,7 @@ profile brave @{exec_path} { @{sys}/devices/**/uevent r, @{sys}/class/ r, @{sys}/class/**/ r, - /{,var/}run/udev/data/* r, + @{run}/udev/data/* r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, diff --git a/apparmor.d/btrfs b/apparmor.d/btrfs index e54fd8a0..35093b74 100644 --- a/apparmor.d/btrfs +++ b/apparmor.d/btrfs @@ -25,8 +25,8 @@ profile btrfs @{exec_path} { @{exec_path} mr, - /{var/,}run/blkid/blkid.tab{,-*} rw, - /{var/,}run/blkid/blkid.tab.old rwl -> /run/blkid/blkid.tab, + @{run}/blkid/blkid.tab{,-*} rw, + @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/btrfstune b/apparmor.d/btrfstune index 146a62a7..c799f57f 100644 --- a/apparmor.d/btrfstune +++ b/apparmor.d/btrfstune 
@@ -23,8 +23,8 @@ profile btrfstune @{exec_path} { @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, - owner /{,var/}run/blkid/blkid.tab{,-*} rw, - owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, #include if exists } diff --git a/apparmor.d/calibre b/apparmor.d/calibre index 1074ec35..92e6535d 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre @@ -156,8 +156,8 @@ profile calibre @{exec_path} { @{sys}/devices/pci[0-9]*/**/irq r, - /{,var/}run/udev/data/+usb* r, # - /{,var/}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/+usb* r, # + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** /dev/shm/ r, /dev/shm/#[0-9]*[0-9] rw, diff --git a/apparmor.d/cawbird b/apparmor.d/cawbird index a7352d53..f7d44058 100644 --- a/apparmor.d/cawbird +++ b/apparmor.d/cawbird @@ -50,7 +50,7 @@ profile cawbird @{exec_path} { # This is needed as cawbird stores its settings in the dconf database. #include - /{var/,}run/user/[0-9]*/dconf/user rw, + @{run}/user/[0-9]*/dconf/user rw, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -60,7 +60,7 @@ profile cawbird @{exec_path} { # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. - owner /{var/,}run/user/[0-9]*/orcexec.* mrw, + owner @{run}/user/[0-9]*/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, #owner /tmp/orcexec.* mrw, diff --git a/apparmor.d/cfdisk b/apparmor.d/cfdisk index 01b14509..cea54cf9 100644 --- a/apparmor.d/cfdisk +++ b/apparmor.d/cfdisk @@ -27,8 +27,8 @@ profile cfdisk @{exec_path} { /etc/fstab r, - owner /{,var/}run/blkid/blkid.tab{,-*} rw, - owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, 
diff --git a/apparmor.d/cgrulesengd b/apparmor.d/cgrulesengd index b4d71003..83443fdd 100644 --- a/apparmor.d/cgrulesengd +++ b/apparmor.d/cgrulesengd @@ -43,7 +43,7 @@ profile cgrulesengd @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{PROC}/cgroups r, - owner /{var/,}run/cgred.socket w, + owner @{run}/cgred.socket w, /etc/cgconfig.conf r, /etc/cgrules.conf r, diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium index 0dab0c8f..7b652637 100644 --- a/apparmor.d/chromium-chromium +++ b/apparmor.d/chromium-chromium @@ -149,7 +149,7 @@ profile chromium-chromium @{exec_path} { @{sys}/devices/**/uevent r, @{sys}/class/ r, @{sys}/class/**/ r, - /{,var/}run/udev/data/* r, + @{run}/udev/data/* r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, diff --git a/apparmor.d/code b/apparmor.d/code index 0fd838ca..fc7690db 100644 --- a/apparmor.d/code +++ b/apparmor.d/code @@ -133,8 +133,8 @@ profile code @{exec_path} { owner "/tmp/VSCode Crashes/" rw, owner /tmp/vscode-typescript[0-9]*/ rw, - owner /{var/,}run/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw, - owner /{var/,}run/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw, + owner @{run}/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw, + owner @{run}/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw, owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw, # For installing extensions diff --git a/apparmor.d/colord b/apparmor.d/colord index 08ae8d16..f13da5f7 100644 --- a/apparmor.d/colord +++ b/apparmor.d/colord 
@@ -39,8 +39,8 @@ profile colord @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,bDeviceClass,removable} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{var/,}run/udev/data/+usb:* r, # + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/colord-sane b/apparmor.d/colord-sane index d1fa9c53..842c1367 100644 --- a/apparmor.d/colord-sane +++ b/apparmor.d/colord-sane @@ -38,8 +38,8 @@ profile colord-sane @{exec_path} flags=(complain) { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,busnum,devnum,speed,descriptors} r, @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{var/,}run/udev/data/+usb:* r, # + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # @{PROC}/sys/dev/parport/ r, diff --git a/apparmor.d/cron b/apparmor.d/cron index 4eee4614..85673b3c 100644 --- a/apparmor.d/cron +++ b/apparmor.d/cron @@ -61,8 +61,8 @@ profile cron @{exec_path} { /var/spool/cron/crontabs/{,*} r, - owner /{,var/}run/crond.pid rwk, - owner /{,var/}run/crond.reboot rw, + owner @{run}/crond.pid rwk, + owner @{run}/crond.reboot rw, owner /tmp/#[0-9]*[0-9] rw, diff --git a/apparmor.d/cron-apt-listbugs b/apparmor.d/cron-apt-listbugs index 0ee72b1d..f1f1b3ec 100644 --- a/apparmor.d/cron-apt-listbugs +++ b/apparmor.d/cron-apt-listbugs @@ -22,7 +22,7 @@ profile cron-apt-listbugs @{exec_path} { /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean, - /{var/,}run/systemd/system r, + @{run}/systemd/system r, profile prefclean { diff --git a/apparmor.d/cron-mlocate b/apparmor.d/cron-mlocate index 3a677dd1..fecc519e 100644 --- a/apparmor.d/cron-mlocate +++ b/apparmor.d/cron-mlocate 
@@ -31,7 +31,7 @@ profile cron-mlocate @{exec_path} { /{usr/,}bin/updatedb.mlocate rPx, /{usr/,}sbin/on_ac_power rPx, - /{var/,}run/mlocate.daily.lock rwk, + @{run}/mlocate.daily.lock rwk, #include if exists } diff --git a/apparmor.d/dbus-daemon b/apparmor.d/dbus-daemon index 2c319bd7..4a126d20 100644 --- a/apparmor.d/dbus-daemon +++ b/apparmor.d/dbus-daemon @@ -40,9 +40,9 @@ profile dbus-daemon @{exec_path} { /usr/share/defaults/**.conf r, - /{var/,}run/systemd/users/[0-9]* r, - owner /{var/,}run/user/[0-9]*/dbus-1/ rw, - owner /{var/,}run/user/[0-9]*/dbus-1/services/ rw, + @{run}/systemd/users/[0-9]* r, + owner @{run}/user/[0-9]*/dbus-1/ rw, + owner @{run}/user/[0-9]*/dbus-1/services/ rw, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/dconf-editor b/apparmor.d/dconf-editor index dbe45ef7..7f83c13d 100644 --- a/apparmor.d/dconf-editor +++ b/apparmor.d/dconf-editor @@ -25,8 +25,8 @@ profile dconf-editor @{exec_path} { @{exec_path} mr, - owner /{var/,}run/user/[0-9]*/dconf/ rw, - owner /{var/,}run/user/[0-9]*/dconf/user rw, + owner @{run}/user/[0-9]*/dconf/ rw, + owner @{run}/user/[0-9]*/dconf/user rw, # When GSETTINGS_BACKEND=keyfile owner @{HOME}/.config/glib-2.0/ rw, diff --git a/apparmor.d/dconf-service b/apparmor.d/dconf-service index 64006b68..29a49a91 100644 --- a/apparmor.d/dconf-service +++ b/apparmor.d/dconf-service @@ -22,8 +22,8 @@ profile dconf-service @{exec_path} { @{exec_path} mr, - owner /{,var/}run/user/[0-9]*/dconf/ rw, - owner /{,var/}run/user/[0-9]*/dconf/user rw, + owner @{run}/user/[0-9]*/dconf/ rw, + owner @{run}/user/[0-9]*/dconf/user rw, owner @{HOME}/.config/dconf/ rw, owner @{HOME}/.config/dconf/user{,.*} rw, diff --git a/apparmor.d/ddclient b/apparmor.d/ddclient index 391b865f..d5bc7658 100644 --- a/apparmor.d/ddclient +++ b/apparmor.d/ddclient @@ -29,7 +29,7 @@ profile ddclient @{exec_path} { /etc/ddclient.conf r, - /{,var/}run/ddclient.pid rw, + @{run}/ddclient.pid rw, /var/cache/ddclient/ddclient.cache rw, 
diff --git a/apparmor.d/dhclient b/apparmor.d/dhclient index a4977591..462b3814 100644 --- a/apparmor.d/dhclient +++ b/apparmor.d/dhclient @@ -40,8 +40,8 @@ profile dhclient @{exec_path} { /etc/dhcp/{,**} r, /var/lib/dhcp{,3}/dhclient* rw, - owner /{,var/}run/dhclient*.pid rw, - owner /{,var/}run/dhclient*.lease* rw, + owner @{run}/dhclient*.pid rw, + owner @{run}/dhclient*.lease* rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/dhclient-script b/apparmor.d/dhclient-script index b2ce161d..070c8575 100644 --- a/apparmor.d/dhclient-script +++ b/apparmor.d/dhclient-script @@ -86,7 +86,7 @@ profile dhclient-script @{exec_path} { owner /tmp/variables.txt w, # For ntpd/ntpsec - /{var/,}run/systemd/netif/leases/ r, + @{run}/systemd/netif/leases/ r, # file_inherit /var/lib/dhcp/dhclient.leases r, diff --git a/apparmor.d/dirmngr b/apparmor.d/dirmngr index 06355628..b125fe6e 100644 --- a/apparmor.d/dirmngr +++ b/apparmor.d/dirmngr @@ -29,8 +29,8 @@ profile dirmngr @{exec_path} { /usr/share/gnupg/sks-keyservers.netCA.pem r, - owner /{var/,}run/user/[0-9]*/gnupg/ rw, - owner /{var/,}run/user/[0-9]*/gnupg/S.dirmngr rw, + owner @{run}/user/[0-9]*/gnupg/ rw, + owner @{run}/user/[0-9]*/gnupg/S.dirmngr rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/discord b/apparmor.d/discord index 18904ec0..26d5ed98 100644 --- a/apparmor.d/discord +++ b/apparmor.d/discord @@ -125,7 +125,7 @@ profile discord @{exec_path} { owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner /{var/,}run/user/[0-9]*/discord-ipc-[0-9] rw, + owner @{run}/user/[0-9]*/discord-ipc-[0-9] rw, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/dpkg-buildpackage b/apparmor.d/dpkg-buildpackage index 0b776896..7c9cfd32 100644 --- a/apparmor.d/dpkg-buildpackage +++ b/apparmor.d/dpkg-buildpackage 
@@ -66,10 +66,16 @@ profile dpkg-buildpackage @{exec_path} flags=(complain) {
 /{usr/,}bin/patch rix,
 /{usr/,}bin/diff rix,
+ /{usr/,}bin/gpg rix,
+ /{usr/,}bin/gpgv rix,
+ /{usr/,}bin/gpg-agent rix,
+ /etc/dpkg/origins/debian r,
- owner /tmp/*.diff.* rw,
- owner /tmp/* rw,
+ owner /tmp/** rwkl -> /tmp/**,
+ owner @{run}/user/[0-9]*/gnupg/** w,
+
+ @{PROC}/@{pid}/fd/ r,
 /usr/share/dpkg/tupletable r,
 /usr/share/dpkg/cputable r,
diff --git a/apparmor.d/dropbox b/apparmor.d/dropbox
index 13a4721f..b47fc0a8 100644
--- a/apparmor.d/dropbox
+++ b/apparmor.d/dropbox
@@ -83,7 +83,7 @@ profile dropbox @{exec_path} {
 @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
 @{sys}/devices/virtual/block/loop[0-9]/ r,
 @{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
- /{,var/}run/mount/utab r,
+ @{run}/mount/utab r,
 deny @{PROC}/ r, # Dropbox doesn't sync without the 'stat' file
@@ -117,7 +117,7 @@ profile dropbox @{exec_path} {
 owner /tmp/#[0-9]*[0-9] rw,
 owner /var/tmp/etilqs_* rw,
- /{,var/}run/systemd/users/[0-9]* r,
+ @{run}/systemd/users/[0-9]* r,
 deny @{sys}/module/apparmor/parameters/enabled r,
diff --git a/apparmor.d/dumpe2fs b/apparmor.d/dumpe2fs
index b663845a..0abb92a0 100644
--- a/apparmor.d/dumpe2fs
+++ b/apparmor.d/dumpe2fs
@@ -21,8 +21,8 @@ profile dumpe2fs @{exec_path} {
 @{exec_path} mr,
- owner /{,var/}run/blkid/blkid.tab{,-*} rw,
- owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+ owner @{run}/blkid/blkid.tab{,-*} rw,
+ owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 # Image files
 @{HOME}/** r,
diff --git a/apparmor.d/e2fsck b/apparmor.d/e2fsck
index 1ae7e81b..355f4824 100644
--- a/apparmor.d/e2fsck
+++ b/apparmor.d/e2fsck
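Review bot: `owner /tmp/** rwkl -> /tmp/**,` replaces the two narrow /tmp rules with recursive write, lock and link on every user-owned path under /tmp, which reaches far beyond the `*.diff.*` scratch files the old rules covered; the profile is in complain mode, so the logged denials should show which build directories are actually touched, and the rule could then be tied to those patterns instead of `/tmp/**`. Separately, `/{usr/,}bin/gpg rix,` and `/{usr/,}bin/gpg-agent rix,` run the signing tools inside this complain-mode profile although this same patch ships dedicated `gpg` and `gpg-agent` profiles; `/{usr/,}bin/gpg rPx,` and `/{usr/,}bin/gpg-agent rPx,` would keep them under their own confinement, and `gpgv` could follow the same pattern if a profile exists for it.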
@@ -25,8 +25,8 @@ profile e2fsck @{exec_path} { /{usr/,}bin/dash rix, /{usr/,}sbin/badblocks rPx, - owner /{,var/}run/blkid/blkid.tab{,-*} rw, - owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/exim4 b/apparmor.d/exim4 index 52fdd845..c68ebf3e 100644 --- a/apparmor.d/exim4 +++ b/apparmor.d/exim4 @@ -51,9 +51,9 @@ profile exim4 @{exec_path} { owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w, owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*, - owner /{,var/}run/exim4/exim.pid rw, + owner @{run}/exim4/exim.pid rw, - owner /{,var/}run/dbus/system_bus_socket rw, + owner @{run}/dbus/system_bus_socket rw, # file_inherit /tmp/#[0-9]*[0-9] rw, diff --git a/apparmor.d/exo-compose-mail b/apparmor.d/exo-compose-mail index fe3e96f0..b23968b8 100644 --- a/apparmor.d/exo-compose-mail +++ b/apparmor.d/exo-compose-mail @@ -22,7 +22,7 @@ profile exo-compose-mail @{exec_path} { /{usr/,}bin/perl r, # Mail clients - /usr/bin/thunderbird rPx, + /{usr/,}bin/thunderbird rPx, /{usr/,}lib/thunderbird/thunderbird rPx, /{usr/,}lib/thunderbird/thunderbird-bin rPx, diff --git a/apparmor.d/firefox b/apparmor.d/firefox index 7e9c8bcb..dd2568f5 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -204,7 +204,7 @@ profile firefox @{exec_path} { /{usr/,}bin/telegram-desktop rPx, /{usr/,}bin/spacefm rPx, /{usr/,}bin/qpdfview rPx, - /{usr/,}share/xfce4/exo/exo-compose-mail rPx, + /usr/share/xfce4/exo/exo-compose-mail rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/firejail-default b/apparmor.d/firejail-default index e7ded1ed..e396ae7d 100644 --- a/apparmor.d/firejail-default +++ b/apparmor.d/firejail-default 
@@ -2,6 +2,10 @@
 # Generic Firejail AppArmor profile
 #########################################
+# AppArmor 3.0 uses the @{run} variable in
+# and .
+#include
+
 ##########
 # A simple PID declaration based on Ubuntu's @{pid}
 # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
@@ -19,6 +23,8 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #include
 #include
 dbus,
+# Add rule in order to avoid dbus-*=filter breakage (#3432)
+owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
@@ -47,6 +53,10 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
 owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
+# Allow writing to /var/mail and /var/spool/mail (for mail clients)
+# Uncomment to enable
+#owner /var/{mail,spool/mail}/** w,
+
 # Allow writing to removable media
 owner /{,var/}run/media/** w,
@@ -60,18 +70,17 @@ owner /{,var/}run/media/** w,
 # Allow access to pcscd socket (smartcards)
 /{,var/}run/pcscd/pcscd.comm w,
-# Needed for firefox sandbox
-/proc/@{PID}/{uid_map,gid_map,setgroups} w,
+# Needed for browser self-sandboxing
+owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 # Needed for electron apps
 /proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
-# Silence noise
-deny /proc/@{PID}/oom_adj w,
-deny /proc/@{PID}/oom_score_adj w,
-
-# Uncomment to silence all denied write warnings
-#deny /sys/** w,
+# Used by chromium
+owner /proc/@{PID}/oom_score_adj w,
+owner /proc/@{PID}/clear_refs w,
 ##########
 # Allow running programs only from well-known system directories. If you need
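Review bot: The `@@ -60,18 +70,17 @@` hunk drops `deny /proc/@{PID}/oom_adj w,` without a replacement, so writes to `oom_adj` remain denied but lose the quiet `deny` the former "Silence noise" block provided and will now be reported in the audit log; if the goal was only to allow chromium's `oom_score_adj` write, keep `deny /proc/@{PID}/oom_adj w,` next to the new rules. The new `owner /proc/@{PID}/oom_score_adj w,` lets a sandboxed process change its own OOM score; the kernel only lets an unprivileged task raise it (lowering it below the inherited minimum needs CAP_SYS_RESOURCE), so the exposure is small, but a one-line comment such as `# unprivileged tasks can only raise their own score` would save the next reader the lookup. The comment on `clear_refs` says only `# Used by chromium`; stating what chromium uses it for would make the grant easier to re-evaluate later.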
@@ -80,7 +89,7 @@ deny /proc/@{PID}/oom_score_adj w, /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix, /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix, /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix, -/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix, +/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix, /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix, #/{,run/firejail/mnt/oroot/}home/** ix, diff --git a/apparmor.d/fsck b/apparmor.d/fsck index b5673596..97b6a11a 100644 --- a/apparmor.d/fsck +++ b/apparmor.d/fsck @@ -28,16 +28,16 @@ profile fsck @{exec_path} { @{PROC}/partitions r, owner @{PROC}/@{pid}/mountinfo r, - owner /{,var/}run/fsck/ rw, - owner /{,var/}run/fsck/*.lock rwk, + owner @{run}/fsck/ rw, + owner @{run}/fsck/*.lock rwk, # When a mount dir is passed to fsck as an argument. /media/*/ r, /boot/ r, /home/ r, - owner /{,var/}run/blkid/blkid.tab{,-*} rw, - owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, #include if exists } diff --git a/apparmor.d/gnome-keyring-daemon b/apparmor.d/gnome-keyring-daemon index ee909354..6c282383 100644 --- a/apparmor.d/gnome-keyring-daemon +++ b/apparmor.d/gnome-keyring-daemon @@ -32,8 +32,8 @@ profile gnome-keyring-daemon @{exec_path} { owner @{HOME}/.ssh/ r, owner @{HOME}/.ssh/** r, - owner /{,var/}run/user/[0-9]*/keyring/ rw, - owner /{,var/}run/user/[0-9]*/keyring/* rw, + owner @{run}/user/[0-9]*/keyring/ rw, + owner @{run}/user/[0-9]*/keyring/* rw, #include if exists } diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome index 7c1e3b9c..cd962e24 100644 --- a/apparmor.d/google-chrome-chrome +++ b/apparmor.d/google-chrome-chrome 
@@ -157,7 +157,7 @@ profile google-chrome-chrome @{exec_path} { @{sys}/devices/**/uevent r, @{sys}/class/ r, @{sys}/class/**/ r, - /{,var/}run/udev/data/* r, + @{run}/udev/data/* r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, diff --git a/apparmor.d/gparted b/apparmor.d/gparted index bae81d0c..856f6e3a 100644 --- a/apparmor.d/gparted +++ b/apparmor.d/gparted @@ -29,8 +29,8 @@ profile gparted @{exec_path} { /{usr/,}lib/udisks2/udisks2-inhibit rix, /usr/libexec/udisks2/udisks2-inhibit rix, - /{var/,}run/udev/rules.d/ rw, - /{var/,}run/udev/rules.d/90-udisks-inhibit.rules rw, + @{run}/udev/rules.d/ rw, + @{run}/udev/rules.d/90-udisks-inhibit.rules rw, /{usr/,}bin/udevadm rCx -> udevadm, @@ -63,7 +63,7 @@ profile gparted @{exec_path} { @{sys}/** r, @{sys}/devices/virtual/block/**/uevent rw, @{sys}/devices/pci[0-9]*/**/block/**/uevent rw, - /{var/,}run/udev/data/* r, + @{run}/udev/data/* r, } diff --git a/apparmor.d/gpartedbin b/apparmor.d/gpartedbin index 0eea5cc7..3d53afd0 100644 --- a/apparmor.d/gpartedbin +++ b/apparmor.d/gpartedbin @@ -134,7 +134,7 @@ profile gpartedbin @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - /{var/,}run/mount/utab r, + @{run}/mount/utab r, # For fsck of the btrfs filesystem owner /tmp/gparted-*/ rw, @@ -181,9 +181,9 @@ profile gpartedbin @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, - owner /{,var/}run/mount/ rw, - owner /{,var/}run/mount/utab{,.*} rw, - owner /{,var/}run/mount/utab.lock wk, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rw, + owner @{run}/mount/utab.lock wk, } diff --git a/apparmor.d/gpg b/apparmor.d/gpg index 8ac11573..f48156df 100644 --- a/apparmor.d/gpg +++ b/apparmor.d/gpg 
@@ -51,6 +51,24 @@ profile gpg @{exec_path} {
 # For spamassassin
 owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**,
+ # For lintian
+ owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r,
+ owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r,
+ owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw,
+ owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+ owner /tmp/*/trustdb.gpg rw,
+ owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+ owner /tmp/*/pubring.kbx rw,
+ owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+ owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+ owner /tmp/*.gpg rw,
+ owner /tmp/*.gpg~ w,
+ owner /tmp/*.gpg.tmp rw,
+ owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
+ owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
+ owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
+ owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
+
 # Verify files
 owner @{HOME}/** r,
 owner /media/*/** r,
diff --git a/apparmor.d/gpg-agent b/apparmor.d/gpg-agent
index 89c81e38..a2448f02 100644
--- a/apparmor.d/gpg-agent
+++ b/apparmor.d/gpg-agent
@@ -43,7 +43,7 @@ profile gpg-agent @{exec_path} {
 # For debuild
 owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,
- owner /{var/,}run/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
+ owner @{run}/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
 @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/hw-probe b/apparmor.d/hw-probe
index 1102b2ba..8f1f7623 100644
--- a/apparmor.d/hw-probe
+++ b/apparmor.d/hw-probe
@@ -130,7 +130,7 @@ profile hw-probe @{exec_path} {
 /{usr/,}bin/journalctl mr,
- /{var/,}run/log/ rw,
+ @{run}/log/ rw,
 /{run,var}/log/journal/ rw,
 /{run,var}/log/journal/[0-9a-f]*/ rw,
 /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
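Review bot: `owner /tmp/*/trustdb.gpg rw,`, `owner /tmp/*/pubring.kbx rw,` and the `/tmp/*/.#lk0x…` lock rules let gpg create and modify a keyring in any user-owned directory directly under /tmp, which is wider than the lintian case the `# For lintian` heading describes. The two `signing-key.asc` rules just above show that the lintian directories have recognisable names (`/tmp/temp-lintian-lab-*`, `/tmp/lintian-pool-*`); if lintian's gpg home lives under one of them, the keyring rules could be anchored there, e.g. `owner /tmp/{temp-lintian-lab,lintian-pool}-*/**/trustdb.gpg rw,` — worth checking against the actual denials before narrowing. The `owner /tmp/*.gpg rw,` / `owner /tmp/*.gpg.tmp rw,` lines are not lintian-specific either and would read better under their own comment.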
@@ -189,7 +189,7 @@ profile hw-probe @{exec_path} { @{sys}/class/ r, @{sys}/class/*/ r, @{sys}/devices/**/uevent r, - /{var/,}run/udev/data/* r, + @{run}/udev/data/* r, } diff --git a/apparmor.d/hwinfo b/apparmor.d/hwinfo index f992b95a..d21cd145 100644 --- a/apparmor.d/hwinfo +++ b/apparmor.d/hwinfo @@ -108,7 +108,7 @@ profile hwinfo @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{sys}/** r, - /{var/,}run/udev/data/* r, + @{run}/udev/data/* r, # file_inherit owner /tmp/hwinfo*.txt rw, diff --git a/apparmor.d/ifup b/apparmor.d/ifup index 4ec6da23..eff86866 100644 --- a/apparmor.d/ifup +++ b/apparmor.d/ifup @@ -37,9 +37,9 @@ profile ifup @{exec_path} { /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, - /{var/,}run/network/ rw, - /{var/,}run/network/{.,}ifstate* rwk, - /{var/,}run/network/{ifup,ifdown}-*.pid rw, + @{run}/network/ rw, + @{run}/network/{.,}ifstate* rwk, + @{run}/network/{ifup,ifdown}-*.pid rw, # For setting a USB modem owner /dev/ttyUSB[0-9]* rw, diff --git a/apparmor.d/initd-kexec b/apparmor.d/initd-kexec index 38e6fc37..5bfb5f8d 100644 --- a/apparmor.d/initd-kexec +++ b/apparmor.d/initd-kexec @@ -63,8 +63,8 @@ profile initd-kexec @{exec_path} { /dev/kmsg w, - owner /{var/,}run/systemd/ask-password/ rw, - owner /{var/,}run/systemd/ask-password-block/* rw, + owner @{run}/systemd/ask-password/ rw, + owner @{run}/systemd/ask-password-block/* rw, } diff --git a/apparmor.d/initd-kexec-load b/apparmor.d/initd-kexec-load index a9a4e419..92620ba6 100644 --- a/apparmor.d/initd-kexec-load +++ b/apparmor.d/initd-kexec-load @@ -78,8 +78,8 @@ profile initd-kexec-load @{exec_path} { /dev/kmsg w, - owner /{var/,}run/systemd/ask-password/ rw, - owner /{var/,}run/systemd/ask-password-block/* rw, + owner @{run}/systemd/ask-password/ rw, + owner @{run}/systemd/ask-password-block/* rw, } diff --git a/apparmor.d/initd-kmod b/apparmor.d/initd-kmod index a4126249..267d1f5b 100644 --- a/apparmor.d/initd-kmod +++ b/apparmor.d/initd-kmod 
@@ -58,8 +58,8 @@ profile initd-kmod @{exec_path} {
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
- owner /{var/,}run/systemd/ask-password/ rw,
- owner /{var/,}run/systemd/ask-password-block/* rw,
+ owner @{run}/systemd/ask-password/ rw,
+ owner @{run}/systemd/ask-password-block/* rw,
 }
diff --git a/apparmor.d/inxi b/apparmor.d/inxi
index dc6ac4f7..939daa9d 100644
--- a/apparmor.d/inxi
+++ b/apparmor.d/inxi
@@ -77,7 +77,7 @@ profile inxi @{exec_path} {
 @{HOME}/.local/share/xorg/ r,
 @{HOME}/.local/share/xorg/Xorg.[0-9]*.log r,
- /{var/,}run/ r,
+ @{run}/ r,
 @{PROC}/asound/ r,
 @{PROC}/asound/version r,
@@ -144,7 +144,7 @@ profile inxi @{exec_path} {
 @{PROC}/sys/kernel/osrelease r,
 @{sys}/devices/pci[0-9]*/**/block/**/uevent r,
- /{var/,}run/udev/data/b* r,
+ @{run}/udev/data/b* r,
 }
diff --git a/apparmor.d/ip b/apparmor.d/ip
index 5629647a..3432e14c 100644
--- a/apparmor.d/ip
+++ b/apparmor.d/ip
@@ -35,14 +35,14 @@ profile ip @{exec_path} flags=(attach_disconnected) {
 mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,
 mount fstype=sysfs -> /sys/,
- umount /{var/,}run/netns/*,
+ umount @{run}/netns/*,
 umount /sys/,
 /etc/iproute2/{,**} r,
 / r,
- owner /{var/,}run/netns/ rw,
- /{var/,}run/netns/* rw,
+ owner @{run}/netns/ rw,
+ @{run}/netns/* rw,
 /etc/netns/*/ r,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/kconfig-hardened-check b/apparmor.d/kconfig-hardened-check
index 72e661e9..58d8fb4b 100644
--- a/apparmor.d/kconfig-hardened-check
+++ b/apparmor.d/kconfig-hardened-check
@@ -23,8 +23,13 @@ profile kconfig-hardened-check @{exec_path} {
 /{usr/,}bin/ r,
+
+ # The usual kernel config locations
 /boot/config-* r,
 @{PROC}/config.gz r,
+ # This is for kernels, which are built manually
+ owner /**/.config r,
+
 #include if exists
 }
diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc
index 30d6acba..f31fed9e 100644
--- a/apparmor.d/keepassxc
+++ b/apparmor.d/keepassxc
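Review bot: `owner /**/.config r,` in the kconfig-hardened-check hunk grants read on any user-owned path named `.config` anywhere in the filesystem, not only inside kernel build trees, which is broader than the `# This is for kernels, which are built manually` comment suggests. Restricting it to where kernel sources normally live — e.g. `owner /usr/src/**/.config r,` and `owner @{HOME}/**/.config r,` — keeps the stated intent without the blanket grant. If the wide form is deliberate, the comment should say so, e.g. `# any .config the user owns, wherever the kernel tree was unpacked`.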
@@ -89,8 +89,8 @@ profile keepassxc @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,speed,descriptors} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{var/,}run/udev/data/+usb:* r, # + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # /dev/bus/usb/ r, /dev/shm/#[0-9]*[0-9] rw, @@ -100,10 +100,10 @@ profile keepassxc @{exec_path} { owner @{HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, - owner /{var/,}run/user/[0-9]*/.[a-zA-Z]*/{,s} rw, - owner /{var/,}run/user/[0-9]*/kpxc_server rw, + owner @{run}/user/[0-9]*/.[a-zA-Z]*/{,s} rw, + owner @{run}/user/[0-9]*/kpxc_server rw, - owner /{var/,}run/user/[0-9]*/org.keepassxc.KeePassXC.BrowserServer w, + owner @{run}/user/[0-9]*/org.keepassxc.KeePassXC.BrowserServer w, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/keepassxc-proxy b/apparmor.d/keepassxc-proxy index 0e0e816a..a729a170 100644 --- a/apparmor.d/keepassxc-proxy +++ b/apparmor.d/keepassxc-proxy @@ -24,8 +24,8 @@ profile keepassxc-proxy @{exec_path} { @{exec_path} mr, # file_inherit - deny owner /{var/,}run/user/[0-9]*/.[a-zA-Z]*/{,s} rw, - deny owner /{var/,}run/user/[0-9]*/kpxc_server rw, + deny owner @{run}/user/[0-9]*/.[a-zA-Z]*/{,s} rw, + deny owner @{run}/user/[0-9]*/kpxc_server rw, deny /dev/shm/org.chromium.* rw, deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # diff --git a/apparmor.d/kodi b/apparmor.d/kodi index 66e8a19c..47dc35f8 100644 --- a/apparmor.d/kodi +++ b/apparmor.d/kodi 
@@ -87,7 +87,7 @@ profile kodi @{exec_path} {
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
- /{var/,}run/udev/data/* r,
+ @{run}/udev/data/* r,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
diff --git a/apparmor.d/light-locker b/apparmor.d/light-locker
index 08bf6076..108996fa 100644
--- a/apparmor.d/light-locker
+++ b/apparmor.d/light-locker
@@ -33,14 +33,14 @@ profile light-locker @{exec_path} {
 owner @{PROC}/@{pid}/cgroup r,
 # when locking the screen and switching/closing sessions
- /{,var/}run/systemd/sessions/[0-9]* r,
+ @{run}/systemd/sessions/[0-9]* r,
 # To silecne the following error:
 # dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
 # dconf will not work properly.
 ##include
- #owner /{var/,}run/user/[0-9]*/dconf/ w,
- #owner /{var/,}run/user/[0-9]*/dconf/user rw,
+ #owner @{run}/user/[0-9]*/dconf/ w,
+ #owner @{run}/user/[0-9]*/dconf/user rw,
 #include
 @{sys}/devices/pci[0-9]*/**/uevent r,
diff --git a/apparmor.d/lightdm b/apparmor.d/lightdm
index cf1f800e..325c6f2a 100644
--- a/apparmor.d/lightdm
+++ b/apparmor.d/lightdm
@@ -99,8 +99,8 @@ profile lightdm @{exec_path} {
 /var/log/lightdm/{,**} rw,
 /var/log/btmp wk,
- /{,var/}run/lightdm/{,**} rw,
- /{,var/}run/lightdm.pid rw,
+ @{run}/lightdm/{,**} rw,
+ @{run}/lightdm.pid rw,
 @{PROC}/1/limits r,
 /etc/security/limits.d/ r,
diff --git a/apparmor.d/lintian b/apparmor.d/lintian
index d7005909..73af3857 100644
--- a/apparmor.d/lintian
+++ b/apparmor.d/lintian
@@ -53,6 +53,7 @@ profile lintian @{exec_path} flags=(complain) {
 /{usr/,}bin/filterdiff rix,
 /{usr/,}bin/lexgrog rix,
 /{usr/,}bin/mv rix,
+ /usr/bin/cp rix,
 /{usr/,}bin/{,@{multiarch}-}ar rix,
 /{usr/,}bin/{,@{multiarch}-}readelf rix,
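Review bot: `/usr/bin/cp rix,` in the lintian hunk breaks with the `/{usr/,}bin/…` form every neighbouring rule uses (`mv`, `lexgrog`, `ar`), so on a system without merged /usr, where cp lives in /bin, the rule will not match; `/{usr/,}bin/cp rix,` keeps both the style and the coverage. The same applies to `/usr/bin/dash rix,` and `/usr/bin/xgettext rix,` in the new `intltool` child profile (hunk `@@ -158,7 +163,27 @@`). That child profile also has no comment saying what it confines; a line such as `# helper scripts from intltool-debian, presumably run for po-debconf checks` above `profile intltool` would help, with the purpose confirmed against the denials that motivated it.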
@@ -65,6 +66,8 @@ profile lintian @{exec_path} flags=(complain) {
 /{usr/,}bin/man rPx,
 /{usr/,}bin/dpkg-architecture rPx,
+ /usr/share/intltool-debian/* rCx -> intltool,
+
 /usr/share/lintian/{,**} rk,
 /etc/lintianrc r,
@@ -85,6 +88,8 @@ profile lintian @{exec_path} flags=(complain) {
 owner /tmp/*/random_seed w,
 owner /tmp/* rw,
+ owner /tmp/lintian-po-debconf-*/ rw,
+ owner /tmp/lintian-po-debconf-*/** rw,
 # For pbuilder
 owner @{BUILD_DIR}/**.{changes,dsc,buildinfo,tar.*,deb} rk,
@@ -158,7 +163,27 @@ profile lintian @{exec_path} flags=(complain) {
 owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
 owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
 owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
- owner /{var/,}run/user/[0-9]*/gnupg/d.*/ rw,
+ owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
+
+ # file_inherit
+ owner /tmp/* rw,
+
+ }
+
+
+ profile intltool flags=(complain) {
+ #include
+ #include
+
+ /usr/share/intltool-debian/* mrix,
+
+ /usr/bin/dash rix,
+ /usr/bin/xgettext rix,
+
+ /usr/share/gettext/** r,
+ /usr/share/gettext-*/** r,
+
+ owner /tmp/lintian-po-debconf-*/** rw,
 # file_inherit
 owner /tmp/* rw,
diff --git a/apparmor.d/lsblk b/apparmor.d/lsblk
index ccf871a6..3a1be948 100644
--- a/apparmor.d/lsblk
+++ b/apparmor.d/lsblk
@@ -24,7 +24,7 @@ profile lsblk @{exec_path} {
 @{PROC}/swaps r,
 owner @{PROC}/@{pid}/mountinfo r,
- /{var/,}run/mount/utab r,
+ @{run}/mount/utab r,
 #include if exists
 }
diff --git a/apparmor.d/lsusb b/apparmor.d/lsusb
index 41a34d97..0f4a4efa 100644
--- a/apparmor.d/lsusb
+++ b/apparmor.d/lsusb
@@ -28,8 +28,8 @@ profile lsusb @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r,
- /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
- /{var/,}run/udev/data/+usb:* r, #
+ @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ @{run}/udev/data/+usb:* r, #
 /etc/udev/hwdb.bin r,
diff --git a/apparmor.d/mke2fs b/apparmor.d/mke2fs
index 5eca554e..4c5b845c 100644
--- a/apparmor.d/mke2fs
+++ b/apparmor.d/mke2fs
@@ -30,8 +30,8 @@ profile mke2fs @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, - owner /{,var/}run/blkid/blkid.tab{,-*} rw, - owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, # A place for file images owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, diff --git a/apparmor.d/mount b/apparmor.d/mount index 48b0f8fd..13f00521 100644 --- a/apparmor.d/mount +++ b/apparmor.d/mount @@ -56,9 +56,9 @@ profile mount @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mountinfo r, - owner /{,var/}run/mount/ rw, - owner /{,var/}run/mount/utab{,.*} rw, - owner /{,var/}run/mount/utab.lock wk, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rw, + owner @{run}/mount/utab.lock wk, #include if exists } diff --git a/apparmor.d/mpv b/apparmor.d/mpv index b98e680e..02dce804 100644 --- a/apparmor.d/mpv +++ b/apparmor.d/mpv @@ -132,14 +132,14 @@ profile mpv @{exec_path} { @{sys}/devices/**/input/**/uevent r, @{sys}/devices/**/input/**/capabilities/* r, /dev/input/event[0-9]* r, - /{var/,}run/udev/data/+input:input[0-9]* r, - /{var/,}run/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/+input:input[0-9]* r, + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* # @{sys}/class/sound/ r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/**/sound/**/capabilities/* r, - /{var/,}run/udev/data/+sound:* r, - /{var/,}run/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/+sound:* r, + @{run}/udev/data/c116:[0-9]* r, # for ALSA # Be able to turn off the screensaver while playing movies /{usr/,}bin/xdg-screensaver rPUx, diff --git a/apparmor.d/mumble b/apparmor.d/mumble index 814bded5..94ae5427 100644 --- a/apparmor.d/mumble +++ b/apparmor.d/mumble 
@@ -55,8 +55,8 @@ profile mumble @{exec_path} { /dev/shm/MumbleLink.[0-9]*[0-9] rw, /dev/shm/#[0-9]*[0-9] rw, - owner /{var/,}run/user/[0-9]*/MumbleSocket rw, - owner /{var/,}run/user/[0-9]*/MumbleOverlayPipe rw, + owner @{run}/user/[0-9]*/MumbleSocket rw, + owner @{run}/user/[0-9]*/MumbleOverlayPipe rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/networkctl b/apparmor.d/networkctl index b2572944..6f2221f2 100644 --- a/apparmor.d/networkctl +++ b/apparmor.d/networkctl @@ -34,8 +34,8 @@ profile networkctl @{exec_path} flags=(complain) { @{sys}/devices/**/net/**/uevent r, - /{var/,}run/systemd/netif/links/[0-9]* r, - /{var/,}run/systemd/netif/state r, + @{run}/systemd/netif/links/[0-9]* r, + @{run}/systemd/netif/state r, owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/random/boot_id r, @@ -43,7 +43,7 @@ profile networkctl @{exec_path} flags=(complain) { /etc/udev/hwdb.bin r, # To be able to read logs - /{var/,}run/log/ r, + @{run}/log/ r, /{run,var}/log/journal/ r, /{run,var}/log/journal/[0-9a-f]*/ r, /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r, diff --git a/apparmor.d/nvidia_modprobe b/apparmor.d/nvidia_modprobe index 01f714ca..2c29b997 100644 --- a/apparmor.d/nvidia_modprobe +++ b/apparmor.d/nvidia_modprobe @@ -22,11 +22,13 @@ profile nvidia_modprobe { # System files + /dev/nvidia-modeset w, /dev/nvidia-uvm w, /dev/nvidia-uvm-tools w, @{sys}/bus/pci/devices/ r, @{sys}/devices/pci[0-9]*/**/config r, @{PROC}/devices r, + @{PROC}/driver/nvidia/params r, @{PROC}/modules r, @{PROC}/sys/kernel/modprobe r, diff --git a/apparmor.d/openvpn b/apparmor.d/openvpn index 8445f413..22021a10 100644 --- a/apparmor.d/openvpn +++ b/apparmor.d/openvpn @@ -43,7 +43,7 @@ profile openvpn @{exec_path} { /var/log/openvpn/*.log w, - /{,var/}run/openvpn/*.{pid,status} rw, + @{run}/openvpn/*.{pid,status} rw, /{usr/,}bin/ip rix, /{usr/,}bin/systemd-ask-password rCx -> systemd-ask-password, 
diff --git a/apparmor.d/opera b/apparmor.d/opera index 2a6f3272..e1e4d3fe 100644 --- a/apparmor.d/opera +++ b/apparmor.d/opera @@ -149,7 +149,7 @@ profile opera @{exec_path} { @{sys}/devices/**/uevent r, @{sys}/class/ r, @{sys}/class/**/ r, - /{,var/}run/udev/data/* r, + @{run}/udev/data/* r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, diff --git a/apparmor.d/polkitd b/apparmor.d/polkitd index fda4ea12..44e85cb8 100644 --- a/apparmor.d/polkitd +++ b/apparmor.d/polkitd @@ -43,8 +43,8 @@ profile polkitd @{exec_path} { owner /var/lib/polkit-1/.cache/ rw, - /{,var/}run/systemd/sessions/* r, - /{,var/}run/systemd/users/[0-9]* r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/[0-9]* r, #include if exists } diff --git a/apparmor.d/ps b/apparmor.d/ps index 3567009c..049acd22 100644 --- a/apparmor.d/ps +++ b/apparmor.d/ps @@ -57,7 +57,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/tty/drivers r, @{PROC}/uptime r, - /{var/,}run/systemd/sessions/[0-9]* r, + @{run}/systemd/sessions/[0-9]* r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus index eb9a3cca..6fa65683 100644 --- a/apparmor.d/psi-plus +++ b/apparmor.d/psi-plus @@ -89,7 +89,7 @@ profile psi-plus @{exec_path} { owner /tmp/#[0-9]*[0-9] rw, owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9], - /{var/,}run/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, /usr/share/hwdata/pnp.ids r, diff --git a/apparmor.d/pulseaudio b/apparmor.d/pulseaudio index d6d07587..0f54a353 100644 --- a/apparmor.d/pulseaudio +++ b/apparmor.d/pulseaudio 
@@ -42,8 +42,8 @@ profile pulseaudio @{exec_path} { # TCP wrap /etc/hosts.{allow,deny} r, - owner /{,var/}run/user/[0-9]*/ rw, - owner /{,var/}run/user/[0-9]*/pulse/{,*} rw, + owner @{run}/user/[0-9]*/ rw, + owner @{run}/user/[0-9]*/pulse/{,*} rw, /usr/share/applications/{,**} r, @@ -51,14 +51,14 @@ profile pulseaudio @{exec_path} { @{sys}/class/ r, @{sys}/class/sound/ r, @{sys}/devices/**/sound/**/{uevent,pcm_class} r, - /{,var/}run/udev/data/+sound* r, - /{,var/}run/udev/data/c116:[0-9]* r, # For ALSA + @{run}/udev/data/+sound* r, + @{run}/udev/data/c116:[0-9]* r, # For ALSA @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]/meminfo r, - /{,var/}run/systemd/users/[0-9]* r, + @{run}/systemd/users/[0-9]* r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, @@ -68,7 +68,7 @@ profile pulseaudio @{exec_path} { # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. - owner /{var/,}run/user/[0-9]*/orcexec.* mrw, + owner @{run}/user/[0-9]*/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, #owner /tmp/orcexec.* mrw, diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss index a2ef6272..59ee8b5a 100644 --- a/apparmor.d/quiterss +++ b/apparmor.d/quiterss @@ -71,7 +71,7 @@ profile quiterss @{exec_path} { # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. - owner /{var/,}run/user/[0-9]*/orcexec.* mrw, + owner @{run}/user/[0-9]*/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, #owner /tmp/orcexec.* mrw, diff --git a/apparmor.d/rsyslogd b/apparmor.d/rsyslogd index 83985d9d..ff37cc8b 100644 --- a/apparmor.d/rsyslogd +++ b/apparmor.d/rsyslogd 
@@ -44,8 +44,8 @@ profile rsyslogd @{exec_path} { /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, - owner /{,var/}run/rsyslogd.pid{,.tmp} rwk, - owner /{,var/}run/systemd/journal/syslog w, + owner @{run}/rsyslogd.pid{,.tmp} rwk, + owner @{run}/systemd/journal/syslog w, # log files and devices /var/log/** rw, diff --git a/apparmor.d/scdaemon b/apparmor.d/scdaemon index 3af56021..c73c96f3 100644 --- a/apparmor.d/scdaemon +++ b/apparmor.d/scdaemon @@ -21,12 +21,12 @@ profile scdaemon @{exec_path} { owner @{HOME}/.gnupg/scdaemon.conf r, - owner /{,var/}run/user/[0-9]*/gnupg/S.scdaemon rw, + owner @{run}/user/[0-9]*/gnupg/S.scdaemon rw, @{PROC}/@{pid}/task/@{tid}/comm rw, - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{var/,}run/udev/data/+usb:* r, # + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # /dev/bus/usb/ r, @{sys}/bus/ r, diff --git a/apparmor.d/sddm b/apparmor.d/sddm index a73f87e5..7015ad47 100644 --- a/apparmor.d/sddm +++ b/apparmor.d/sddm @@ -100,7 +100,7 @@ profile sddm @{exec_path} { owner @{HOME}/.local/share/kwalletd/ rw, owner @{HOME}/.local/share/kwalletd/kdewallet.salt rw, @{HOME}/.local/share/kwalletd/kdewallet.salt r, - owner /{,var/}run/user/[0-9]*/kwallet5.socket rw, + owner @{run}/user/[0-9]*/kwallet5.socket rw, /var/log/btmp wk, # Themes @@ -135,8 +135,8 @@ profile sddm @{exec_path} { /tmp/sddm-* rw, owner /tmp/*/{,s} rw, - owner /{,var/}run/sddm/ rw, - /{,var/}run/sddm/* w, + owner @{run}/sddm/ rw, + @{run}/sddm/* w, # Session error logs # Creating the dir structure is needed when a new user is logging in for the very first time @@ -165,7 +165,7 @@ profile sddm @{exec_path} { # Run SDDM on a specific TTY /dev/tty[0-9]* rw, - /{,var/}run/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/[0-9]*.ref rw, profile sddm-scripts { 
@@ -201,10 +201,10 @@ profile sddm @{exec_path} { owner @{HOME}/.Xauthority-n rw, owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n, - owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w, - owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c, - owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw, - owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n, + owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w, + owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c, + owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw, + owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n, } diff --git a/apparmor.d/sddm-greeter b/apparmor.d/sddm-greeter index 0278c3c9..53f020a7 100644 --- a/apparmor.d/sddm-greeter +++ b/apparmor.d/sddm-greeter @@ -92,7 +92,7 @@ profile sddm-greeter @{exec_path} { /usr/share/hwdata/pnp.ids r, - owner /{,var/}run/sddm/{,*} rw, + owner @{run}/sddm/{,*} rw, /{usr/,}lib/@{multiarch}/ld-*.so mr, diff --git a/apparmor.d/sddm-xsession b/apparmor.d/sddm-xsession index 306aa7d1..600400d2 100644 --- a/apparmor.d/sddm-xsession +++ b/apparmor.d/sddm-xsession @@ -136,7 +136,7 @@ profile sddm-xsession @{exec_path} { @{sys}/class/ r, @{sys}/class/*/ r, @{sys}/devices/**/uevent r, - /{var/,}run/udev/data/* r, + @{run}/udev/data/* r, } diff --git a/apparmor.d/ssh-agent b/apparmor.d/ssh-agent index 76880ae6..c56f93fc 100644 --- a/apparmor.d/ssh-agent +++ b/apparmor.d/ssh-agent 
@@ -30,7 +30,7 @@ profile ssh-agent @{exec_path} { /{usr/,}bin/enlightenment_start rPUx, # When started via systemd - /{var/,}run/user/[0-9]*/openssh_agent rw, + @{run}/user/[0-9]*/openssh_agent rw, # askpass apps #/{usr/,}lib/ssh/x11-ssh-askpass rPUx, diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry index 3c4e5b79..a7f855a5 100644 --- a/apparmor.d/strawberry +++ b/apparmor.d/strawberry @@ -76,7 +76,7 @@ profile strawberry @{exec_path} { owner @{PROC}/@{pid}/fd/ r, deny @{PROC}/sys/kernel/random/boot_id r, - /{var/,}run/mount/utab r, + @{run}/mount/utab r, /etc/fstab r, @@ -89,7 +89,7 @@ profile strawberry @{exec_path} { # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. - owner /{var/,}run/user/[0-9]*/orcexec.* mrw, + owner @{run}/user/[0-9]*/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, #owner /tmp/orcexec.* mrw, diff --git a/apparmor.d/sudo b/apparmor.d/sudo index aed01a45..a0032884 100644 --- a/apparmor.d/sudo +++ b/apparmor.d/sudo @@ -52,9 +52,9 @@ profile sudo @{exec_path} { /dev/ r, # For timestampdir - owner /{var/,}run/sudo/ rw, - owner /{var/,}run/sudo/ts/ rw, - owner /{var/,}run/sudo/ts/* rwk, + owner @{run}/sudo/ rw, + owner @{run}/sudo/ts/ rw, + owner @{run}/sudo/ts/* rwk, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/synaptic b/apparmor.d/synaptic index 3d2935d6..3f3c4873 100644 --- a/apparmor.d/synaptic +++ b/apparmor.d/synaptic @@ -142,7 +142,7 @@ profile synaptic @{exec_path} { /usr/share/synaptic/{,**} r, owner @{HOME}/.synaptic/ rw, owner @{HOME}/.synaptic/** rwk, - /{var/,}run/synaptic.socket w, + @{run}/synaptic.socket w, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/systemd-analyze b/apparmor.d/systemd-analyze index 31ceaf46..73e5e91c 100644 --- a/apparmor.d/systemd-analyze +++ b/apparmor.d/systemd-analyze 
@@ -46,11 +46,11 @@ profile systemd-analyze @{exec_path} { @{sys}/module/**/uevent r, @{sys}/devices/**/uevent r, - /{var/,}run/udev/data/* r, + @{run}/udev/data/* r, - /{var/,}run/udev/tags/systemd/ r, - /{var/,}run/systemd/system/ r, - /{var/,}run/systemd/userdb/io.systemd.DynamicUser w, + @{run}/udev/tags/systemd/ r, + @{run}/systemd/system/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser w, owner /tmp/systemd-temporary-*/ rw, diff --git a/apparmor.d/systemd-fsck b/apparmor.d/systemd-fsck index a95f88f0..ac59ec6a 100644 --- a/apparmor.d/systemd-fsck +++ b/apparmor.d/systemd-fsck @@ -28,7 +28,7 @@ profile systemd-fsck @{exec_path} flags=(complain) { /{usr/,}sbin/fsck rPx, /{usr/,}sbin/e2fsck rPx, - owner /{var/,}run/systemd/quotacheck w, + owner @{run}/systemd/quotacheck w, #include if exists } diff --git a/apparmor.d/systemd-fsckd b/apparmor.d/systemd-fsckd index 7fd5c097..fc799f97 100644 --- a/apparmor.d/systemd-fsckd +++ b/apparmor.d/systemd-fsckd @@ -24,7 +24,7 @@ profile systemd-fsckd @{exec_path} flags=(complain) { @{exec_path} mr, - owner /{var/,}run/systemd/fsck.progress w, + owner @{run}/systemd/fsck.progress w, #include if exists } diff --git a/apparmor.d/systemd-journald b/apparmor.d/systemd-journald index b72a9a54..30a303bc 100644 --- a/apparmor.d/systemd-journald +++ b/apparmor.d/systemd-journald @@ -27,7 +27,7 @@ profile systemd-journald @{exec_path} { /etc/systemd/journald.conf r, - /{var/,}run/log/ rw, + @{run}/log/ rw, /{run,var}/log/journal/ rw, /{run,var}/log/journal/[0-9a-f]*/ rw, /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, 
@@ -35,20 +35,20 @@ profile systemd-journald @{exec_path} { /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, /{run,var}/log/journal/[0-9a-f]*/fss rw, - owner /{var/,}run/systemd/journal/{,**} rw, - owner /{var/,}run/systemd/notify rw, + owner @{run}/systemd/journal/{,**} rw, + owner @{run}/systemd/notify rw, - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{var/,}run/udev/data/c10:224 r, # for /dev/tpm0 - /{var/,}run/udev/data/+usb:* r, - /{var/,}run/udev/data/+pci:* r, - /{var/,}run/udev/data/+hid:* r, - /{var/,}run/udev/data/+acpi:* r, - /{var/,}run/udev/data/+scsi:* r, - /{var/,}run/udev/data/+bluetooth:* r, - /{var/,}run/udev/data/+usb-serial:* r, - /{var/,}run/udev/data/+platform:regulatory.[0-9]* r, - /{var/,}run/udev/data/+platform:simple-framebuffer.[0-9]* r, + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/c10:224 r, # for /dev/tpm0 + @{run}/udev/data/+usb:* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+hid:* r, + @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+usb-serial:* r, + @{run}/udev/data/+platform:regulatory.[0-9]* r, + @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r, @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, diff --git a/apparmor.d/systemd-networkd b/apparmor.d/systemd-networkd index 77397578..7e70e252 100644 --- a/apparmor.d/systemd-networkd +++ b/apparmor.d/systemd-networkd 
@@ -28,13 +28,13 @@ profile systemd-networkd @{exec_path} flags=(complain) { /etc/systemd/network/ r, /etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r, - owner /{var/,}run/systemd/netif/links/.#* rw, - owner /{var/,}run/systemd/netif/links/[0-9]* rw, - owner /{var/,}run/systemd/netif/leases/[0-9]* rw, - owner /{var/,}run/systemd/netif/leases/.#* rw, - owner /{var/,}run/systemd/netif/.#state* rw, - owner /{var/,}run/systemd/netif/.#state rw, - owner /{var/,}run/systemd/netif/state rw, + owner @{run}/systemd/netif/links/.#* rw, + owner @{run}/systemd/netif/links/[0-9]* rw, + owner @{run}/systemd/netif/leases/[0-9]* rw, + owner @{run}/systemd/netif/leases/.#* rw, + owner @{run}/systemd/netif/.#state* rw, + owner @{run}/systemd/netif/.#state rw, + owner @{run}/systemd/netif/state rw, # To be able to configure network interfaces @{PROC}/sys/net/ipv{4,6}/** rw, @@ -44,7 +44,7 @@ profile systemd-networkd @{exec_path} flags=(complain) { @{sys}/devices/**/net/** r, - /{var/,}run/udev/data/n[0-9]* r, + @{run}/udev/data/n[0-9]* r, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/systemd-networkd-wait-online b/apparmor.d/systemd-networkd-wait-online index 6dd167f8..7ab4c7aa 100644 --- a/apparmor.d/systemd-networkd-wait-online +++ b/apparmor.d/systemd-networkd-wait-online @@ -20,7 +20,7 @@ profile systemd-networkd-wait-online @{exec_path} flags=(complain) { @{exec_path} mr, - /{var/,}run/systemd/netif/links/[0-9]* r, + @{run}/systemd/netif/links/[0-9]* r, #include if exists } diff --git a/apparmor.d/systemd-rfkill b/apparmor.d/systemd-rfkill index 5b0ff3a6..c27e7ca2 100644 --- a/apparmor.d/systemd-rfkill +++ b/apparmor.d/systemd-rfkill @@ -28,9 +28,9 @@ profile systemd-rfkill @{exec_path} { /var/lib/systemd/rfkill/* rw, - /{var/,}run/systemd/notify rw, + @{run}/systemd/notify rw, - /{var/,}run/udev/data/+rfkill:* r, + @{run}/udev/data/+rfkill:* r, #include if exists } 
diff --git a/apparmor.d/systemd-timesyncd b/apparmor.d/systemd-timesyncd index e6e8bc2e..a9af280c 100644 --- a/apparmor.d/systemd-timesyncd +++ b/apparmor.d/systemd-timesyncd @@ -27,8 +27,8 @@ profile systemd-timesyncd @{exec_path} { owner /var/lib/systemd/timesync/clock rw, - owner /{var/,}run/systemd/timesync/synchronized rw, - /{var/,}run/systemd/netif/state r, + owner @{run}/systemd/timesync/synchronized rw, + @{run}/systemd/netif/state r, #include if exists } diff --git a/apparmor.d/thinkfan b/apparmor.d/thinkfan index 4c094ec6..fe22079b 100644 --- a/apparmor.d/thinkfan +++ b/apparmor.d/thinkfan @@ -28,7 +28,7 @@ profile thinkfan @{exec_path} { @{PROC}/acpi/ibm/thermal r, @{PROC}/acpi/ibm/fan rw, - owner /{var/,}run/thinkfan.pid rw, + owner @{run}/thinkfan.pid rw, #include if exists } diff --git a/apparmor.d/tunables/global b/apparmor.d/tunables/global index 28d6fc6d..3b6f99cc 100644 --- a/apparmor.d/tunables/global +++ b/apparmor.d/tunables/global @@ -19,3 +19,4 @@ #include #include #include +#include diff --git a/apparmor.d/tunables/run b/apparmor.d/tunables/run new file mode 100644 index 00000000..5b81925e --- /dev/null +++ b/apparmor.d/tunables/run @@ -0,0 +1 @@ +@{run}=/run/ /var/run/ diff --git a/apparmor.d/tune2fs b/apparmor.d/tune2fs index e69817d6..9646466a 100644 --- a/apparmor.d/tune2fs +++ b/apparmor.d/tune2fs @@ -26,8 +26,8 @@ profile tune2fs @{exec_path} { /.ismount-test-file rw, - owner /{,var/}run/blkid/blkid.tab{,-*} rw, - owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, # Image files @{HOME}/** rw, diff --git a/apparmor.d/ucf b/apparmor.d/ucf index 8649dff2..804e1e1c 100644 --- a/apparmor.d/ucf +++ b/apparmor.d/ucf @@ -60,7 +60,7 @@ profile ucf @{exec_path} flags=(complain) { # For md5sum /etc/** r, /usr/share/*/conffiles/* r, - /{var/,}run/* r, + @{run}/* r, # For writing new config files /etc/** rw, 
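Review bot: The new `@{run}=/run/ /var/run/` tunable only resolves in profiles that pick it up through `tunables/global`; the name added there was lost in extraction, so I cannot confirm it is `tunables/run`, and any profile in this tree that includes tunables individually instead of `tunables/global` will now fail to parse on `@{run}`. The trailing slash presumably follows how `@{PROC}` and `@{sys}` are defined, so the `@{run}/udev/...` spellings used throughout the commit are consistent with the existing `@{PROC}/@{pid}` style. A one-line comment in the new file would help the next reader, e.g. `# /var/run is normally a symlink to /run; both are listed so rules match either spelling`.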
diff --git a/apparmor.d/udevadm b/apparmor.d/udevadm index 3ac87a3e..2c9bbf72 100644 --- a/apparmor.d/udevadm +++ b/apparmor.d/udevadm @@ -65,10 +65,10 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) { /etc/systemd/network/ r, /etc/systemd/network/[0-9][0-9]-*.link r, - /{var/,}run/udev/ rw, - /{var/,}run/udev/** rw, + @{run}/udev/ rw, + @{run}/udev/** rw, - /{var/,}run/systemd/seats/seat[0-9]* r, + @{run}/systemd/seats/seat[0-9]* r, @{sys}/** rw, diff --git a/apparmor.d/udisksd b/apparmor.d/udisksd index 753bd64f..487e029c 100644 --- a/apparmor.d/udisksd +++ b/apparmor.d/udisksd @@ -101,8 +101,8 @@ profile udisksd @{exec_path} { /etc/crypttab r, # To be able to operate on encryted devices - /{var/,}run/cryptsetup/ r, - /{var/,}run/cryptsetup/L* rwk, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/L* rwk, @{sys}/fs/ r, @{sys}/bus/ r, @@ -115,19 +115,19 @@ profile udisksd @{exec_path} { @{sys}/devices/virtual/bdi/**/read_ahead_kb r, - /{var/,}run/ r, + @{run}/ r, # Info on mounted devices - /{var/,}run/mount/utab{,.*} rw, - /{var/,}run/mount/utab.lock rwk, + @{run}/mount/utab{,.*} rw, + @{run}/mount/utab.lock rwk, /var/lib/udisks2/mounted-fs{,*} rw, - /{var/,}run/udisks2/ rw, - /{var/,}run/udisks2/loop{,.*} rw, - /{var/,}run/udisks2/unlocked-luks{,.*} rw, - /{var/,}run/udisks2/mounted-fs{,.*} rw, + @{run}/udisks2/ rw, + @{run}/udisks2/loop{,.*} rw, + @{run}/udisks2/unlocked-luks{,.*} rw, + @{run}/udisks2/mounted-fs{,.*} rw, - /{var/,}run/systemd/seats/seat[0-9]* r, + @{run}/systemd/seats/seat[0-9]* r, profile systemd-escape { diff --git a/apparmor.d/umount b/apparmor.d/umount index 84ac2f9a..b55a082c 100644 --- a/apparmor.d/umount +++ b/apparmor.d/umount 
@@ -44,9 +44,9 @@ profile umount @{exec_path} flags=(complain) { @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r, - owner /{,var/}run/mount/ rw, - owner /{,var/}run/mount/utab{,.*} rw, - owner /{,var/}run/mount/utab.lock wk, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rw, + owner @{run}/mount/utab.lock wk, #include if exists } diff --git a/apparmor.d/updatedb-mlocate b/apparmor.d/updatedb-mlocate index 83e29fef..b7e1aca6 100644 --- a/apparmor.d/updatedb-mlocate +++ b/apparmor.d/updatedb-mlocate @@ -56,7 +56,7 @@ profile updatedb-mlocate @{exec_path} { deny /lost+found/ r, deny /mnt/ r, - /{var/,}run/mlocate.daily.lock r, + @{run}/mlocate.daily.lock r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/upowerd b/apparmor.d/upowerd index 570dafde..68688aed 100644 --- a/apparmor.d/upowerd +++ b/apparmor.d/upowerd @@ -48,15 +48,15 @@ profile upowerd @{exec_path} { @{sys}/devices/platform/**/leds/**/brightness rw, @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, - /{,var/}run/udev/data/ r, - /{,var/}run/udev/data/+power_supply* r, - /{,var/}run/udev/data/+input* r, - /{,var/}run/udev/data/+usb* r, - /{,var/}run/udev/data/+hid* r, - /{,var/}run/udev/data/c13:[0-9]* r, # for /dev/input/* - /{,var/}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/ r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+input* r, + @{run}/udev/data/+usb* r, + @{run}/udev/data/+hid* r, + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{,var/}run/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, #include if exists } diff --git a/apparmor.d/usbguard-applet-qt b/apparmor.d/usbguard-applet-qt index 916df51e..bfc0a709 100644 --- a/apparmor.d/usbguard-applet-qt +++ b/apparmor.d/usbguard-applet-qt 
@@ -39,7 +39,7 @@ profile usbguard-applet-qt @{exec_path} { /dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw, /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw, - owner /{,var/}run/user/[0-9]*/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw, + owner @{run}/user/[0-9]*/sni-qt_usbguard-applet-qt_[0-9]*-[a-zA-Z0-9]*/{,**} rw, owner @{PROC}/@{pid}/cmdline r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/usbguard-daemon b/apparmor.d/usbguard-daemon index 072faa16..67554cde 100644 --- a/apparmor.d/usbguard-daemon +++ b/apparmor.d/usbguard-daemon @@ -27,7 +27,7 @@ profile usbguard-daemon @{exec_path} { /etc/usbguard/*.conf rw, /etc/usbguard/IPCAccessControl.d/{,*} r, - owner /{,var/}run/usbguard.pid rwk, + owner @{run}/usbguard.pid rwk, /var/log/usbguard/usbguard-audit.log rw, diff --git a/apparmor.d/usr.bin.irssi b/apparmor.d/usr.bin.irssi index b310e976..9ba8e1c0 100644 --- a/apparmor.d/usr.bin.irssi +++ b/apparmor.d/usr.bin.irssi @@ -2,7 +2,7 @@ # For use with irssi within screen #include -profile irssi /usr/bin/irssi flags=(complain) { +/usr/bin/irssi flags=(complain) { #include #include #include @@ -20,7 +20,7 @@ profile irssi /usr/bin/irssi flags=(complain) { #include /usr/bin/screen ix, owner /{,var/}run/screen/** r, - owner /{,var/}run/screen/S-[a-zA-Z0-9]*/[0-9]*[0-9] w, + owner /{,var/}run/screen/S-[a-zA-Z0-9]*/[0-9]* w, @{PROC}/[0-9]*/stat r, # for /uptime @@ -41,9 +41,10 @@ profile irssi /usr/bin/irssi flags=(complain) { owner @{HOME}/.irssi/*.theme wk, # http://www.irssi.org/documentation/startup states that ~/irclogs is the - # default location for logs. - owner @{HOME}/irclogs/ r, - owner @{HOME}/irclogs/** rwk, + # default location for logs. Also allow the common configuration of logging + # inside the .irssi directory. + owner @{HOME}/{.irssi/,}irclogs/ r, + owner @{HOME}/{.irssi/,}irclogs/** rwk, # for fnotify owner @{HOME}/.irssi/fnotify rwk, 
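Review bot: Replacing `profile irssi /usr/bin/irssi flags=(complain) {` with the bare path header renames the profile from `irssi` to `/usr/bin/irssi`, which changes the name shown in audit logs and the target of any `px -> irssi` or `Cx -> irssi` transition elsewhere in the tree; worth grepping before merging. The same file keeps the `/{,var/}run/screen/...` spelling rather than the `@{run}` used everywhere else in this commit, as do `usr.sbin.apt-cacher-ng` and `usr.sbin.dnsmasq`; if that is deliberate because these files track upstream profiles, a comment saying so would stop the next sweep from converting them. The `S-[a-zA-Z0-9]*/[0-9]*` write rule is also wider than the old `[0-9]*[0-9]`, since `[0-9]*` matches a digit followed by any non-slash characters, which is presumably harmless but not mentioned.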
diff --git a/apparmor.d/usr.bin.pidgin b/apparmor.d/usr.bin.pidgin index c3ce8e14..5e187020 100644 --- a/apparmor.d/usr.bin.pidgin +++ b/apparmor.d/usr.bin.pidgin @@ -65,8 +65,6 @@ /etc/purple/prefs.xml r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/lib/frei0r-1/*.so rm, /usr/lib/@{multiarch}/libvisual-*/**.so rm, /usr/lib/pidgin/*.so rm, diff --git a/apparmor.d/usr.bin.totem b/apparmor.d/usr.bin.totem index 3b7913b1..1176965e 100644 --- a/apparmor.d/usr.bin.totem +++ b/apparmor.d/usr.bin.totem @@ -26,6 +26,11 @@ # Help browser /usr/bin/yelp Cx -> sanitized_helper, + # GDesktopAppInfo in GLib 2.64.x uses a very small shell script + # to launch .desktop files, instead of gio-launch-desktop + /{usr/,}bin/{dash,bash} ixr, + # With older GLib we might still be on the fallback code path + # (remove this after Debian 11 and Ubuntu 20.04) /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix, # Quiet logs diff --git a/apparmor.d/usr.sbin.apt-cacher-ng b/apparmor.d/usr.sbin.apt-cacher-ng index 7d117735..8a5e854e 100644 --- a/apparmor.d/usr.sbin.apt-cacher-ng +++ b/apparmor.d/usr.sbin.apt-cacher-ng @@ -7,11 +7,13 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng { #include #include + #include #include /etc/apt-cacher-ng/ r, /etc/apt-cacher-ng/** r, /etc/hosts.{deny,allow} r, + /usr/sbin/apt-cacher-ng mr, /var/lib/apt-cacher-ng/** r, /{,var/}run/apt-cacher-ng/* rw, diff --git a/apparmor.d/usr.sbin.dnsmasq b/apparmor.d/usr.sbin.dnsmasq index 0e22eba8..88f09913 100644 --- a/apparmor.d/usr.sbin.dnsmasq +++ b/apparmor.d/usr.sbin.dnsmasq @@ -42,7 +42,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { owner /dev/tty rw, - owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fd/ r, /etc/dnsmasq.conf r, /etc/dnsmasq.d/ r, 
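Review bot: `/{usr/,}bin/{dash,bash} ixr,` runs the shell under totem's own profile, so the .desktop launcher script, and whatever it execs, receives every permission the totem profile grants. The `yelp` line immediately above already uses `Cx -> sanitized_helper`, and that transition is the more contained choice for a launcher if it still works with the GLib 2.64 script; at minimum the comment should say why `ix` was chosen, e.g. `# ix: the launcher must exec the chosen application from totem's confinement`. The enclosing profile block starts and ends outside the hunk.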
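Review bot: Dropping `owner` from `@{PROC}/@{pid}/fd/ r,` in the dnsmasq hunk relaxes the rule without a note on why the owner match stopped working. If the reason is that dnsmasq drops root after startup so its `/proc/@{pid}/` entries are no longer owned by the running uid, the rule deserves a comment saying so, e.g. `# no owner match: dnsmasq drops privileges, so /proc/@{pid}/ is not owned by the running uid`; otherwise the `owner` qualifier should stay. The dnsmasq profile block starts and ends outside the hunk.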
@@ -59,8 +59,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /var/log/dnsmasq*.log w, - /usr/share/dnsmasq/ r, - /usr/share/dnsmasq/* r, + /usr/share/dnsmasq{-base,}/ r, + /usr/share/dnsmasq{-base,}/* r, /{,var/}run/*dnsmasq*.pid w, /{,var/}run/dnsmasq-forwarders.conf r, @@ -89,6 +89,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { # libvirt lease helper /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper, + /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper, # lxc-net pid and lease files /{,var/}run/lxc/dnsmasq.pid rw, @@ -116,6 +117,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /etc/libnl-3/classid r, /usr/lib{,64}/libvirt/libvirt_leaseshelper m, + /usr/libexec/libvirt_leaseshelper m, owner @{PROC}/@{pid}/net/psched r, owner @{PROC}/@{pid}/status r, diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager index 083a29fd..9b1c1e60 100644 --- a/apparmor.d/virt-manager +++ b/apparmor.d/virt-manager @@ -96,16 +96,16 @@ profile virt-manager @{exec_path} flags=(complain) { @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{busnum,devnum,speed,descriptors} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/uevent r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{busnum,devnum,speed,descriptors} r, - /{var/,}run/udev/data/+usb:* r, - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** r, + @{run}/udev/data/+usb:* r, + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** r, @{sys}/devices/pci[0-9]*/**/drm/ r, /etc/fstab r, - /{var/,}run/mount/utab r, + @{run}/mount/utab r, - owner /{var/,}run/user/[0-9]*/libvirt/libvirtd.lock rwk, + owner @{run}/user/[0-9]*/libvirt/libvirtd.lock rwk, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, 
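Review bot: The converted `@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** r,` line in the virt-manager hunk still carries a stray `r,` inside its comment, which the same rule in `systemd-journald` (`# for /dev/bus/usb/**`) does not have. Since the line is being rewritten anyway, drop it: `@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**`. The virt-manager profile block starts and ends outside the hunk.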
@@ -119,7 +119,7 @@ profile virt-manager @{exec_path} flags=(complain) { # The orcexec.* file is JIT compiled code for various GStreamer elements. # If one is blocked the next is used instead. - owner /{var/,}run/user/[0-9]*/orcexec.* mrw, + owner @{run}/user/[0-9]*/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, #owner /tmp/orcexec.* mrw, diff --git a/apparmor.d/vlc b/apparmor.d/vlc index 27c7625c..4a9cfa14 100644 --- a/apparmor.d/vlc +++ b/apparmor.d/vlc @@ -126,12 +126,12 @@ profile vlc @{exec_path} { @{sys}/class/**/ r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,speed} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - /{var/,}run/udev/data/b254:[0-9]* r, # for /dev/zram* - /{var/,}run/udev/data/b253:[0-9]* r, # for /dev/dm* - /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd* - /{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop* - /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{var/,}run/udev/data/+usb:* r, # for ? + @{run}/udev/data/b254:[0-9]* r, # for /dev/zram* + @{run}/udev/data/b253:[0-9]* r, # for /dev/dm* + @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* + @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # for ? /dev/ r, /dev/bus/usb/ r, diff --git a/apparmor.d/wpa-gui b/apparmor.d/wpa-gui index 0d29ba28..b7662a8a 100644 --- a/apparmor.d/wpa-gui +++ b/apparmor.d/wpa-gui @@ -30,7 +30,7 @@ profile wpa-gui @{exec_path} { owner /tmp/wpa_ctrl_@{pid}-[0-9] w, - /{var/,}run/wpa_supplicant/ r, + @{run}/wpa_supplicant/ r, /dev/shm/#[0-9]*[0-9] rw, diff --git a/apparmor.d/wpa-supplicant b/apparmor.d/wpa-supplicant index 2f388293..37cec03f 100644 --- a/apparmor.d/wpa-supplicant +++ b/apparmor.d/wpa-supplicant 
@@ -37,9 +37,9 @@ profile wpa-supplicant @{exec_path} { @{exec_path} mr, - owner /{,var/}run/wpa_supplicant/ rw, - owner /{,var/}run/wpa_supplicant/wlan* rw, - owner /{,var/}run/wpa_supplicant.wlan*.pid rw, + owner @{run}/wpa_supplicant/ rw, + owner @{run}/wpa_supplicant/wlan* rw, + owner @{run}/wpa_supplicant.wlan*.pid rw, /etc/wpa_supplicant/wpa_supplicant.conf r, diff --git a/apparmor.d/wpa_cli b/apparmor.d/wpa_cli index 0b2fc223..a9fadcfb 100644 --- a/apparmor.d/wpa_cli +++ b/apparmor.d/wpa_cli @@ -19,7 +19,7 @@ profile wpa_cli @{exec_path} { @{exec_path} mr, - owner /{,var/}run/wpa_supplicant/ r, + owner @{run}/wpa_supplicant/ r, owner /tmp/wpa_ctrl_@{pid}-[0-9] rw, # for interactive mode diff --git a/apparmor.d/x11-xsession b/apparmor.d/x11-xsession index 817a6aee..17f8eeb1 100644 --- a/apparmor.d/x11-xsession +++ b/apparmor.d/x11-xsession @@ -124,7 +124,7 @@ profile x11-xsession @{exec_path} { @{sys}/class/ r, @{sys}/class/*/ r, @{sys}/devices/**/uevent r, - /{var/,}run/udev/data/* r, + @{run}/udev/data/* r, } diff --git a/apparmor.d/xinit b/apparmor.d/xinit index 85060732..edff27c3 100644 --- a/apparmor.d/xinit +++ b/apparmor.d/xinit @@ -128,7 +128,7 @@ profile xinit @{exec_path} { @{sys}/class/ r, @{sys}/class/*/ r, @{sys}/devices/**/uevent r, - /{var/,}run/udev/data/* r, + @{run}/udev/data/* r, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/xorg b/apparmor.d/xorg index 2beb297e..ec6f669e 100644 --- a/apparmor.d/xorg +++ b/apparmor.d/xorg @@ -114,10 +114,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner /dev/tty[0-9]* rw, # Needed for SDDM display manager - /{,var/}run/sddm/{,**} rw, + @{run}/sddm/{,**} rw, # Needed for LightDM display manager - /{,var/}run/lightdm/{,**} rw, + @{run}/lightdm/{,**} rw, /var/log/lightdm/x-*.log* rw, @{sys}/bus/ r, 
@@ -128,20 +128,20 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/ r, @{sys}/devices/pci[0-9]*/**/boot_vga r, - /{,var/}run/udev/data/+input* r, # for mouse, keyboard, touchpad - /{,var/}run/udev/data/+platform* r, # for ? - /{,var/}run/udev/data/+drm:card[0-9]-* r, # for screen outputs - #/{,var/}run/udev/data/+dmi* r, # for ? - /{,var/}run/udev/data/+acpi* r, # for ? - /{,var/}run/udev/data/+hid* r, # for HID-Compliant Keyboard - /{,var/}run/udev/data/+pci* r, # for VGA compatible controller - /{,var/}run/udev/data/+usb* r, # for USB mouse and keyboard - /{,var/}run/udev/data/+serio* r, # for touchpad? - /{,var/}run/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* - /{,var/}run/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx - /{,var/}run/udev/data/c13:[0-9]* r, # for /dev/input/* - /{,var/}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - /{,var/}run/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+platform* r, # for ? + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs + #@{run}/udev/data/+dmi* r, # for ? + @{run}/udev/data/+acpi* r, # for ? + @{run}/udev/data/+hid* r, # for HID-Compliant Keyboard + @{run}/udev/data/+pci* r, # for VGA compatible controller + @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+serio* r, # for touchpad? + @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** + @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* @{PROC}/@{pids}/cmdline r, @{PROC}/cmdline r,