diff --git a/README.md b/README.md
index 3a62d5f0..33fa7a33 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,8 @@
 * OpenSUSE Tumbleweed
 - Support major desktop environments:
 * Gnome
- * KDE *(work in progress)*
+ * KDE
+ * XFCE *(work in progress)*
 - Fully tested (Work in progress)
diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict
index 4ab629d7..b33ba0b4 100644
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@@ -19,7 +19,7 @@
 /tmp/.ICE-unix/* rw,
 /tmp/.X@{int}-lock rw,
 /tmp/.X11-unix/* rw,
- owner /tmp/xauth_@{rand6} rl -> /tmp/#@{int},
+ owner @{tmp}/xauth_@{rand6} rl -> /tmp/#@{int},
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland
 owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 4af0396c..c3584901 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -46,6 +46,7 @@
 ptrace (read) peer=gnome-browser-connector-host,
 ptrace (read) peer=keepassxc-proxy,
 ptrace (read) peer=lsb_release,
+ ptrace (read) peer=plasma-browser-integration-host,
 ptrace (read) peer=xdg-settings,
 ptrace (trace) peer=@{profile_name},
@@ -109,6 +110,7 @@
 /etc/@{name}/{,**} r,
 /etc/fstab r,
 /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r, # Debian ubication
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
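Review bot: The link target in `owner @{tmp}/xauth_@{rand6} rl -> /tmp/#@{int},` is still hard-coded to `/tmp/` while the source side now uses `@{tmp}`; if `@{tmp}` can expand to a per-user temp directory, the anonymous `#@{int}` file xauth links to will live there too and the link would be denied. Using `owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},` keeps both sides of the rule consistent. The same pattern survives in the apt-key and apt-methods-gpgv hunks below, where `rwkl -> /tmp/apt-key-gpghome.*/**` keeps the literal `/tmp/` target.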
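Review bot: The trailing comment on the added `/etc/opensc/opensc.conf r, # Debian ubication` uses a word that does not read naturally in English; `# Debian location` says what is meant. Since the neighbouring `/etc/opensc.conf r,` is the other distribution layout, a comment naming which layout each rule serves would also help the next reader.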
@@ -150,22 +152,22 @@
 /tmp/ r,
 /var/tmp/ r,
- owner /tmp/.@{domain}.* rw,
- owner /tmp/.@{domain}*/{,**} rw,
- owner /tmp/@{name}-crashlog-@{int}-@{int}.txt rw,
- owner /tmp/scoped_dir*/{,**} rw,
- owner /tmp/tmp.* rw,
- owner /tmp/tmp.*/ rw,
- owner /tmp/tmp.*/** rwk,
+ owner @{tmp}/.@{domain}.* rw,
+ owner @{tmp}/.@{domain}*/{,**} rw,
+ owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
+ owner @{tmp}/scoped_dir*/{,**} rw,
+ owner @{tmp}/tmp.* rw,
+ owner @{tmp}/tmp.*/ rw,
+ owner @{tmp}/tmp.*/** rwk,
+
+ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
+ owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
 /dev/shm/ r,
 owner /dev/shm/.@{domain}* rw,
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
- owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
- owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
-
 @{sys}/bus/ r,
 @{sys}/bus/**/devices/ r,
 @{sys}/class/**/ r,
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index e791caea..49b742b0 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -39,6 +39,7 @@
 @{etc_ro}/sudoers.d/{,*} r,
 / r,
+ /etc/machine-id r,
 owner /var/lib/sudo/ts/ rw,
 owner /var/lib/sudo/ts/@{uid} rwk,
diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete
index 6ecb0e31..de6c758b 100644
--- a/apparmor.d/abstractions/authentication.d/complete
+++ b/apparmor.d/abstractions/authentication.d/complete
@@ -1,8 +1,10 @@
+ @{bin}/pam-tmpdir-helper rPx,
+
+ #aa:exclude ubuntu
 @{bin}/unix_chkpwd rPx,
 #aa:only whonix
- @{bin}/pam-tmpdir-helper rPx,
 @{lib}/security-misc/pam_faillock_not_if_x rPx,
 @{lib}/security-misc/pam-abort-on-locked-password rPx,
 @{lib}/security-misc/pam-info rPx,
diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session
index 7507dee5..f8d6ba37 100644
--- a/apparmor.d/abstractions/bus-session
+++ b/apparmor.d/abstractions/bus-session
@@ -19,8 +19,8 @@
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
- owner /tmp/dbus-@{rand8} rw,
- owner /tmp/dbus-@{rand10} rw,
+ owner @{tmp}/dbus-@{rand8} rw,
+ owner @{tmp}/dbus-@{rand10} rw,
 owner @{run}/user/@{uid}/bus rw,
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
index a4008970..9a0fdf9f 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@@ -14,17 +14,17 @@
 dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1
- member={MakeThreadRealtime,MakeThreadHighPriority}
+ member=MakeThread*
 peer=(name=:*, label=rtkit-daemon),
 dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1
- member={MakeThreadRealtime,MakeThreadHighPriority}
+ member=MakeThread*
 peer=(name=org.freedesktop.RealtimeKit1),
 dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1
- member=MakeThreadRealtimeWithPID
+ member=MakeThread*
 peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
 include if exists
diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app
index a1180f97..965f7146 100644
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@@ -53,7 +53,7 @@
 owner @{user_share_dirs}/** rwkl,
 owner @{user_games_dirs}/{,**} rm,
- owner /tmp/** rmwk,
+ owner @{tmp}/** rmwk,
 owner /dev/shm/** rwlk -> /dev/shm/**,
 @{run}/cups/cups.sock rw, # Allow access to cups printing socket.
diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt
index bfded36b..baa14757 100644
--- a/apparmor.d/abstractions/common/apt
+++ b/apparmor.d/abstractions/common/apt
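Review bot: Replacing the explicit member lists with `member=MakeThread*` in all three RealtimeKit1 rules widens the grant from the named calls to any current or future method on the interface that happens to share the prefix. If the intent is only to cover the `WithPID` variants alongside the two already named, spelling them out in the brace list keeps the rule reviewable; if the wildcard is deliberate, a one-line comment above the first rule, e.g. `# All MakeThread* calls are accepted; rtkit-daemon enforces the actual limits`, would save the next reader the question. The peer is pinned to `label=rtkit-daemon` in two of the three rules, which bounds the exposure, but the middle rule matches only on the well-known name.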
@@ -25,8 +25,7 @@
 /var/lib/dpkg/status r,
 /var/lib/ubuntu-advantage/apt-esm/{,**} r,
- owner /tmp/#@{int} rw,
- owner /tmp/clearsigned.message.* rw,
- owner /tmp/user/@{uid}/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/clearsigned.message.* rw,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index f2e76bcd..858acb47 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -37,8 +37,8 @@
 owner / r,
 owner /newroot/{,**} w,
- owner /tmp/newroot/ w,
- owner /tmp/oldroot/ w,
+ owner @{tmp}/newroot/ w,
+ owner @{tmp}/oldroot/ w,
 @{PROC}/sys/kernel/overflowgid r,
 @{PROC}/sys/kernel/overflowuid r,
diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium
index 27edc85f..1fc1d155 100644
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@@ -24,12 +24,12 @@
 /tmp/ r,
 /var/tmp/ r,
- owner /tmp/.org.chromium.Chromium.* rw,
- owner /tmp/.org.chromium.Chromium.*/{,**} rw,
- owner /tmp/scoped_dir*/ rw,
- owner /tmp/scoped_dir*/SingletonCookie w,
- owner /tmp/scoped_dir*/SingletonSocket w,
- owner /tmp/scoped_dir*/SS w,
+ owner @{tmp}/.org.chromium.Chromium.* rw,
+ owner @{tmp}/.org.chromium.Chromium.*/{,**} rw,
+ owner @{tmp}/scoped_dir*/ rw,
+ owner @{tmp}/scoped_dir*/SingletonCookie w,
+ owner @{tmp}/scoped_dir*/SingletonSocket w,
+ owner @{tmp}/scoped_dir*/SS w,
 /dev/shm/ r,
 owner /dev/shm/.org.chromium.Chromium.* rw,
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index 3862765b..c8541282 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
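Review bot: Dropping `owner /tmp/user/@{uid}/#@{int} rw,` in favour of `owner @{tmp}/#@{int} rw,` is only equivalent if the `@{tmp}` tunable expands to the per-user pam-tmpdir path as well as `/tmp`; the tunable definition is not part of this diff, so that should be confirmed before the old rule goes, otherwise apt on pam-tmpdir systems loses the access the removed line provided. The hunk also ends with `\ No newline at end of file` on the context `include if exists` line, so the file still lacks a trailing newline, which this same commit fixes for vulkan-strict but not here.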
@@ -50,14 +50,14 @@
 owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
 owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
- owner /tmp/.org.chromium.Chromium.@{rand6} rw,
- owner /tmp/.org.chromium.Chromium.@{rand6}/ rw,
- owner /tmp/.org.chromium.Chromium.@{rand6}/SingletonCookie w,
- owner /tmp/.org.chromium.Chromium.@{rand6}/SingletonSocket w,
- owner /tmp/scoped_dir@{rand6}/ rw,
- owner /tmp/scoped_dir@{rand6}/SingletonCookie w,
- owner /tmp/scoped_dir@{rand6}/SingletonSocket w,
- owner /tmp/scoped_dir@{rand6}/SS w,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w,
+ owner @{tmp}/scoped_dir@{rand6}/ rw,
+ owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
+ owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
+ owner @{tmp}/scoped_dir@{rand6}/SS w,
 owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish
new file mode 100644
index 00000000..c5ed229c
--- /dev/null
+++ b/apparmor.d/abstractions/fish
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This abstraction is only required when an interactive shell is started.
+# Classic shell scripts do not need it.
+
+ /usr/share/fish/{,**} r,
+
+ /etc/fish/{,**} r,
+
+ owner @{user_config_dirs}/fish/{,**} r,
+
+ include if exists
diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete
index c9f714ac..7313fbca 100644
--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@@ -10,6 +10,9 @@
 @{system_share_dirs}/glib-2.0/schemas/ r,
 @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
+ @{system_share_dirs}/ r,
+ @{system_share_dirs}/mime/ r,
+ /usr/share/mime/ r,
 /etc/gnome/defaults.list r,
diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells
index 23c447dc..5583f599 100644
--- a/apparmor.d/abstractions/shells
+++ b/apparmor.d/abstractions/shells
@@ -6,6 +6,7 @@
 # Classic shell scripts do not need it.
 include
+ include
 include
 include if exists
diff --git a/apparmor.d/abstractions/video.d/complete b/apparmor.d/abstractions/video.d/complete
index 0f43431a..4b8a0d2e 100644
--- a/apparmor.d/abstractions/video.d/complete
+++ b/apparmor.d/abstractions/video.d/complete
@@ -3,3 +3,6 @@
 # SPDX-License-Identifier: GPL-2.0-only
 @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
+
+ # Access to video /dev devices
+ /dev/video@{int} rw,
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict
index 78afea1e..70d5711d 100644
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@@ -15,6 +15,7 @@
 /etc/vulkan/implicit_layer.d/{,*.json} r,
 owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
+ owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache
 @{sys}/class/ r,
 @{sys}/class/drm/ r,
@@ -23,4 +24,5 @@
 @{sys}/devices/@{pci}/drm/card@{int}/metrics/ r,
 @{sys}/devices/@{pci}/drm/card@{int}/metrics/@{uuid}/id r,
- include if exists
\ No newline at end of file
+ include if exists
+
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index a92304d1..0b6b72f1 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
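Review bot: `/dev/video@{int} rw,` is added to the shared `video.d/complete` abstraction, so every profile that includes the video abstraction now gets read/write access to all V4L2 device nodes (webcams, capture cards), where the abstraction previously only allowed reading the sysfs `uevent` entry. That is a much larger grant than the file made before, and the includers are not visible from this diff, so whether each of them should be able to open a camera is worth checking. If only a few profiles need the device itself, the rule belongs in those profiles; if it is intended for all of them, expanding the comment to say so, e.g. `# Access to video /dev devices (webcams, capture cards) for every profile using this abstraction`, makes the scope explicit.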
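Review bot: The second vulkan-strict hunk restores the missing trailing newline but also appends an empty line after `include if exists`, leaving the file ending on a blank line; dropping the final `+` line keeps it to a single newline. In the first hunk, the trailing comment `#Vulkan radv shaders cache` omits the space after `#` that the other comments in this diff use (`# Xwayland`, `# For brave://net-export/`); `# Vulkan radv shaders cache` matches the house style.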
@@ -72,7 +72,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{run}/user/@{uid}/{,**} rw,
 owner @{user_config_dirs}/** rwkl,
 owner @{user_share_dirs}/** rwkl,
- owner /tmp/{,**} rwk,
+ owner @{tmp}/{,**} rwk,
 owner @{run}/user/@{uid}/{,**} rw,
diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
index 53a6fc02..80594c6b 100644
--- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
@@ -49,8 +49,8 @@ profile akonadi_mailfilter_agent @{exec_path} {
 owner @{user_config_dirs}/kmail2rc r,
 owner @{user_config_dirs}/kwinrc r,
- owner /tmp/#@{int} rw,
- owner /tmp/akonadi_mailfilter_agent.* rwl,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/akonadi_mailfilter_agent.* rwl,
 owner @{user_config_dirs}/specialmailcollectionsrc r,
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre
index bcc0cf92..f252e634 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@@ -20,17 +20,12 @@ profile calibre @{exec_path} {
 include
 include
 include
+ include
 include
 include
- include
- include
- include
- include
+ include
 include
- include
- include
 include
- include
 include
 include
 include
@@ -66,7 +61,6 @@ profile calibre @{exec_path} {
 @{bin}/xdg-mime rPx,
 /usr/share/calibre/{,**} r,
- /usr/share/hwdata/pnp.ids r,
 /etc/fstab r,
 /etc/inputrc r,
@@ -95,12 +89,10 @@ profile calibre @{exec_path} {
 owner @{user_cache_dirs}/gstreamer-@{int}/ rw,
 owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
- owner /tmp/calibre_*_tmp_*/{,**} rw,
- owner /tmp/calibre-*/{,**} rw,
- owner /tmp/@{int}-*/ rw,
- owner /tmp/@{int}-*/** rwl,
-# owner /tmp/@{int}-*/** rwl -> /tmp/@{int}-*/**, # newer AA version
- owner /tmp/* rw,
+ owner @{tmp}/calibre_*_tmp_*/{,**} rw,
+ owner @{tmp}/calibre-*/{,**} rw,
+ owner @{tmp}/@{int}-*/ rw,
+ owner @{tmp}/@{int}-*/** rwl,
 owner /dev/shm/#@{int} rw,
diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord
index e7eda5c3..c703ff35 100644
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@@ -34,9 +34,9 @@ profile discord @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- owner /tmp/net-export/ rw,
- owner /tmp/discord.sock rw,
- owner "/tmp/Discord Crashes/" rw,
+ owner @{tmp}/net-export/ rw,
+ owner @{tmp}/discord.sock rw,
+ owner "@{tmp}/Discord Crashes/" rw,
 owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
diff --git a/appar mor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox
index 9853bd50..c960e62f 100644
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@@ -60,11 +60,11 @@ profile dropbox @{exec_path} {
 @{bin}/{,@{multiarch}-}objdump rix,
 # Needed for updating Dropbox
- owner /tmp/.dropbox-dist-new-*/{,**} rw,
- owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix,
- owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix,
- owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix,
- owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw,
+ owner @{tmp}/.dropbox-dist-new-*/{,**} rw,
+ owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix,
+ owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix,
+ owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix,
+ owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw,
 owner @{HOME}/.dropbox-dist-old*/{,**} rw,
 owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,
@@ -105,9 +105,9 @@ profile dropbox @{exec_path} {
 @{PROC}/vmstat r,
 # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
- owner /tmp/dropbox-antifreeze-* rw,
- owner /tmp/[a-zA-z0-9]* rw,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/dropbox-antifreeze-* rw,
+ owner @{tmp}/[a-zA-z0-9]* rw,
+ owner @{tmp}/#@{int} rw,
 owner /var/tmp/etilqs_@{hex} rw,
 @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla
index 20f90561..cc099ce4 100644
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@@ -49,9 +49,9 @@ profile filezilla @{exec_path} {
 # Creating new files on FTP
 /tmp/ r,
- owner /tmp/fz[0-9]temp-@{int}/ rw,
- owner /tmp/fz[0-9]temp-@{int}/fz*-lockfile rwk,
- owner /tmp/fz[0-9]temp-@{int}/empty_file_* rw,
+ owner @{tmp}/fz[0-9]temp-@{int}/ rw,
+ owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk,
+ owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw,
 # External apps
 @{lib}/firefox/firefox rPUx,
diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot
index d55481cf..4e7971cd 100644
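Review bot: `owner @{tmp}/[a-zA-z0-9]* rw,` in the second dropbox hunk carries a character-class typo: `A-z` is an ASCII range from `A` through `z`, which also admits `[`, `\`, `]`, `^`, `_` and the backtick, so the rule matches more names than it appears to. The intended class is almost certainly `A-Z`, i.e. `owner @{tmp}/[a-zA-Z0-9]* rw,`. The typo predates this commit, but the line is being rewritten anyway and this is the natural place to fix it.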
--- a/apparmor.d/groups/apps/flameshot
+++ b/apparmor.d/groups/apps/flameshot
@@ -10,20 +10,15 @@ include
 @{exec_path} = @{bin}/flameshot
 profile flameshot @{exec_path} {
 include
- include
- include
- include
+ include
 include
- include
- include
- include
- include
+ include
+ include
 include
 include
+ include
 include
 include
- include
- include
 network inet dgram,
 network inet6 dgram,
@@ -36,58 +31,24 @@ profile flameshot @{exec_path} {
 @{bin}/whoami rix,
- @{bin}/xdg-open rCx -> open,
-
- # Flameshot home files
- owner @{user_config_dirs}/flameshot/ rw,
- owner @{user_config_dirs}/flameshot/flameshot.ini rw,
- owner @{user_config_dirs}/flameshot/#@{int} rw,
- owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#@{int},
- owner @{user_config_dirs}/flameshot/flameshot.ini.lock rwk,
+ @{open_path} rPx -> child-open-help,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- /usr/share/hwdata/pnp.ids r,
+ owner @{user_config_dirs}/flameshot/ rw,
+ owner @{user_config_dirs}/flameshot/** rwlk -> @{user_config_dirs}/flameshot/**,
- owner /tmp/.*/{,s} rw,
- owner /tmp/*= rw,
- owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
+ owner @{tmp}/.*/{,s} rw,
+ owner @{tmp}/*= rw,
+ owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw,
+ owner /dev/shm/#@{int} rw,
- deny owner @{PROC}/@{pid}/cmdline r,
- deny @{PROC}/sys/kernel/random/boot_id r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
-
- /etc/fstab r,
-
- /dev/shm/#@{int} rw,
-
- # file_inherit
- owner /dev/tty@{int} rw,
-
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
 include if exists
 }
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop
index d2969426..add8fa0d 100644
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
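Review bot: Two rules change from an explicit deny to an allow: `deny owner @{PROC}/@{pid}/cmdline r,` becomes `owner @{PROC}/@{pid}/cmdline r,` and `deny @{PROC}/sys/kernel/random/boot_id r,` becomes `@{PROC}/sys/kernel/random/boot_id r,`; that is a policy change independent of the `@{tmp}` rename and deserves a sentence in the commit message, and the telegram-desktop hunk below makes the same flip. Separately, the new `@{open_path} rPx -> child-open-help,` transitions to a different child profile than telegram-desktop's `@{open_path} rPx -> child-open,`; if flameshot is only expected to open help links that is the right choice, but a trailing comment such as `# flameshot only opens its help pages` would make the asymmetry look deliberate rather than accidental. The enclosing profile block starts before this hunk.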
@@ -7,28 +7,19 @@ abi ,
 include
-@{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram
-
 @{exec_path} = @{bin}/telegram-desktop
 profile telegram-desktop @{exec_path} {
 include
- include
- include
- include
- include
- include
- include
- include
 include
- include
- include
+ include
+ include
+ include
+ include
+ include
 include
 include
 include
- include
- include
- include
- include
+ include
 network inet dgram,
 network inet6 dgram,
@@ -41,80 +32,26 @@ profile telegram-desktop @{exec_path} {
 @{sh_path} rix,
- # Launch external apps
- @{bin}/xdg-open rCx -> open,
+ @{open_path} rPx -> child-open,
- # What's this for?
- deny @{bin}/fc-list rx,
-
- # Telegram files
 /usr/share/TelegramDesktop/{,**} r,
- # Download dir
- owner @{TELEGRAM_WORK_DIR}/ rw,
- owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#@{int},
-
- # Telegram's profile (via telegram -many -workdir ~/some/dir/)
- #owner @{TELEGRAM_WORK_DIR}/{,**} rw,
-
- # Autostart
- owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
-
- owner /tmp/@{hex}-* rwk,
- owner @{run}/user/@{uid}/@{hex}-* rwk,
-
- /dev/shm/#@{int} rw,
-
- owner @{PROC}/@{pid}/fd/ r,
- deny owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- deny @{PROC}/sys/kernel/random/boot_id r,
-
- /etc/fstab r,
-
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- /usr/share/hwdata/pnp.ids r,
+ owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
- # Allowed apps to open
- @{lib}/firefox/firefox rPx,
- @{bin}/smplayer rPx,
- @{bin}/viewnior rPUx,
- @{bin}/qpdfview rPx,
- @{bin}/geany rPx,
+ owner @{tmp}/@{hex}-* rwk,
+ owner @{run}/user/@{uid}/@{hex}-* rwk,
+ owner /dev/shm/#@{int} rw,
+
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
- # file_inherit
 owner /dev/tty@{int} rw,
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{TELEGRAM_WORK_DIR}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPx,
- @{bin}/smplayer rPx,
- @{bin}/qpdfview rPx,
- @{bin}/viewnior rPUx,
- @{bin}/geany rPx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/groups/apps/zathura b/apparmor.d/groups/apps/zathura
index aaa939e5..0c86abde 100644
--- a/apparmor.d/groups/apps/zathura
+++ b/apparmor.d/groups/apps/zathura
@@ -25,7 +25,7 @@ profile zathura @{exec_path} {
 owner @{user_config_dirs}/zathura/** r,
 owner @{user_share_dirs}/zathura/** rwk,
- owner /tmp/gtkprint* rw,
+ owner @{tmp}/gtkprint* rw,
 include if exists
 }
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 52afd575..f241df38 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -136,11 +136,11 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 /tmp/ r,
 /tmp/apt-changelog-*/ w,
 /tmp/apt-changelog-*/*.changelog w,
- owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
- owner /tmp/apt-dpkg-install-*/ rw,
- owner /tmp/apt-dpkg-install-*/@{int}-*.deb w,
- owner /tmp/apt.conf.* rw,
- owner /tmp/apt.data.* rw,
+ owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw,
+ owner @{tmp}/apt-dpkg-install-*/ rw,
+ owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w,
+ owner @{tmp}/apt.conf.* rw,
+ owner @{tmp}/apt.data.* rw,
 @{PROC}/@{pids}/cmdline r,
 @{PROC}/@{pids}/mountinfo r,
@@ -187,8 +187,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.less* rw,
- owner /tmp/apt-changelog-*/ r,
- owner /tmp/apt-changelog-*/*.changelog r,
+ owner @{tmp}/apt-changelog-*/ r,
+ owner @{tmp}/apt-changelog-*/*.changelog r,
 include if exists
 }
diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config
index 0053232f..52227b9b 100644
--- a/apparmor.d/groups/apt/apt-config
+++ b/apparmor.d/groups/apt/apt-config
@@ -17,7 +17,7 @@ profile apt-config @{exec_path} {
 @{bin}/dpkg rPx -> child-dpkg,
- owner /tmp/tmp*/apt.conf r,
+ owner @{tmp}/tmp*/apt.conf r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates
index c93f890d..ad1f85de 100644
--- a/apparmor.d/groups/apt/apt-extracttemplates
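Review bot: In the first apt hunk the non-owner context lines `/tmp/apt-changelog-*/ w,` and `/tmp/apt-changelog-*/*.changelog w,` keep the literal `/tmp/` while the owner rules directly below them now use `@{tmp}`; if the tunable expands to anything other than `/tmp`, the directory is allowed under one path and its contents under another. Either switch them to `@{tmp}/apt-changelog-*/ w,` and `@{tmp}/apt-changelog-*/*.changelog w,`, or add a comment saying why the non-owner rules stay pinned to `/tmp/`. The aptitude hunk further down leaves `/tmp/aptitude-*.@{pid}:*/pkgstates* r,` in the same mixed state.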
+++ b/apparmor.d/groups/apt/apt-extracttemplates
@@ -27,7 +27,7 @@ profile apt-extracttemplates @{exec_path} {
 owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
- owner /tmp/*.{config,template}.@{rand6} rw,
+ owner @{tmp}/*.{config,template}.@{rand6} rw,
 owner /var/cache/debconf/tmp.ci/*.{config,template}.@{rand6} rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key
index 2334e30d..39ca7d4e 100644
--- a/apparmor.d/groups/apt/apt-key
+++ b/apparmor.d/groups/apt/apt-key
@@ -56,7 +56,7 @@ profile apt-key @{exec_path} {
 /etc/apt/trusted.gpg.d/{,*.gpg,*.asc} r,
 /tmp/ r,
- owner /tmp/apt-key-gpghome.*/{,**} rw,
+ owner @{tmp}/apt-key-gpghome.*/{,**} rw,
 profile gpg {
@@ -93,9 +93,9 @@ profile apt-key @{exec_path} {
 /etc/apt/trusted.gpg.d/*.gpg r,
 /etc/apt/trusted.gpg.d/*.gpg.lock rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid},
- owner /tmp/apt-key-gpghome.*/ rw,
- owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
- owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
+ owner @{tmp}/apt-key-gpghome.*/ rw,
+ owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
+ owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w,
 owner @{run}/user/@{uid}/gnupg/d.*/ rw,
diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins
index ffb2d4c8..92c97cc1 100644
--- a/apparmor.d/groups/apt/apt-listbugs-migratepins
+++ b/apparmor.d/groups/apt/apt-listbugs-migratepins
@@ -25,9 +25,9 @@ profile apt-listbugs-migratepins @{exec_path} {
 /etc/apt/preferences r,
- owner /tmp/pin_migration_*-@{pid}-*/ w,
- owner /tmp/pin_migration_*-@{pid}-*/preferences w,
- owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w,
+ owner @{tmp}/pin_migration_*-@{pid}-*/ w,
+ owner @{tmp}/pin_migration_*-@{pid}-*/preferences w,
+ owner @{tmp}/pin_migration_*-@{pid}-*/apt-listbugs w,
 include if exists
 }
diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges
index ba7038db..3f4890b3 100644
--- a/apparmor.d/groups/apt/apt-listchanges
+++ b/apparmor.d/groups/apt/apt-listchanges
@@ -53,16 +53,16 @@ profile apt-listchanges @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 /tmp/ r,
- owner /tmp/* rw,
- owner /tmp/apt-listchanges*/ rw,
- owner /tmp/apt-listchanges*/**/ rw,
- owner /tmp/apt-listchanges*/*/*/*/*/changelog.gz rw,
- owner /tmp/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw,
- owner /tmp/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw,
- owner /tmp/apt-listchanges*/*/*/*/*/*/changelog.gz rw,
- owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw,
- owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw,
- owner /tmp/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/apt-listchanges*/ rw,
+ owner @{tmp}/apt-listchanges*/**/ rw,
+ owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw,
+ owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw,
+ owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw,
+ owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw,
+ owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw,
+ owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw,
+ owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw,
 # The following is needed when apt-listchanges uses debcconf GUI frontends.
 include
@@ -96,7 +96,7 @@ profile apt-listchanges @{exec_path} {
 /root/ r,
 /tmp/ r,
- owner /tmp/apt-listchanges-tmp*.txt r,
+ owner @{tmp}/apt-listchanges-tmp*.txt r,
 }
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index e85ab0ae..94f51aa9 100644
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@@ -81,9 +81,9 @@ profile apt-methods-gpgv @{exec_path} {
 @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
 /tmp/ r,
- owner /tmp/apt-key-gpghome.*/ rw,
- owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
- owner /tmp/apt.{conf,sig,data}.* rw,
+ owner @{tmp}/apt-key-gpghome.*/ rw,
+ owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
+ owner @{tmp}/apt.{conf,sig,data}.* rw,
 @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http
index 7b27647a..1705e9dc 100644
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@@ -66,8 +66,8 @@ profile apt-methods-http @{exec_path} {
 @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
 /tmp/ r,
- owner /tmp/aptitude-root.*/aptitude-download-* rw,
- owner /tmp/apt-changelog-*/*.changelog rw,
+ owner @{tmp}/aptitude-root.*/aptitude-download-* rw,
+ owner @{tmp}/apt-changelog-*/*.changelog rw,
 @{run}/ubuntu-advantage/aptnews.json rw,
diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store
index fe41d8ec..06f1bb10 100644
--- a/apparmor.d/groups/apt/apt-methods-store
+++ b/apparmor.d/groups/apt/apt-methods-store
@@ -53,7 +53,7 @@ profile apt-methods-store @{exec_path} {
 @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
 /tmp/ r,
- owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
+ owner @{tmp}/apt-changelog-*/*.changelog{,.*} rw,
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude
index 09d3362f..6c204e63 100644
--- a/apparmor.d/groups/apt/aptitude
+++ b/apparmor.d/groups/apt/aptitude
@@ -98,9 +98,9 @@ profile aptitude @{exec_path} flags=(complain) {
 @{bin}/apt rPx,
 # For changelogs
- owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw,
- owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
- owner /tmp/aptitude-*.@{pid}:*/parsedchangelog* w,
+ owner @{tmp}/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw,
+ owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw,
+ owner @{tmp}/aptitude-*.@{pid}:*/parsedchangelog* w,
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/aptitude/ rw,
 owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw,
@@ -108,8 +108,8 @@ profile aptitude @{exec_path} flags=(complain) {
 @{bin}/sensible-pager rCx -> pager,
 # For aptitude-run-state-bundle
- owner /tmp/aptitudebug.*/ r,
- owner /tmp/aptitudebug.*/** rwk,
+ owner @{tmp}/aptitudebug.*/ r,
+ owner @{tmp}/aptitudebug.*/** rwk,
 /var/lib/apt-xapian-index/index r,
 /var/cache/apt-xapian-index/index.[0-9]/*.glass r,
@@ -121,11 +121,11 @@ profile aptitude @{exec_path} flags=(complain) {
 owner @{PROC}/@{pid}/fd/ r,
 /tmp/ r,
- owner /tmp/aptitude-*.@{pid}:*/ rw,
- owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
 /tmp/aptitude-*.@{pid}:*/pkgstates* r,
- owner /tmp/apt-dpkg-install-*/ rw,
- owner /tmp/apt-dpkg-install-*/@{int}-*.deb w,
+ owner @{tmp}/aptitude-*.@{pid}:*/ rw,
+ owner @{tmp}/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
+ owner @{tmp}/apt-dpkg-install-*/ rw,
+ owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w,
 /var/cache/apt/ r,
 /var/cache/apt/** rwk,
@@ -180,7 +180,7 @@ profile aptitude @{exec_path} flags=(complain) {
 owner @{HOME}/.less* rw,
- owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
+ owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw,
 # For shell pwd
 /root/ r,
diff --git a/apparmor.d/groups/apt/aptitude-run-state-bundle b/apparmor.d/groups/apt/aptitude-run-state-bundle
index 7e9ac716..330af646 100644
--- a/apparmor.d/groups/apt/aptitude-run-state-bundle
+++ b/apparmor.d/groups/apt/aptitude-run-state-bundle
@@ -24,7 +24,7 @@ profile aptitude-run-state-bundle @{exec_path} {
 @{bin}/aptitude-curses rPx,
- owner /tmp/aptitudebug.*/{,**} rw,
+ owner @{tmp}/aptitudebug.*/{,**} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign
index d5dbe9bb..c15be86e 100644
--- a/apparmor.d/groups/apt/debsign
+++ b/apparmor.d/groups/apt/debsign
@@ -41,8 +41,8 @@ profile debsign @{exec_path} {
 owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
- owner /tmp/debsign.*/ rw,
- owner /tmp/debsign.*/*.{dsc,changes,buildinfo}{,.asc} rw,
+ owner @{tmp}/debsign.*/ rw,
+ owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}{,.asc} rw,
 profile gpg {
 include
@@ -52,8 +52,8 @@ profile debsign @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ r,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner /tmp/debsign.*/*.{dsc,changes,buildinfo} r,
- owner /tmp/debsign.*/*.{dsc,changes,buildinfo}.asc rw,
+ owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r,
+ owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw,
 }
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index 0f60c730..0402418d 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -67,7 +67,7 @@ profile dpkg @{exec_path} {
 /usr/** rwlk -> /usr/**,
 /var/** rwlk -> /var/**,
- owner /tmp/apt-dpkg-install-*/ r,
+ owner @{tmp}/apt-dpkg-install-*/ r,
 @{run}/systemd/userdb/ r,
diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture
index 2ffaadc4..62351f92 100644
--- a/apparmor.d/groups/apt/dpkg-architecture
+++ b/apparmor.d/groups/apt/dpkg-architecture
@@ -29,7 +29,7 @@ profile dpkg-architecture @{exec_path} {
 /etc/debian_version r,
 # file_inherit
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 profile ccache {
diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb
index b0ba38bf..a463d54e 100644
--- a/apparmor.d/groups/apt/dpkg-deb
+++ b/apparmor.d/groups/apt/dpkg-deb
@@ -25,13 +25,13 @@ profile dpkg-deb @{exec_path} {
 owner /var/lib/dpkg/tmp.ci/* w,
 # For creating deb packages
- owner /tmp/dpkg-deb.* rw,
+ owner @{tmp}/dpkg-deb.* rw,
- owner /tmp/dpkg-deb.*/ rw,
- owner /tmp/dpkg-deb.*/* rw,
+ owner @{tmp}/dpkg-deb.*/ rw,
+ owner @{tmp}/dpkg-deb.*/* rw,
 # For extracting deb packages to /tmp/
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 /var/cache/apt/archives/*.deb r,
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 14ec46d7..9d8d3330 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -39,8 +39,8 @@ profile dpkg-preconfigure @{exec_path} {
 /etc/inputrc r,
 /etc/shadow r,
- owner /tmp/*.template.* rw,
- owner /tmp/*.config.* rwPUx,
+ owner @{tmp}/*.template.* rw,
+ owner @{tmp}/*.config.* rwPUx,
 /var/lib/dbus/machine-id r,
 owner /var/cache/debconf/ rw,
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug
index eb91add8..cc2a5e84 100644
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@@ -77,8 +77,8 @@ profile reportbug @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
- owner /tmp/* rw,
- owner /tmp/reportbug-*-@{int}-@{pid}-* rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/reportbug-*-@{int}-@{pid}-* rw,
 owner /var/tmp/*.bug{,~} rw,
 @{sys}/module/apparmor/parameters/enabled r,
@@ -101,7 +101,7 @@ profile reportbug @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner /tmp/reportbug-*-{signed,unsigned}-* rw,
+ owner @{tmp}/reportbug-*-{signed,unsigned}-* rw,
 owner @{HOME}/draftbugreports/reportbug-*-{signed,unsigned}-* rw,
 include if exists
diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic
index fca72cb7..2423ff3d 100644
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
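Review bot: In the dpkg-preconfigure hunk, `owner @{tmp}/*.config.* rwPUx,` lets the profile write a file under the temp directory and then execute it with an unconfined fallback, which is the write-then-exec combination AppArmor policy usually tries to keep out of a single rule; the grant is pre-existing, but since the line is being rewritten a comment explaining that debconf extracts maintainer config scripts here and has to run them, e.g. `# debconf extracts package config scripts here and executes them`, would tell the next reader why `rw` and `PUx` sit together. If a dedicated child profile for these scripts exists elsewhere in the tree, transitioning to it would be tighter than `PUx`, but I cannot tell from this diff whether one does.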
@@ -132,8 +132,8 @@ profile synaptic @{exec_path} { /etc/machine-id r, /tmp/ r, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/@{int}-*.deb w, + owner @{tmp}/apt-dpkg-install-*/ rw, + owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, /var/cache/apt/ r, /var/cache/apt/** rwk, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index aa0b7bde..9ab8fc69 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -103,7 +103,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, - owner /tmp/apt-dpkg-install-*/{,*} rw, + owner @{tmp}/apt-dpkg-install-*/{,*} rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index af3ea866..b88df258 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -37,10 +37,10 @@ profile brave @{exec_path} { owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, owner @{cache_dirs}/BraveSoftware/ rw, - owner /tmp/net-export/ rw, # For brave://net-export/ + owner @{tmp}/net-export/ rw, # For brave://net-export/ - owner /tmp/.org.chromium.Chromium.* rwk, - owner /tmp/.org.chromium.Chromium*/{,**} rw, + owner @{tmp}/.org.chromium.Chromium.* rwk, + owner @{tmp}/.org.chromium.Chromium*/{,**} rw, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index f3037f5b..818c9dce 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper 
@@ -38,9 +38,9 @@ profile chromium-wrapper @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/chromiumargs.@{rand6} rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, + owner @{tmp}/chromiumargs.@{rand6} rw, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/** rwk, owner /dev/tty@{int} rw, /dev/dri/card[0-9] rw, diff --git a/apparmor.d/groups/browsers/ephy-profile-migrator b/apparmor.d/groups/browsers/ephy-profile-migrator new file mode 100644 index 00000000..1ec92c1b --- /dev/null +++ b/apparmor.d/groups/browsers/ephy-profile-migrator @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/epiphany/ephy-profile-migrator +profile ephy-profile-migrator @{exec_path} { + include + include + include + + @{exec_path} mr, + + owner @{user_cache_dirs}/epiphany/** rw, + owner @{user_config_dirs}/epiphany/{,**} rw, + owner @{user_share_dirs}/epiphany/.migrated{,.@{rand6}} rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany new file mode 100644 index 00000000..8809be13 --- /dev/null +++ b/apparmor.d/groups/browsers/epiphany 
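Review bot: The new ephy-profile-migrator file ends with `\ No newline at end of file`, as does the new epiphany file in the next hunk, while the other new profiles in this commit (msedge, msedge-sandbox, msedge-wrapper) end with a newline; both should get one. `owner @{user_cache_dirs}/epiphany/** rw,` does not cover the `epiphany/` directory itself, unlike the `{,**}` form used on the config line right below it, so if the migrator has to create the cache directory on a fresh install the rule would need the same shape, `owner @{user_cache_dirs}/epiphany/{,**} rw,`; worth confirming against a denial log rather than changing blindly.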
@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/epiphany
+profile epiphany @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability dac_override,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
+
+ @{exec_path} mr,
+
+ @{bin}/bwrap rix,
+ @{bin}/xdg-dbus-proxy rix,
+ @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,
+
+ owner /bindfile@{rand6} rw,
+ owner /.flatpak-info r,
+
+ owner @{user_config_dirs}/glib-2.0/ w,
+ owner @{user_config_dirs}/glib-2.0/settings/ w,
+
+ owner @{tmp}/epiphany-*-@{rand6}/{,**} rw,
+ owner @{tmp}/Serialized@{rand9} rw,
+ owner @{tmp}/WebKit-Media-@{rand6} rw,
+
+ owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/.flatpak/ w,
+ owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw,
+ owner @{run}/user/@{uid}/webkitgtk/ w,
+ owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
+
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/firmware/acpi/pm_profile r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ @{PROC}/zoneinfo r,
+ owner @{PROC}/@{pid}/smaps r,
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ /dev/video@{int} rw,
+
+ include if exists
+}
\ No newline at end of file
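Review bot: The cgroup rule `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r,` in the new epiphany profile has no `owner` qualifier, while the epiphany-search-provider hunk in this same commit adds `owner` to its equivalent `memory.*` rules; the two profiles should agree, so prefix this rule with `owner` as well. Likewise `owner @{tmp}/Serialized@{rand9} rw,` here and `owner @{tmp}/Serialized* rw,` in epiphany-search-provider match different name sets for what appears to be the same WebKit temporary file; the `@{rand9}` form is the tighter one and could be used in both. `capability dac_override,` is granted with no comment naming the access that needs it, which is the kind of line a later audit will question first; a one-line comment stating the observed denial it answers would help.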
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index d3521ac0..224b4cc7 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -119,6 +119,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /etc/mailcap r, /etc/mime.types r, /etc/opensc.conf r, + /etc/opensc/opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, 
@@ -155,32 +156,27 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/.xfsm-ICE-@{rand6} rw, - owner /tmp/@{name}/ rw, - owner /tmp/@{name}/* rwk, - owner /tmp/@{rand6}.tmp r, - owner /tmp/@{rand8}.txt w, - owner /tmp/* w, # file downloads (to anywhere) - owner /tmp/firefox_*/ rw, - owner /tmp/firefox_*/* rwk, - owner /tmp/mozilla_*/ rw, - owner /tmp/mozilla_*/* rw, - owner /tmp/mozilla-temp-@{int} rw, - owner /tmp/Mozilla@{uuid}-cachePurge-??????????????? rwk, - owner /tmp/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, - owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, - owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, - owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk, - owner /tmp/Temp-@{uuid}/{**,} rw, - owner /tmp/tmp-???.xpi rw, - owner /tmp/tmpaddon r, - owner /tmp/tmpaddon-@{int} r, - owner /tmp/user/@{uid}/ rw, - owner /tmp/user/@{uid}/@{name}/ rw, - owner /tmp/user/@{uid}/@{name}/* rwk, - owner /tmp/user/@{uid}/* rwk, - owner /tmp/user/@{uid}/Temp-@{uuid}/ rw, - owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk, + owner @{tmp}/.xfsm-ICE-@{rand6} rw, + owner @{tmp}/@{name}/ rw, + owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp r, + owner @{tmp}/@{rand8}.txt w, + owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/firefox_*/ rw, + owner @{tmp}/firefox_*/* rwk, + owner @{tmp}/mozilla_*/ rw, + owner @{tmp}/mozilla_*/* rw, + owner @{tmp}/mozilla-temp-@{int} rw, + owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, + owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, + owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? 
rwk, + owner @{tmp}/Temp-@{uuid}/ rw, + owner @{tmp}/Temp-@{uuid}/** rwk, + owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmpaddon r, + owner @{tmp}/tmpaddon-@{int} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 2ba1f1f9..e6f8f6b6 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -46,8 +46,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/@{hex}.{dmp,extra} rw, - owner /tmp/firefox/.parentlock w, + owner @{tmp}/@{hex}.{dmp,extra} rw, + owner @{tmp}/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index b86b72a1..62338ee2 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -21,7 +21,7 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/firefox/*/.parentlock rw, - owner /tmp/@{name}/.parentlock rw, + owner @{tmp}/@{name}/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index e0634430..7c436755 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -34,8 +34,8 @@ profile firefox-minidump-analyzer @{exec_path} { owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r, - owner /tmp/@{hex}.{dmp,extra} rw, - owner /tmp/firefox/.parentlock w, + owner @{tmp}/@{hex}.{dmp,extra} rw, + owner @{tmp}/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index ea61658a..deb2735c 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest 
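Review bot: The dropped `owner /tmp/user/@{uid}/* rwk,` and `owner /tmp/user/@{uid}/ rw,` lines have no equivalent on the new side of the firefox hunk: if `@{tmp}` now expands to that per-user directory, as their removal implies, arbitrary files there are covered only by `owner @{tmp}/* w,` (write, no read or lock) and the directory itself only by the literal `/tmp/ r,` context line, so this is either a narrowing the description should call out or a regression to restore with `owner @{tmp}/ rw,` and `owner @{tmp}/* rwk,`. Separately, `owner @{tmp}/Temp-@{uuid}/** rwk,` replaces `owner /tmp/Temp-@{uuid}/{**,} rw,` and adds lock on the whole tree; that looks intentional, since it matches the dropped per-user `Temp-@{uuid}/* rwk` rule, but it is not a pure prefix swap and deserves a word in the description. The profile's body continues outside the hunk.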
+++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -20,7 +20,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /tmp/@{name}/.parentlock rw, + owner @{tmp}/@{name}/.parentlock rw, deny @{config_dirs}/firefox/*/.parentlock rw, deny @{config_dirs}/firefox/*/startupCache/** r, diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge new file mode 100644 index 00000000..d129fc19 --- /dev/null +++ b/apparmor.d/groups/browsers/msedge @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Alexandre Pujol +# Copyright (C) 2022-2024 Jose Maldonado +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = msedge{,-beta,-dev} +@{domain} = com.microsoft.Edge +@{lib_dirs} = /opt/microsoft/@{name} +@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev} +@{cache_dirs} = @{user_cache_dirs}/microsoft-edge{,-beta,-dev} + +@{exec_path} = @{lib_dirs}/@{name} +profile msedge @{exec_path} { + include + include + + @{exec_path} mrix, + + @{bin}/man rPUx, # For "chrome --help" + + @{lib_dirs}/xdg-mime rix, #-> xdg-mime, + @{lib_dirs}/xdg-settings rix, #-> xdg-settings, + + @{lib_dirs}/microsoft-edge{,beta,-dev} rPx, + @{lib_dirs}/msedge_crashpad_handler rPx, + + @{lib_dirs}/*.so* mr, + @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, + + owner @{user_cache_dirs}/Microsoft/ rw, + owner @{user_cache_dirs}/Microsoft/** rwk, + + owner @{tmp}/.ses rw, + owner @{tmp}/cv_debug.log rw, + + include if exists +} diff --git a/apparmor.d/groups/browsers/msedge-crashpad-handlers b/apparmor.d/groups/browsers/msedge-crashpad-handlers new file mode 100644 index 00000000..6f453c65 --- /dev/null +++ b/apparmor.d/groups/browsers/msedge-crashpad-handlers 
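Review bot: `@{lib_dirs}/microsoft-edge{,beta,-dev} rPx,` in the new msedge profile is missing the hyphen in its second alternative: it expands to `microsoft-edgebeta`, which does not match the `@{lib_dirs}/microsoft-edge{,-beta,-dev}` path the new msedge-wrapper profile declares as its `@{exec_path}`, and no other rule in the profile appears to cover that path, so for the beta channel the transition to msedge-wrapper would be denied. Every other alternation in the four new msedge files uses `{,-beta,-dev}`; the line should read `@{lib_dirs}/microsoft-edge{,-beta,-dev} rPx,`. The `# For "chrome --help"` comment on the `@{bin}/man rPUx,` line also reads as carried over from the chromium profile and should name msedge.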
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol
+# Copyright (C) 2022-2024 Jose Maldonado
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev}
+@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev}
+
+@{exec_path} = @{lib_dirs}/msedge_crashpad_handler
+profile msedge-crashpad-handler @{exec_path} {
+ include
+
+ capability sys_ptrace,
+
+ ptrace peer=msedge,
+ signal (send) peer=msedge,
+
+ @{exec_path} mrix,
+
+ owner "@{config_dirs}/Crash Reports/**" rwk,
+
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pids}/mem r,
+ owner @{PROC}/@{pids}/stat r,
+ owner @{PROC}/@{pids}/task/ r,
+
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/browsers/msedge-sandbox b/apparmor.d/groups/browsers/msedge-sandbox
new file mode 100644
index 00000000..f708d2d4
--- /dev/null
+++ b/apparmor.d/groups/browsers/msedge-sandbox
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol
+# Copyright (C) 2022-2024 Jose Maldonado
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev}
+
+@{exec_path} = @{lib_dirs}/msedge-sandbox
+profile msedge-sandbox @{exec_path} {
+ include
+
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_chroot,
+ capability sys_resource,
+
+ @{exec_path} mr,
+
+ @{lib_dirs}/msedge{,-beta,-dev} rPx,
+
+ @{PROC} r,
+ @{PROC}/@{pids}/ r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper
new file mode 100644
index 00000000..e141cff7
--- /dev/null
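Review bot: `ptrace peer=msedge,` in the new msedge-crashpad-handler profile carries no access list, so it grants every ptrace mode (read, trace, readby, tracedby) towards the browser; limiting it to what a crash handler that reads `@{PROC}/@{pids}/mem` needs, e.g. `ptrace (read, trace) peer=msedge,`, keeps the rule as narrow as the `signal (send) peer=msedge,` line beneath it. The file is named `msedge-crashpad-handlers` while the profile inside it is `msedge-crashpad-handler`; the other new files in this commit (msedge, msedge-sandbox, msedge-wrapper) use the profile name as the file name, so the plural looks like a typo and may confuse tooling that keys on the file name.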
+++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Alexandre Pujol +# Copyright (C) 2022-2024 Jose Maldonado +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} + +@{exec_path} = @{lib_dirs}/microsoft-edge{,-beta,-dev} +profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/dirname rix, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/touch rix, + @{bin}/which{,.debianutils} rix, + + @{lib_dirs}/msedge rPx, + + owner @{user_config_dirs}/msedge-flags.conf r, + + owner @{PROC}/@{pid}/fd/* rw, + + # File Inherit + owner @{HOME}/.xsession-errors w, + + # Silencer + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 8a56a9b8..f3a857a4 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -17,7 +17,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm, + signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, dbus bus=accessibility, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 118e951e..5e8733b9 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -55,7 +55,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/*.ref rw, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/loginuid rw, @@ -71,7 +71,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { /etc/cron.*/ r, /etc/cron.*/* rPUx, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, include if exists } 
diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index c2d80609..4b0e1c57 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -75,16 +75,16 @@ profile cron-apt @{exec_path} { # TMP /tmp/ r, - owner /tmp/cron-apt.*/ rw, - owner /tmp/cron-apt.*/difftemp rw, - owner /tmp/cron-apt.*/lockfile rw, - owner /tmp/cron-apt.*/initlog rw, - owner /tmp/cron-apt.*/status rw, - owner /tmp/cron-apt.*/run{log,error,mail,syslog} rw, - owner /tmp/cron-apt.*/action{log,error,mail,syslog} rw, + owner @{tmp}/cron-apt.*/ rw, + owner @{tmp}/cron-apt.*/difftemp rw, + owner @{tmp}/cron-apt.*/lockfile rw, + owner @{tmp}/cron-apt.*/initlog rw, + owner @{tmp}/cron-apt.*/status rw, + owner @{tmp}/cron-apt.*/run{log,error,mail,syslog} rw, + owner @{tmp}/cron-apt.*/action{log,error,mail,syslog} rw, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, include if exists } diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 0a0d2840..aadae9bf 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -54,11 +54,11 @@ profile cron-popularity-contest @{exec_path} { /var/lib/popularity-contest/ rw, /var/lib/popularity-contest/lastsub rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/random_seed w, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/random_seed w, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, profile savelog { @@ -83,7 +83,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest rw, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } @@ -107,7 +107,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.new w, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } 
@@ -124,10 +124,10 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.@{int} r, /var/log/popularity-contest.@{int}.gpg rw, - owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**, + owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } @@ -152,7 +152,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.@{int}.gpg r, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 28f90614..86e19b93 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -30,7 +30,7 @@ profile crontab @{exec_path} { /var/spool/cron/crontabs/ rw, owner /var/spool/cron/crontabs/* rw, - owner /tmp/crontab.*/{,crontab} rw, + owner @{tmp}/crontab.*/{,crontab} rw, profile editor { @@ -51,7 +51,7 @@ profile crontab @{exec_path} { owner @{HOME}/.viminfo{,.tmp} rw, /tmp/ r, - owner /tmp/crontab.*/crontab rw, + owner @{tmp}/crontab.*/crontab rw, # file_inherit /etc/cron.{allow,deny} r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 37d2d980..ad98cdef 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -65,9 +65,8 @@ profile x11-xsession @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/file* rw, - owner /tmp/tmp.@{rand10} rw, - owner /tmp/user/@{uid}/tmp.@{rand10} rw, + owner @{tmp}/file* rw, + owner @{tmp}/tmp.@{rand10} rw, profile ssh-agent { include @@ -88,8 +87,8 @@ profile x11-xsession @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/ssh-*/ rw, - owner /tmp/ssh-*/agent.* rw, + owner @{tmp}/ssh-*/ rw, + owner @{tmp}/ssh-*/agent.* rw, include if exists } diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 53cab22f..11f829df 100644 
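Review bot: The link target on the rewritten `owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**,` line still uses the literal `/tmp/` prefix, so whenever `@{tmp}` expands to something other than `/tmp` (the `/tmp/user/@{uid}/...` rules dropped in the x11-xsession and firefox hunks suggest it does) the two sides of the rule no longer refer to the same tree and the `l` access is denied. The target should use the same variable: `owner @{tmp}/tmp.*/** rwkl -> @{tmp}/tmp.*/**,`. The same split appears in the polkit-kde-authentication-agent hunk (`rwl -> /tmp/#@{int}`) and the xorg hunk (`rwkl -> /tmp/.tX@{int}-lock`), and the xorg hunk also leaves the context line `/tmp/server-@{int}.xkm rw,` on the literal path right next to the converted `owner @{tmp}/server-* rwk,`.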
--- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -75,8 +75,8 @@ profile xdm-xsession @{exec_path} { @{run}/user/@{uid}/xauth_@{rand6} rl, - owner /tmp/ssh-*/ rw, - owner /tmp/ssh-*/agent.* rw, + owner @{tmp}/ssh-*/ rw, + owner @{tmp}/ssh-*/agent.* rw, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index e36b4b21..616d7a1f 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -75,7 +75,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { # wtmp.d ? /var/log/wtmp r, - owner /tmp/gnome-control-center-user-icon-@{rand6} rw, + owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index 70184421..7ef2e530 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -14,7 +14,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { include signal (receive) set=(term kill hup) peer=dbus-session, - signal (receive) set=(term hup) peer=gdm, + signal (receive) set=(term hup) peer=gdm{,-session-worker}, #aa:dbus own bus=session name=ca.desrt.dconf diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 25785b33..29a8f790 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -49,7 +49,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/pipewire/{,**} r, - owner /tmp/librnnoise-@{int}.so rm, + owner @{tmp}/librnnoise-@{int}.so rm, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, 
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index 13331e33..dc4d6822 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -32,7 +32,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /.flatpak-info r, owner @{run}/user/@{uid}/pulse/pid w, - owner /tmp/librnnoise-@{int}.so rm, + owner @{tmp}/librnnoise-@{int}.so rm, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 3fbb2389..0b3fac14 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -10,7 +10,8 @@ include profile plymouthd @{exec_path} { include include - include + include + include capability checkpoint_restore, capability dac_override, @@ -52,7 +53,6 @@ profile plymouthd @{exec_path} { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/graphics/ r, - @{sys}/devices/@{pci}/{,uevent,vendor,device} r, @{sys}/devices/virtual/graphics/fbcon/uevent r, @{sys}/devices/virtual/tty/console/active r, @{sys}/firmware/acpi/bgrt/{,*} r, diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index 5f48d5c2..f1d235c9 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -12,7 +12,6 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 3e8f651c..82bc555d 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent 
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -37,8 +37,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected) owner @{user_cache_dirs}/icon-cache.kcache rw, - owner /tmp/#@{int} rw, - owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 038b4059..b8ee7c4a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -78,12 +78,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{,3}/greeter-dconf-defaults r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/lib/flatpak/exports/share/applications/{**,} r, - @{user_config_dirs}/kioslaverc r, - owner /tmp/icon* rw, + owner @{tmp}/icon* rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 1084a534..a8ff71d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -72,8 +72,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{HOME}/*/{,**} rw, - owner /tmp/.goutputstream-@{rand6} rw, - owner /tmp/@{rand6} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/@{rand6} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 03d3bb35..171a7185 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -62,12 +62,9 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/.icons/{,**} r, owner @{HOME}/@{XDG_DATA_DIR}/ r, - owner /tmp/runtime-*/xauth_@{rand6} r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, - @{run}/mount/utab r, - @{run}/user/@{uid}/xauth_@{rand6} rl, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 912c1835..7959a4ea 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -33,7 +33,7 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { /usr/share/icons/*/.xdg-icon-resource-dummy rw, /usr/share/terminfo/** r, - owner /tmp/.com.google.Chrome.*/chrome-*.png r, + owner @{tmp}/.com.google.Chrome.*/chrome-*.png r, owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw, owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index af03c344..9b655a40 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -36,7 +36,7 @@ profile xdg-screensaver @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.Xauthority r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/xauth-@{int}-_[0-9] r, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 2296787d..d55a3ac9 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -31,7 +31,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/server-@{int}.xkm rwk, - owner /tmp/server-@{int}.xkm rwk, + owner @{tmp}/server-@{int}.xkm rwk, /dev/dri/card@{int} rw, /dev/fb@{int} rw, 
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 7d9536f9..6de7b493 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -83,10 +83,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/server-@{int}.xkm rw, - owner /tmp/.tX@{int}-lock rwk, - owner /tmp/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock, - owner /tmp/server-* rwk, - owner /tmp/serverauth.* r, + owner @{tmp}/.tX@{int}-lock rwk, + owner @{tmp}/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock, + owner @{tmp}/server-* rwk, + owner @{tmp}/serverauth.* r, @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index c9698ba1..dd837aa5 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xprop -profile xprop @{exec_path} { +profile xprop @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 50b79e33..0947721d 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -37,12 +37,12 @@ profile xrdb @{exec_path} { owner @{user_share_dirs}/sddm/wayland-session.log w, - owner /tmp/kcminit.* r, - owner /tmp/kded{5,6}.@{rand6} r, - owner /tmp/plasma-apply-lookandfeel.* r, - owner /tmp/runtime-*/xauth_@{rand6} r, - owner /tmp/startplasma-x11.@{rand6} r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/kcminit.* r, + owner @{tmp}/kded{5,6}.@{rand6} r, + owner @{tmp}/plasma-apply-lookandfeel.* r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, + owner @{tmp}/startplasma-x11.@{rand6} r, + owner @{tmp}/xauth-@{int}-_[0-9] r, @{run}/sddm/\{@{uuid}\} r, @{run}/sddm/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 34490cc9..4564617e 100644 
--- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -14,6 +14,8 @@ profile xsetroot @{exec_path} { capability dac_read_search, + signal (receive) set=(kill) peer=sddm, + @{exec_path} mr, /usr/share/icons/{,**} r, @@ -27,7 +29,7 @@ profile xsetroot @{exec_path} { owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, @{run}/sddm/\{@{uuid}\} r, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index fd25c221..9d457e88 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -26,7 +26,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, - owner /tmp/server-@{int}.xkm rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index e58d5877..7b840bd7 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider 
@@ -31,13 +31,13 @@ profile epiphany-search-provider @{exec_path} { owner @{user_cache_dirs}/epiphany/{,**} rwk, owner @{user_share_dirs}/epiphany/{,**} rwk, - owner /tmp/ContentRuleList@{rand6} rw, - owner /tmp/Serialized* rw, + owner @{tmp}/ContentRuleList@{rand6} rw, + owner @{tmp}/Serialized* rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/driver/nvidia/params r, @{PROC}/modules r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 27936849..95afc8fc 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -33,11 +33,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (receive) set=term peer=gdm, signal (send) set=(hup term) peer=gdm-session, signal (send) set=hup peer=at-spi*, + signal (send) set=hup peer=dbus-accessibility, signal (send) set=hup peer=dbus-session, + signal (send) set=hup peer=dconf-service, signal (send) set=hup peer=gjs-console, signal (send) set=hup peer=gnome-*, signal (send) set=hup peer=gsd-*, signal (send) set=hup peer=ibus-*, + signal (send) set=hup peer=mutter-x11-frames, signal (send) set=hup peer=tracker-miner, signal (send) set=hup peer=xdg-*, signal (send) set=hup peer=xorg, 
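Review bot: The new `signal (send) set=hup peer=mutter-x11-frames,` line in the gdm-session-worker hunk has no matching receive rule anywhere in this diff: dbus-accessibility and dconf-service get `signal (receive) ... peer=gdm{,-session-worker}` in their own hunks, but no mutter-x11-frames hunk is visible, so unless that profile already accepts hup from gdm-session-worker the signal will still be denied on the receiving side. Worth checking the mutter-x11-frames profile (outside this diff) and adding `signal (receive) set=hup peer=gdm-session-worker,` there if it is missing.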
@@ -45,7 +48,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 174fda70..5c26437a 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -59,7 +59,7 @@ profile gdm-xsession @{exec_path} { /etc/default/im-config r, /etc/X11/{,**} r, - owner /tmp/gdm{3,}-config-err-@{rand6} rw, + owner @{tmp}/gdm{3,}-config-err-@{rand6} rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 41a84cbc..ee5adbae 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -26,7 +26,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{,**} rw, - owner /tmp/wl-copy-buffer-@{rand6}/stdin r, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 292013a5..de2f97e6 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -39,11 +39,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll 
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index a23f6152..4df820c8 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -23,7 +23,7 @@ profile gnome-calendar @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gnome.Calendar interface={org.freedesktop.Application,org.gtk.Actions} + #aa:dbus own bus=session name=org.gnome.Calendar #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 6897a11d..531a3273 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -127,7 +127,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/icc/{,edid-*} r, - owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/cups/cups.sock rw, @{run}/samba/ rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index b858ab8e..f3c87abc 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -46,8 +46,6 @@ profile gnome-control-center-goa-helper @{exec_path} { /usr/share/cracklib/* r, /usr/share/publicsuffix/public_suffix_list.dafsa r, - /var/lib/flatpak/exports/share/icons/{,**} r, - owner @{user_config_dirs}/goa-1.0/accounts.conf r, owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, 
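Review bot: Dropping `interface={org.freedesktop.Application,org.gtk.Actions}` from the gnome-calendar `#aa:dbus own` directive widens the generated own/send/receive rules from those two interfaces to every interface exposed under org.gnome.Calendar. The gnome-terminal-server hunk in this same commit goes the other way and adds an `interface=org.gtk.Actions` qualifier, so the two changes pull in opposite directions. If the wider form is what the application needs, a comment on the line naming the interfaces that were observed would make the asymmetry look deliberate rather than accidental.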
diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 6c3b0b15..dbb14921 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -22,10 +22,10 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, - owner /tmp/flatpak-seccomp-@{rand6} rw, - owner /tmp/gnome-desktop-file-to-thumbnail.* r, - owner /tmp/gnome-desktop-thumbnailer.png w, - owner /tmp/gsf-thumbnailer-@{rand6} rw, + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-file-to-thumbnail.* r, + owner @{tmp}/gnome-desktop-thumbnailer.png w, + owner @{tmp}/gsf-thumbnailer-@{rand6} rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index c30712f9..94be9636 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -18,7 +18,7 @@ profile gnome-disk-image-mounter @{exec_path} { # Allow to mount user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware new file mode 100644 index 00000000..e0faf16a --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-firmware 
@@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-firmware +profile gnome-firmware @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 4c3f5da5..5f7d01a8 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -21,9 +21,9 @@ profile gnome-logs @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-1000@@{hex32}-@{hex}-@{hex}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps new file mode 100644 index 00000000..b04c0681 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-maps 
@@ -0,0 +1,50 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-maps /usr/share/gnome-maps/org.gnome.Maps +profile gnome-maps @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + audit @{bin}/gjs-console rix, + + owner @{user_pictures_dirs}/** rw, + + owner @{user_cache_dirs}/shumate/{,**} rw, + + owner @{user_cache_dirs}/shumate/ rw, + owner @{user_cache_dirs}/shumate/** rwlk, + + owner @{user_config_dirs}/shumate/ rw, + owner @{user_config_dirs}/shumate/** rwlk, + + owner @{user_share_dirs}/shumate/ rw, + owner @{user_share_dirs}/shumate/** rwlk, + + @{run}/mount/utab r, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index bdf96a84..f22cde87 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -47,7 +47,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, - owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, + owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, owner /var/tmp/etilqs_@{hex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 051f0afd..9c7044d0 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon 
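Review bot: The `audit @{bin}/gjs-console rix,` line in the new gnome-maps profile emits an audit record on every allowed exec of gjs-console, which reads like a leftover from collecting the rule set; the parallel rule in the new gnome-weather profile is `@{bin}/gjs-console rix,` without the qualifier, so dropping `audit` here keeps the two profiles consistent. The three shumate cache rules overlap: `owner @{user_cache_dirs}/shumate/{,**} rw,` already covers both the directory and everything below it, and the only thing the `/** rwlk` line adds is `l` and `k`. Keeping just `owner @{user_cache_dirs}/shumate/ rw,` and `owner @{user_cache_dirs}/shumate/** rwlk,` expresses the same grant once, matching how the config and share directories are written a few lines further down.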
@@ -11,6 +11,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include include include include @@ -19,6 +20,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gnome.RemoteDesktop.User + #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8c69b6ac..8e2c7c67 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-shell profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include @@ -20,13 +19,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include - include include include include @@ -89,10 +86,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* 
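Review bot: The new `#aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console` line in gnome-shell reads as if gjs-console were the service owning org.gnome.ScreenSaver, while the rule this commit removes from gjs-console (`dbus send ... path=/org/gnome/ScreenSaver ... peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell)`) had gjs-console as the client and gnome-shell as the service. If the `talk` directive expands the way the other talk lines in this tree do (this profile sends to `name=`, the peer confined by `label=` answers), the directive belongs in gjs-console as `#aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gnome-shell`, with gnome-shell's side covered by an own rule for that name if it does not already have one. Worth checking against the generated rules before merging, because an inverted directive would leave gjs-console with no send rule to the screen shield after its explicit rule was removed.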
@@ -198,7 +196,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, - /usr/share/gnome-shell/{,**} r, /usr/share/libgweather/Locations.xml r, /usr/share/libinput*/ r, /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r, @@ -207,7 +204,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, + @{system_share_dirs}/gnome-shell/{,**} r, + / r, /.flatpak-info r, /etc/fstab r, /etc/timezone r, @@ -218,7 +217,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, - /var/lib/flatpak/exports/share/gnome-shell/{,**} r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, @@ -285,8 +283,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, - owner /tmp/@{rand6}.shell-extension.zip rw, - owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{tmp}/@{rand6}.shell-extension.zip rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 362d1171..f4e6a126 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -29,7 +29,7 @@ profile gnome-software @{exec_path} { @{exec_path} mr, @{bin}/baobab rPUx, - @{bin}/bwrap rPUx, + @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, 
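Review bot: `@{bin}/bwrap rPx -> flatpak-app,` in gnome-software drops the `U` fallback that `rPUx` had, so on a host where the flatpak-app profile is not loaded the exec is now denied rather than running unconfined. That is the right direction for confinement, but it is a visible behaviour change for users whose flatpak-app profile is missing or disabled, and the same hunk still keeps `@{bin}/baobab rPUx,`, so the fallback policy within this profile is now mixed. A one-line comment next to the bwrap rule saying the strict transition is intentional would save the next reader from "fixing" it back.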
@@ -61,7 +61,7 @@ profile gnome-software @{exec_path} { /var/lib/flatpak/appstream/{,**} r, /var/lib/flatpak/repo/{,**} r, /var/lib/flatpak/runtime/{,**} r, - + /var/lib/PackageKit/offline-update-competed r, /var/lib/PackageKit/prepared-update r, /var/lib/swcatalog/icons/**.png r, @@ -86,9 +86,9 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, - owner /tmp/ostree-gpg-*/ rw, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner /tmp/#@{int} rw, + owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/#@{int} rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw, owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, @@ -121,8 +121,9 @@ profile gnome-software @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + @{tmp}/ r, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{run}/user/@{uid}/gnupg/ w, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 67d9d7c8..d06d7214 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} { ptrace (read) peer=htop, ptrace (read) peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal + #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 
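Review bot: `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,` rewrites the source path with `@{tmp}` but leaves the link target as a literal `/tmp/`, so whenever `@{tmp}` expands to something other than `/tmp` (which is the reason for introducing the variable) the `l` permission can never match and link creation is denied. The target should use the same variable: `owner @{tmp}/ostree-gpg-*/** rwkl -> @{tmp}/ostree-gpg-*/**,`. The same mismatch appears in both gnome-software hunks here and in the gpg, gpg-connect-agent, DiscoverNotifier (its gpg child profile), kconf_update and kded hunks of this commit, which all keep a hard-coded `/tmp/` on the right-hand side of `->`.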
@@ -56,7 +56,7 @@ profile gnome-terminal-server @{exec_path} { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather new file mode 100644 index 00000000..1b59bcf3 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-weather @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-weather /usr/share/org.gnome.Weather/org.gnome.Weather +profile gnome-weather @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + /usr/share/org.gnome.Weather/{,**} r, + + owner @{user_cache_dirs}/libgweather/{,**} rw, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 0b722c5a..4003d175 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -31,6 +31,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/opensc.conf r, + /etc/opensc/opensc.conf r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index 82dfac0d..e8c7b0f8 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx 
@@ -32,7 +32,7 @@ profile kgx @{exec_path} { @{open_path} rPx -> child-open-help, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 459970b0..c4c22af1 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -18,7 +18,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(term) peer=gdm, + signal (receive) set=(hup term) peer=gdm{,-session-worker}, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 0e9ace3b..8d9c643e 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -92,7 +92,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, - owner /tmp/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 8c89c058..8987ae31 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -36,6 +36,8 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, + /etc/opensc.conf r, + /etc/opensc/opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 92a22c60..66beccbb 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
@@ -49,9 +49,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /etc/blkid.conf r, /etc/fstab r, - /var/lib/flatpak/exports/share/applications/mimeinfo.cache r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ rw, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, @@ -63,13 +60,13 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_cache_dirs}/tracker3/ w, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_share_dirs}/gvfs-metadata/** r, - owner /tmp/tracker-extract-3-files.*/{,*} rw, + owner @{tmp}/tracker-extract-3-files.*/{,*} rw, @{run}/blkid/blkid.tab r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index d78217b3..6646d69d 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -66,11 +66,12 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_share_dirs}/applications/ r, owner /var/tmp/etilqs_@{hex} rw, + owner @{tmp}/etilqs_@{hex} rw, # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_cache_dirs}/tracker3/ rw, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 28931a3c..f54d7654 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp 
@@ -27,6 +27,8 @@ profile yelp @{exec_path} { @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r, + @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 2be51ff5..35fce836 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -55,10 +55,10 @@ profile gpg @{exec_path} { owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, #aa:exclude ubuntu - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner /tmp/tmp.[a-zA-Z0-9]* rw, + owner @{tmp}/tmp.[a-zA-Z0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index d600d3c1..109395ee 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -75,11 +75,11 @@ profile gpg-agent @{exec_path} { owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/@{hex}.key rw, owner /var/tmp/zypp.*/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner /tmp/tmp.*/gnupg/ rw, - owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, - owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, - owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, - owner /tmp/tmp.*/gnupg/sshcontrol r, + owner @{tmp}/tmp.*/gnupg/ rw, + owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/ rw, + owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{tmp}/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, + owner @{tmp}/tmp.*/gnupg/sshcontrol r, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index 4582af93..ed938177 100644 
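Review bot: `owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r,` in yelp hard-codes uid 1000 twice, while the context line directly above it uses `user-@{uid}.slice/user@@{uid}.service`, and the gnome-logs hunk in this same commit replaces a `user-1000@` literal with `user-@{uid}@`. As written the rule only works for the first local user; it should read `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,`. It is also broader than the existing line (any `*.slice` instead of `app-gnome-yelp-*.scope`), so if it is meant to supersede that line the narrower one can go rather than keeping both.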
--- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -22,9 +22,9 @@ profile gpg-connect-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw, - owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, - owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, + owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, include if exists } diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index f34135c8..a88c075e 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -22,7 +22,7 @@ profile grub-check-signatures @{exec_path} { /usr/share/debconf/confmodule r, - owner /tmp/tmp.*/ rw, + owner @{tmp}/tmp.*/ rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 276dd802..20a89c9f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,6 +11,10 @@ include profile gvfsd-recent @{exec_path} { include include + include + include + include + include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 56768040..8344c454 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -24,7 +24,7 @@ profile gvfsd-trash @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=:*, label=gnome-shell), + peer=(name=:*, label="{gnome-shell,nautilus}"), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable 
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 59965425..b7fc61d2 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -13,14 +13,22 @@ profile DiscoverNotifier @{exec_path} { include include include + include network inet dgram, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink dgram, + network netlink raw, @{exec_path} mr, - @{bin}/apt-config rPx, + @{bin}/apt-config rPx, + + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, /usr/share/knotifications{5,6}/{,**} r, /usr/share/metainfo/{,**} r, @@ -28,7 +36,7 @@ profile DiscoverNotifier @{exec_path} { /etc/machine-id r, /etc/flatpak/remotes.d/{,**} r, - /var/lib/flatpak/repo/{,**} r, + /var/lib/flatpak/{,**} r, /var/cache/swcatalog/cache/ w, @@ -45,9 +53,29 @@ profile DiscoverNotifier @{exec_path} { owner @{user_share_dirs}/flatpak/{,**} rw, + owner @{tmp}/ostree-gpg-*/ rw, + @{PROC}/sys/kernel/core_pattern r, /dev/tty r, + profile gpg { + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + + @{HOME}/@{XDG_GPG_DIR}/*.conf r, + + @{tmp}/ r, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + + owner @{run}/user/@{uid}/gnupg/ w, + + include if exists + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 2f3d0ea8..81cb07fb 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -33,7 +33,7 @@ profile baloo @{exec_path} { # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc rwl, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 54282725..b92bcd00 100644 --- a/apparmor.d/groups/kde/baloorunner 
+++ b/apparmor.d/groups/kde/baloorunner @@ -28,7 +28,42 @@ profile baloorunner @{exec_path} { /tmp/ r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi* r, # for motherboard info + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + @{PROC}/sys/kernel/core_pattern r, + /dev/tty r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 5e5381da..b22386b5 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin 
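Review bot: In `@{run}/udev/data/c18[0,8,9]:@{int} r,` the commas inside the bracket expression are literal characters, so the class matches `0`, `,`, `8` and `9` rather than acting as alternation; `@{run}/udev/data/c18[089]:@{int} r,` is what the trailing comment (USB devices and USB serial converters) describes. The rest of the block is a long verbatim list of udev device-info rules with their own comments; if the project already carries this set in an abstraction, an `include` would keep the comments and the `@{dynamic}` major range in one place instead of copying them per profile. The enclosing baloorunner profile starts outside the hunk.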
@@ -15,6 +15,7 @@ profile dolphin @{exec_path} { include include include + include include include include @@ -45,9 +46,15 @@ profile dolphin @{exec_path} { # Full access to user's data / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, - - /var/lib/flatpak/exports/share/mime/ r, + owner @{run}/user/@{uid}/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, @@ -65,7 +72,7 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/session/ rw, diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index 4b1841b1..ac9943a5 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -12,6 +12,9 @@ profile drkonqi-coredump-processor @{exec_path} { include include + capability dac_override, + capability dac_read_search, + @{exec_path} mr, /etc/machine-id r, 
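Review bot: `capability dac_override,` in drkonqi-coredump-processor grants a bypass of every DAC check, including writes, while all the file rules this commit adds for the profile (the journal paths in the following hunk) are read-only; `capability dac_read_search,` on its own already covers reading root-owned journal files and traversing their directories. Unless a write to a root-owned path has actually been observed in the audit log, dropping `capability dac_override,` keeps the grant at least privilege. If the override is genuinely needed, a short comment naming the path that requires it would stop the next reader from removing it again.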
@@ -20,7 +23,11 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, + /{run,var}/log/journal/remote/ r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 0977dbe4..bec3e445 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -32,11 +32,11 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, - owner /tmp/#@{int} rw, - owner /tmp/kcminit.@{rand6} rwl, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kcminit.@{rand6} rwl, - owner /tmp/.touchpaddefaults wl, - owner /tmp/.touchpaddefaults.lock rwk, + owner @{tmp}/.touchpaddefaults wl, + owner @{tmp}/.touchpaddefaults.lock rwk, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 0d12ba6c..3294b1c5 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -91,9 +91,9 @@ profile kconf_update @{exec_path} { owner @{user_share_dirs}/krunnerstaterc.lock rwk, owner @{user_share_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner /tmp/#@{int} rw, - owner /tmp/kconf_update.@{rand6}.lock rwk, - owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kconf_update.@{rand6}.lock rwk, + owner @{tmp}/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int}, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, 
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 35d5e2cd..9e596c41 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -62,7 +62,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/drm/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, @{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/**/ r, @{sys}/devices/i2c-@{int}/name r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index be586349..d9cfaf0f 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -113,6 +113,8 @@ profile kded @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, + / r, + owner @{HOME}/.gtkrc-2.0 rw, @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, @@ -177,9 +179,9 @@ profile kded @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl, - owner /tmp/#@{int} rw, - owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int}, - owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, + owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 4df7beae..3e8d2a59 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -60,7 +60,7 @@ profile kioworker @{exec_path} { @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, - owner /tmp/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, 
@@ -86,7 +86,7 @@ profile kioworker @{exec_path} { owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kservices{5,6}/{,**} r, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index b3c2853f..45cb52cf 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -36,30 +36,31 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/sounds/** r, /etc/xdg/konsolerc r, + /etc/xdg/kshorturifilterrc r, /etc/xdg/menus/{,**} r, /etc/xdg/ui/ui_standards.rc r, owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{user_config_dirs}/#@{int} rwl, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca{5,6}_* r, + owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, owner @{user_share_dirs}/konsole/** rwlk, owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r, - owner /tmp/#@{int} rw, - owner /tmp/konsole.@{rand6} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/konsole.@{rand6} rw, @{PROC}/sys/kernel/core_pattern r, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index b2fe6006..17eaa8e8 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet 
@@ -91,7 +91,7 @@ profile kscreenlocker_greet @{exec_path} { deny owner @{HOME}/#@{int} mrw, owner @{HOME}/.glvnd* mrw, - owner /tmp/*-cover-*.{jpg,png} r, + owner @{tmp}/*-cover-*.{jpg,png} r, @{run}/faillock/[a-zA-z0-9]* rwk, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index a1981e28..e5f89829 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -43,8 +43,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/xdg/kscreenlockerrc r, /etc/xdg/menus/{,*} r, - /var/lib/flatpak/exports/share/mime/ r, - owner @{HOME}/@{rand6} rw, owner @{HOME}/.Xauthority rw, @@ -64,7 +62,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, - owner /tmp/@{rand6} rw, + owner @{tmp}/@{rand6} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index fa8bd0b9..a13b08f3 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -30,8 +30,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { /usr/share/plasma/desktoptheme/** r, /usr/share/plasma/look-and-feel/** r, /var/lib/AccountsService/icons/ r, - /var/lib/flatpak/exports/share/icons/{,**} r, - /var/lib/flatpak/exports/share/mime/generic-icons r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index aca93c0e..1080978c 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart 
@@ -22,8 +22,6 @@ profile kstart @{exec_path} flags=(attach_disconnected) { @{bin}/** rPUx, @{bin}/konsole rPx, - /var/lib/flatpak/exports/share/mime/ r, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index eb36bd8a..5aa42fb3 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -41,7 +41,7 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, - owner /tmp/kwalletd5.* rw, + owner @{tmp}/kwalletd5.* rw, @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 6b570b1d..9a513c62 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -52,6 +52,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/machine-id r, /var/lib/dbus/machine-id r, + / r, + owner @{HOME}/ r, + owner @{sddm_cache_dirs}/#@{int} rwk, owner @{sddm_cache_dirs}/fontconfig/* rwk, owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.LCK l -> @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.TMP-@{rand6}, @@ -73,7 +76,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/kwin/ rw, - owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/**, + owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, 
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index d7db0a64..cd43b074 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -56,8 +56,8 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/#@{int} rw, - owner /tmp/#@{int} rw, - owner /tmp/kwin.@{rand6} rwl, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kwin.@{rand6} rwl, owner @{run}/user/@{uid}/kcrash_@{int} rw, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index fa00bcc1..71a982ca 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -45,8 +45,8 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, - owner /tmp/#@{int} rw, - owner /tmp/okular_@{rand6}.ps rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index a9be8644..93b11c81 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -28,12 +28,11 @@ profile plasma-browser-integration-host @{exec_path} { /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - /var/lib/flatpak/exports/share/mime/ r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index c06c3c18..6b8269b4 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover 
@@ -83,11 +83,11 @@ profile plasma-discover @{exec_path} { owner @{user_share_dirs}/kwin/ rw, owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**, - owner /tmp/*.kwinscript rwl -> /tmp/#@{int}, - owner /tmp/#@{int} rw, - owner /tmp/discover-@{rand6}/{,**} rw, - owner /tmp/ostree-gpg-*/ rw, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/discover-@{rand6}/{,**} rw, + owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak/{,**} rw, @@ -109,8 +109,8 @@ profile plasma-discover @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, include if exists } diff --git a/apparmor.d/groups/kde/plasma-emojier b/apparmor.d/groups/kde/plasma-emojier new file mode 100644 index 00000000..58339039 --- /dev/null +++ b/apparmor.d/groups/kde/plasma-emojier @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/plasma-emojier +profile plasma-emojier @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + owner @{user_cache_dirs}/plasma.emojier/{,**} rw, + + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/plasma.emojierrc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/plasma.emojierrc.lock rwk, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index c3515edb..ec5450de 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname 
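Review bot: In the first plasma-discover hunk the link targets were not moved with their sources: `owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int},` and `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,` still point at a literal `/tmp`, so wherever `@{tmp}` is a per-user directory the `l` part of the rule can never match and the kwinscript install and ostree GPG keyring setup will fail on the link step. Suggest `owner @{tmp}/*.kwinscript rwl -> @{tmp}/#@{int},` and `owner @{tmp}/ostree-gpg-*/** rwkl -> @{tmp}/ostree-gpg-*/**,`; the second hunk of this file repeats the ostree-gpg pair and needs the same change. The enclosing profile block starts and ends outside both hunks.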
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index dc64e6be..403c7eb5 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -69,6 +69,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/metainfo/{,**} r, /usr/share/plasma/{,**} r, /usr/share/plasma5support/** r, + /usr/share/rider/{,**} r, /usr/share/solid/actions/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/templates/{,*.desktop} r, @@ -79,8 +80,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/fstab r, /etc/ksysguarddrc r, /etc/machine-id r, - /etc/sensors3.conf r, + /etc/os-release r, /etc/sensors.d/ r, + /etc/sensors3.conf r, /etc/xdg/** r, /var/lib/AccountsService/icons/* r, @@ -105,6 +107,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, + owner @{user_cache_dirs}/plasma_engine_potd/{,**} rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, @@ -164,9 +167,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma/{,**} r, owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**, owner @{user_share_dirs}/user-places.xbel{,*} rwl, + owner @{user_share_dirs}/wallpapers/{,**} rw, /tmp/.mount_nextcl@{rand6}/{,*} r, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index adc56bae..3939eeb9 100644 --- a/apparmor.d/groups/kde/sddm 
+++ b/apparmor.d/groups/kde/sddm @@ -42,6 +42,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (receive) set=(hup) peer=@{p_systemd}, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, + signal (send) set=(kill, term) peer=xsetroot, signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, @@ -76,6 +77,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/disable-paste rix, @{bin}/locale rix, @{bin}/manpath rix, + @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, @@ -151,6 +153,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.jsc mrw, owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.qmlc mrw, + owner @{HOME}/ r, owner @{HOME}/.local/ w, owner @{HOME}/.Xauthority rw, @@ -165,9 +168,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/sddm-* rw, /tmp/xauth_@{rand6} rwl -> /tmp/#@{int}, - owner /tmp/*/{,s} rw, - owner /tmp/#@{int} rw, - owner /tmp/sddm-auth* rw, + owner @{tmp}/*/{,s} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/sddm-auth* rw, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/sddm.pid rw, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f19aaf47..eb894313 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -37,6 +37,7 @@ profile sddm-greeter @{exec_path} { /usr/share/hunspell/** r, /etc/fstab r, + /etc/os-release r, /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, @@ -62,8 +63,8 @@ profile sddm-greeter @{exec_path} { deny owner @{HOME}/#@{int} mrw, owner @{HOME}/.glvnd* mrw, - owner /tmp/runtime-sddm/ rw, - owner /tmp/sddm-:@{int}-@{rand6} rw, + owner @{tmp}/runtime-sddm/ rw, + owner @{tmp}/sddm-:@{int}-@{rand6} rw, owner @{run}/sddm/{,*} rw, 
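Review bot: The sddm hunk converts only the `owner` lines to `@{tmp}` while the context lines `/tmp/sddm-* rw,` and `/tmp/xauth_@{rand6} rwl -> /tmp/#@{int},` stay on a literal `/tmp`, so the new `owner @{tmp}/sddm-auth* rw,` is redundant wherever `@{tmp}` is `/tmp` (already covered by the unrestricted `/tmp/sddm-*`) and is the only rule pointing at a per-user temp dir where it is not; since a display manager runs before any user PAM session, a one-line comment stating which expansion sddm is expected to hit, or converting all three lines consistently, would make the intent checkable. Separately, the nearby context line `@{run}/faillock/[a-zA-z0-9]* rwk,` has a lowercase `z` in the character class: `A-z` also admits `[`, `\`, `]`, `^`, `_` and the backtick and should read `@{run}/faillock/[a-zA-Z0-9]* rwk,` (the same typo appears in the kscreenlocker_greet hunk). The sddm profile block starts and ends outside the hunk.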
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 52f0903b..55896c8c 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -70,9 +70,9 @@ profile sddm-xsession @{exec_path} { owner @{user_share_dirs}/sddm/xorg-session.log w, - owner /tmp/xsess-env-* rw, - owner /tmp/file* rw, - owner /tmp/tmp.* rw, + owner @{tmp}/xsess-env-* rw, + owner @{tmp}/file* rw, + owner @{tmp}/tmp.* rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 4d26e0a5..7c11a414 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -65,6 +65,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/ksplashrc r, owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/plasma_workspace.notifyrc r, owner @{user_config_dirs}/plasma-localerc rwl, owner @{user_config_dirs}/plasma-localerc.lock rwk, owner @{user_config_dirs}/plasma-workspace/env/ r, @@ -72,12 +73,13 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, + owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/kservices{5,6}/{,**} r, owner @{user_share_dirs}/sddm/wayland-session.log rw, owner @{user_share_dirs}/sddm/xorg-session.log rw, - owner /tmp/#@{int} rw, - owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int}, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index cc96b067..b7db4114 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy 
@@ -18,7 +18,7 @@ profile xembedsniproxy @{exec_path} { /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index c8cf1d5d..9c84c2bc 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -16,7 +16,7 @@ profile xsettingsd @{exec_path} { owner @{user_config_dirs}/xsettingsd/{,**} rw, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, owner @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 83721600..7ba42ab0 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -57,8 +57,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner /tmp/@{uuid} rw, - owner /tmp/talpid-openvpn-@{uuid} rw, + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 86f11b55..2ba5ee9a 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -30,7 +30,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/dconf/user rw, - owner /tmp/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, @{run}/systemd/inhibit/*.ref rw, diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index 1df0cb15..78fefff1 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync 
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -20,11 +20,11 @@ profile archlinux-keyring-wkd-sync @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/dirmngr rix, - @{bin}/gpg{,2} rix, @{bin}/gpg-agent rix, + @{bin}/gpg{,2} rix, @{bin}/pacman-conf rix, /etc/pacman.conf r, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 511d7604..1a3a6ec4 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -55,7 +55,7 @@ profile aurpublish @{exec_path} { owner @{user_cache_dirs}/makepkg/src/* rw, owner @{user_config_dirs}/pacman/makepkg.conf r, - owner /tmp/tmp.* rw, + owner @{tmp}/tmp.* rw, owner @{PROC}/@{pid}/maps r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index c5a1b83c..ba8f69d4 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -76,9 +76,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/locale.conf r, /etc/lvm/lvm.conf r, /etc/mkinitcpio.conf r, - /etc/mkinitcpio.d/{,**} r, /etc/mkinitcpio.conf.d/{,**} r, + /etc/mkinitcpio.d/{,**} r, /etc/modprobe.d/{,*} r, + /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, @@ -106,8 +107,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Temp files owner @{run}/initramfs/{,**} rw, owner @{run}/mkinitcpio.@{rand6}/{,**} rw, - owner /tmp/mkinitcpio.@{rand6} rw, - owner /tmp/mkinitcpio.@{rand6}/{,**} rw, + owner @{tmp}/mkinitcpio.@{rand6} rw, + owner @{tmp}/mkinitcpio.@{rand6}/{,**} rw, @{sys}/class/block/ r, @{sys}/devices/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ac6bafdd..79387790 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman 
@@ -100,6 +100,7 @@ profile pacman @{exec_path} { @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/vlc/vlc-cache-gen rPx, + /opt/Mullvad*/resources/mullvad-setup rPx, /usr/share/code-features/patch.py rPx, /usr/share/code-marketplace/patch.py rPx, /usr/share/libalpm/scripts/* rPUx, @@ -125,9 +126,9 @@ profile pacman @{exec_path} { @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, owner /var/lib/pacman/{,**} rwl, - owner /tmp/alpm_*/{,**} rw, - owner /tmp/checkup-db-@{int}/sync/{,*.db*} rw, - owner /tmp/checkup-db-@{int}/db.lck rw, + owner @{tmp}/alpm_*/{,**} rw, + owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, + owner @{tmp}/checkup-db-@{int}/db.lck rw, @{run}/utmp rk, @@ -189,6 +190,19 @@ profile pacman @{exec_path} { include capability net_admin, + capability dac_read_search, + capability sys_resource, + + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/diff rPx -> child-pager, + + /etc/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/*.journal* r, include if exists } diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 0ea99782..bc60b577 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -42,7 +42,7 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner /tmp/ssh-*/{,agent.@{int}} rwkl, + owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, owner @{run}/user/@{uid}/keyring/ssh rw, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 84da0a5f..a3e29d9d 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent 
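Review bot: The journal glob added at the end of the `@@ -189` pacman hunk, `/{run,var}/log/journal/@{hex32}/*.journal* r,`, is looser than the explicit `system`/`user-@{uid}` plus `@@{hex32}-@{hex16}-@{hex16}` forms this same commit introduces in drkonqi-coredump-processor and journalctl, and it also matches any other file ending in `.journal` that lands under the machine directory. Suggest the two lines `/{run,var}/log/journal/@{hex32}/system{,@@{hex32}-@{hex16}-@{hex16}}.journal* r,` and `/{run,var}/log/journal/@{hex32}/user-@{uid}{,@@{hex32}-@{hex16}-@{hex16}}.journal* r,`. The added `capability dac_read_search,` and `capability sys_resource,` carry no comment saying which operation needs them; dac_read_search in particular lets the (root) process read and traverse every path the profile allows regardless of mode bits, so a short `# for ...` note on each is worth the line. Judging by the `include` and `capability net_admin` context this is a child profile rather than the main pacman profile named in the hunk header; its opening line is outside the hunk.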
@@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{user_projects_dirs}/**/ssh/{,*} r, - owner /tmp/ssh-*/ rw, - owner /tmp/ssh-*/agent.* rw, + owner @{tmp}/ssh-*/ rw, + owner @{tmp}/ssh-*/agent.* rw, owner @{run}/user/@{uid}/keyring/.ssh rw, owner @{run}/user/@{uid}/openssh_agent rw, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 39315e7c..ac9c4771 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -37,8 +37,8 @@ profile coredumpctl @{exec_path} flags=(complain) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, - owner /tmp/*.coredump w, - owner /tmp/core.* w, + owner @{tmp}/*.coredump w, + owner @{tmp}/core.* w, owner /var/tmp/coredump-* rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index e8659803..3793c838 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -39,10 +39,10 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, owner /{run,var}/log/journal/@{hex32}/fss wl -> /var/log/journal/@{hex32}/fss.tmp.*, owner /{run,var}/log/journal/@{hex32}/fss.tmp.* rw, owner /var/tmp/#@{int} rw, 
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 9c06aa64..95ce9f2e 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -40,7 +40,7 @@ profile systemd-analyze @{exec_path} { /etc/locale.conf r, /etc/systemd/** r, - owner /tmp/systemd-temporary-*/ rw, + owner @{tmp}/systemd-temporary-*/ rw, @{run}/systemd/generator/ r, @{run}/systemd/private rw, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 5490b0da..6ba2ee8e 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -35,7 +35,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { @{user_projects_dirs}/{,**} r, @{user_vm_dirs}/{,**} r, - owner /tmp/dissect-@{rand6}/{,**} rw, + owner @{tmp}/dissect-@{rand6}/{,**} rw, @{sys}/devices/virtual/block/loop@{int}/{,**} r, @{sys}/kernel/uevent_seqnum r, diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd/systemd-generator-gpt-auto index b1b9fbc9..5ae2b926 100644 --- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto @@ -20,6 +20,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { /boot/ r, /efi/ r, /etc/fstab r, + /usr/ r, @{run}/systemd/generator.late/**.{,auto}mount w, @{run}/systemd/generator.late/local-fs.target.wants/ w, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index b4efcdc5..d37284ec 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -32,6 +32,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/.#machine-info@{rand6} rw, /etc/machine-id r, /etc/machine-info rw, + /etc/os-release r, @{run}/systemd/default-hostname rw, @{run}/systemd/notify rw, 
diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index 6de9639c..bdb8825b 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -17,6 +17,8 @@ profile systemd-shutdown @{exec_path} { capability sys_ptrace, capability sys_resource, + mount options=(rw rprivate) -> /, + signal (send) set=(stop, cont, term, kill), signal (receive) set=(rtmin+23) peer=plymouthd, @@ -24,6 +26,7 @@ profile systemd-shutdown @{exec_path} { @{PROC}/ r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/sys/kernel/core_pattern w, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index ad3a2d56..662645f1 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -39,9 +39,9 @@ profile software-properties-dbus @{exec_path} { /usr/share/distro-info/*.csv r, /usr/share/xml/iso-codes/{,**} r, - owner /tmp/???????? rw, # unconventional '_' tail - owner /tmp/tmp????????/ w, # change to 'c' - owner /tmp/tmp????????/apt.conf w, + owner @{tmp}/???????? rw, # unconventional '_' tail + owner @{tmp}/tmp????????/ w, # change to 'c' + owner @{tmp}/tmp????????/apt.conf w, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index d1c8bcdd..7d965795 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -73,9 +73,9 @@ profile software-properties-gtk @{exec_path} { /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/ubuntu-advantage/status.json r, - owner /tmp/???????? rw, - owner /tmp/tmp????????/ rw, # change to 'c' - owner /tmp/tmp????????/apt.conf rw, + owner @{tmp}/???????? rw, + owner @{tmp}/tmp????????/ rw, # change to 'c' + owner @{tmp}/tmp????????/apt.conf rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index be70afcb..6307745c 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -53,9 +53,9 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, - owner /tmp/tmp[0-9a-z]*/apt.conf r, - owner /tmp/[0-9a-z]*{,/} rw, - owner /tmp/[0-9a-z]*/apt-helper-output rw, + owner @{tmp}/tmp[0-9a-z]*/apt.conf r, + owner @{tmp}/[0-9a-z]*{,/} rw, + owner @{tmp}/[0-9a-z]*/apt-helper-output rw, @{run}/ubuntu-advantage/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 54b347b3..0e1568e8 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -80,7 +80,7 @@ profile update-notifier @{exec_path} { owner @{run}/user/@{uid}/update-notifier.pid rwk, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index f52e19d4..c9898374 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -88,7 +88,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /tmp/cri-containerd.apparmor.d@{int} rwl, /tmp/ctd-volume@{int}/{,**} rw, - owner /tmp/** rwkl, + owner @{tmp}/** rwkl, owner /var/tmp/** rwkl, @{sys}/fs/cgroup/kubepods/** r, 
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index f8cc5b7f..145a095f 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -98,7 +98,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{run}/xtables.lock rwk, owner /var/tmp/** rwkl, - owner /tmp/** rwkl, + owner @{tmp}/** rwkl, owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/cpuset r, diff --git a/apparmor.d/groups/whonix/sdwdate-start b/apparmor.d/groups/whonix/sdwdate-start index 6f93ee27..bcca090f 100644 --- a/apparmor.d/groups/whonix/sdwdate-start +++ b/apparmor.d/groups/whonix/sdwdate-start @@ -20,7 +20,7 @@ profile sdwdate-start @{exec_path} { @{bin}/mkfifo rix, @{bin}/inotifywait rix, - owner /tmp/tmp.@{rand10} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/sdwdate/ rw, owner @{run}/sdwdate/status rw, diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser index b7672e06..cb63d603 100644 --- a/apparmor.d/groups/whonix/torbrowser +++ b/apparmor.d/groups/whonix/torbrowser @@ -64,6 +64,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { /etc/mailcap r, /etc/mime.types r, /etc/opensc.conf r, + /etc/opensc/opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, 
@@ -82,18 +83,18 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/user/@{uid}/ rw, - owner /tmp/user/@{uid}/* rwk, - owner /tmp/user/@{uid}/Temp-@{uuid}/ rw, - owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk, - owner /tmp/user/@{uid}/firefox/ rw, - owner /tmp/user/@{uid}/firefox/* rwk, - owner /tmp/@{name}/ rw, - owner /tmp/@{name}/* rwk, - owner /tmp/Temp-@{uuid}/ rw, - owner "/tmp/Tor Project*/" rw, - owner "/tmp/Tor Project*/**" rwk, - owner "/tmp/Tor Project*" rwk, + owner @{tmp}/ rw, + owner @{tmp}/* w, + owner @{tmp}/Temp-@{uuid}/ rw, + owner @{tmp}/Temp-@{uuid}/* rwk, + owner @{tmp}/firefox/ rw, + owner @{tmp}/firefox/* rwk, + owner @{tmp}/@{name}/ rw, + owner @{tmp}/@{name}/* rwk, + owner @{tmp}/Temp-@{uuid}/ rw, + owner "@{tmp}/Tor Project*/" rw, + owner "@{tmp}/Tor Project*/**" rwk, + owner "@{tmp}/Tor Project*" rwk, @{run}/mount/utab r, @@ -163,4 +164,4 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { deny @{PROC}/@{pid}/net/route r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/whonix/torbrowser-glxtest index eb0b24a7..7a7295bf 100644 --- a/apparmor.d/groups/whonix/torbrowser-glxtest +++ b/apparmor.d/groups/whonix/torbrowser-glxtest @@ -23,7 +23,7 @@ profile torbrowser-glxtest @{exec_path} { owner @{config_dirs}/.parentlock rw, - owner /tmp/@{name}/.parentlock rw, + owner @{tmp}/@{name}/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix index d9348805..4dc8e792 100644 --- a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix +++ b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix 
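Review bot: `owner @{tmp}/ rw,` and `owner @{tmp}/* w,` in the torbrowser hunk replace rules that were confined to `/tmp/user/@{uid}/`; wherever `@{tmp}` expands to plain `/tmp` (the xfce-session and torbrowser-wrapper hunks drop their separate `/tmp/user/@{uid}` lines, so `@{tmp}` appears to cover both cases) the browser may now write to, truncate or unlink every user-owned top-level entry in the shared `/tmp`, for example the `@{tmp}/xauth_@{rand6}` cookie files the xembedsniproxy and xsettingsd hunks of this commit read. As far as I know AppArmor checks creation against the new path itself rather than the parent directory, so `rw` on `@{tmp}/` is not needed to create the `Temp-@{uuid}/`, `firefox/` and `@{name}/` subtrees already listed; I would drop `owner @{tmp}/ rw,` and narrow `owner @{tmp}/* w,` to the file names Tor Browser actually creates directly in the temp directory, with a comment if they cannot yet be enumerated. `owner @{tmp}/Temp-@{uuid}/ rw,` also appears twice in the new block. The torbrowser profile block starts and ends outside the hunk.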
@@ -30,7 +30,7 @@ profile torbrowser-updater-permission-fix @{exec_path} { /var/cache/tb-binary/{,**} rw, - owner /tmp/user/@{uid}/tmp.@{rand10} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/whonix/torbrowser-vaapitest index 9217c5f6..5d284a93 100644 --- a/apparmor.d/groups/whonix/torbrowser-vaapitest +++ b/apparmor.d/groups/whonix/torbrowser-vaapitest @@ -21,7 +21,7 @@ profile torbrowser-vaapitest @{exec_path} { @{exec_path} mr, - owner /tmp/@{name}/.parentlock rw, + owner @{tmp}/@{name}/.parentlock rw, deny @{config_dirs}/.parentlock rw, deny @{config_dirs}/startupCache/** r, diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index b3d9f446..8847bba3 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -43,8 +43,7 @@ profile torbrowser-wrapper @{exec_path} { owner @{HOME}/.tb/{,**} rw, owner /var/cache/tb-binary/{,**} rw, - owner /tmp/tmp.@{rand10} rw, - owner /tmp/user/@{uid}/tmp.@{rand10} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/mount/utab r, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index b668553b..3a53fc06 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -38,7 +38,7 @@ profile thunar @{exec_path} { @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, - owner /tmp/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index eff39f18..705fb9aa 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session 
@@ -45,8 +45,7 @@ profile xfce-session @{exec_path} {
 /etc/xdg/autostart/ r,
 /etc/xdg/autostart/*.desktop r,
- owner /tmp/.xfsm-ICE-@{rand6} rw,
- owner /tmp/user/@{uid}/.xfsm-ICE-@{rand6} rw,
+ owner @{tmp}/.xfsm-ICE-@{rand6} rw,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index 2adeb97c..92d8d083 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
@@ -36,7 +36,7 @@ profile xfce-terminal @{exec_path} {
 owner @{user_config_dirs}/xfce4/terminal/{,**} r,
- owner /tmp/user/@{uid}/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify
index 51835f9d..f2e63b8c 100644
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@@ -33,8 +33,8 @@ profile aa-notify @{exec_path} {
 owner @{HOME}/.inputrc r,
 owner @{HOME}/.terminfo/@{int}/dumb r,
- owner /tmp/@{rand8} rw,
- owner /tmp/apparmor-bugreport-*.txt rw,
+ owner @{tmp}/@{rand8} rw,
+ owner @{tmp}/apparmor-bugreport-*.txt rw,
 @{PROC}/ r,
 @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb
index be97ad46..bbdc782a 100644
--- a/apparmor.d/profiles-a-f/adb
+++ b/apparmor.d/profiles-a-f/adb
@@ -24,7 +24,7 @@ profile adb @{exec_path} {
 /usr/share/scrcpy/scrcpy-server r,
- owner /tmp/adb.@{int}.log rw,
+ owner @{tmp}/adb.@{int}.log rw,
 owner @{HOME}/.android/ rw,
 owner @{HOME}/.android/adb.@{int} rw,
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron
index 22854ae2..d813c2d6 100644
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@@ -35,8 +35,8 @@ profile anacron @{exec_path} {
 /etc/cron.*/ r,
 /etc/cron.*/* rPUx,
- owner /tmp/#@{int} rw,
- owner /tmp/file@{rand6} rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/file@{rand6} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote
index b24b6c13..44a86240 100644
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@@ -61,8 +61,8 @@ profile anyremote @{exec_path} {
 @{bin}/mpv rPx,
 @{bin}/strawberry rPx,
- owner /tmp/amarok_covers/ rw,
- owner /tmp/*.png rw,
+ owner @{tmp}/amarok_covers/ rw,
+ owner @{tmp}/*.png rw,
 # For shell pwd
 owner @{HOME}/ r,
@@ -92,9 +92,9 @@ profile anyremote @{exec_path} {
 owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,
 /tmp/ r,
- owner /tmp/*.png rw,
- owner /tmp/amarok_covers/* rw,
- owner /tmp/magick-* rw,
+ owner @{tmp}/*.png rw,
+ owner @{tmp}/amarok_covers/* rw,
+ owner @{tmp}/magick-* rw,
 }
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index a38d04e7..ee442861 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -36,7 +36,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/snapd/apparmor/{,**} r,
 owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
- owner /tmp/cri-containerd.apparmor.d@{int} r,
+ owner @{tmp}/cri-containerd.apparmor.d@{int} r,
 @{sys}/kernel/security/apparmor/{,**} r,
 owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 03c56699..e280c705 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -52,9 +52,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
 owner @{user_cache_dirs}/appstream/ rw,
 owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
- owner /tmp/appstream-cache-*.mdb rw,
- owner /tmp/appstream/ rw,
- owner /tmp/appstream/appcache-*.mdb rw,
+ owner @{tmp}/appstream-cache-*.mdb rw,
+ owner @{tmp}/appstream/ rw,
+ owner @{tmp}/appstream/appcache-*.mdb rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index 9317d403..16d4fcad 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@@ -67,18 +67,18 @@ profile arduino @{exec_path} {
 owner @{HOME}/.Xauthority r,
 /tmp/ r,
- owner /tmp/cc*.{s,res,c,o,ld,le} rw,
- owner /tmp/hsperfdata_*/ rw,
- owner /tmp/hsperfdata_*/@{pid} rw,
- owner /tmp/untitled[0-9]*.tmp rw,
- owner /tmp/untitled[0-9]*.tmp/{,**} rw,
- owner /tmp/console[0-9]*.tmp rw,
- owner /tmp/console[0-9]*.tmp/{,**} rw,
- owner /tmp/build[0-9]*.tmp rw,
- owner /tmp/build[0-9]*.tmp/{,**} rw,
- owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
- owner /tmp/{library,package}_index.json*.tmp* rw,
- owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
+ owner @{tmp}/cc*.{s,res,c,o,ld,le} rw,
+ owner @{tmp}/hsperfdata_*/ rw,
+ owner @{tmp}/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/untitled[0-9]*.tmp rw,
+ owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/console[0-9]*.tmp rw,
+ owner @{tmp}/console[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/build[0-9]*.tmp rw,
+ owner @{tmp}/build[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/arduino_{build,cache}_[0-9]*/{,**} rw,
+ owner @{tmp}/{library,package}_index.json*.tmp* rw,
+ owner @{tmp}/arduino_modified_sketch_[0-9]*/{,**} rw,
 owner @{run}/lock/tmp* rw,
 owner @{run}/lock/LCK..ttyS[0-9]* rw,
diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder
index 129737f7..0eb54afe 100644
--- a/apparmor.d/profiles-a-f/arduino-builder
+++ b/apparmor.d/profiles-a-f/arduino-builder
@@ -42,10 +42,10 @@ profile arduino-builder @{exec_path} {
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 /tmp/ r,
- owner /tmp/cc* rw,
- owner /tmp/untitled[0-9]*.tmp/{,**} rw,
- owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
- owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
+ owner @{tmp}/cc* rw,
+ owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/arduino_{build,cache}_[0-9]*/{,**} rw,
+ owner @{tmp}/arduino_modified_sketch_[0-9]*/{,**} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags
index 144783ca..c97b0096 100644
--- a/apparmor.d/profiles-a-f/arduino-ctags
+++ b/apparmor.d/profiles-a-f/arduino-ctags
@@ -13,9 +13,9 @@ profile arduino-ctags @{exec_path} {
 @{exec_path} mr,
- owner /tmp/tags.* rw,
+ owner @{tmp}/tags.* rw,
- owner /tmp/arduino_build_@{int}/** r,
+ owner @{tmp}/arduino_build_@{int}/** r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index 97903a49..a1caf6bc 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -60,10 +60,10 @@ profile atril @{exec_path} {
 owner @{user_share_dirs}/ r,
- owner /tmp/gtkprint_* rw,
- owner /tmp/settings*.ini rw,
- owner /tmp/settings*.ini.* rw,
- owner /tmp/atril-@{pid}/{,**} rw,
+ owner @{tmp}/gtkprint_* rw,
+ owner @{tmp}/settings*.ini rw,
+ owner @{tmp}/settings*.ini.* rw,
+ owner @{tmp}/atril-@{pid}/{,**} rw,
 @{sys}/firmware/acpi/pm_profile r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
index 3c20ab27..f5a83b69 100644
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@@ -28,7 +28,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) {
 /etc/audit/audit.rules rw,
 /etc/audit/rules.d/{,*} r,
- owner /tmp/aurules.@{rand8} rw,
+ owner @{tmp}/aurules.@{rand8} rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index 929a98ef..972ee380 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -10,16 +10,11 @@ include
 @{exec_path} = @{bin}/birdtray
 profile birdtray @{exec_path} {
 include
- include
- include
- include
+ include
 include
- include
- include
- include
- include
- include
+ include
 include
+ include
 include
 network inet dgram,
@@ -28,20 +23,13 @@ profile birdtray @{exec_path} {
 @{exec_path} mr,
- # To be able to start Thunderbird
- @{bin}/thunderbird rPx,
-
- @{bin}/xdg-open rCx -> open,
+ @{bin}/thunderbird rPx,
+ @{open_path} rPx -> child-open,
 /usr/share/ulduzsoft/birdtray/{,**} r,
- owner @{user_config_dirs}/ulduzsoft/ rw,
- owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
-
- owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
- owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
-
- owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
 # Thunderbird mail dirs
 owner @{HOME}/ r,
@@ -51,47 +39,22 @@ profile birdtray @{exec_path} {
 owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/ r,
 owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r,
- /usr/share/hwdata/pnp.ids r,
+ owner @{user_config_dirs}/ulduzsoft/ rw,
+ owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
+
+ owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
+
+ owner @{tmp}/birdtray.ulduzsoft.single.instance.server.socket w,
 /dev/shm/#@{int} rw,
- deny @{PROC}/sys/kernel/random/boot_id r,
- deny owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
- /etc/fstab r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # file_inherit
 owner /dev/tty@{int} rw,
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- include if exists
- }
-
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 5d6e4301..9703dcb6 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
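Review bot: The link target in the re-added `owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,` hardcodes one developer's home directory, so the `l` permission can only match for that user; the commit moves this rule into the new block, which is the right moment to fix it. The two `birdtray-config.json` rules directly below already use the variable for their targets, so this one should read `owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*,`. The same literal target appears on the removed side of the previous hunk, so the problem is inherited rather than introduced here.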
@@ -64,12 +64,12 @@ profile borg @{exec_path} {
 owner @{user_config_dirs}/borg/** rw,
 # If /tmp/ isn't accessible, then /var/tmp/ is used.
- owner /tmp/* rw,
- owner /tmp/borg-cache-*/ rw,
- owner /tmp/borg-cache-*/* rw,
- owner /tmp/tmp*/ rw,
- owner /tmp/tmp*/file rw,
- owner /tmp/tmp*/idx rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/borg-cache-*/ rw,
+ owner @{tmp}/borg-cache-*/* rw,
+ owner @{tmp}/tmp*/ rw,
+ owner @{tmp}/tmp*/file rw,
+ owner @{tmp}/tmp*/idx rw,
 owner /var/lib/libuuid/clock.txt w,
 owner /var/tmp/* rw,
 owner /var/tmp/tmp*/ rw,
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index 33f07a98..e616a941 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -23,7 +23,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r,
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r,
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
- owner /tmp/mozilla-temp-@{int} r,
+ owner @{tmp}/mozilla-temp-@{int} r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index f67c3738..cb651e1c 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -37,7 +37,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
 owner @{user_img_dirs}/{,**} rwk,
 # For fsck of the btrfs filesystem directly from gparted
- owner /tmp/gparted-*/ rw,
+ owner @{tmp}/gparted-*/ rw,
 @{run}/blkid/blkid.tab{,-@{rand6}} rw,
 @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status
index 89a2ca71..e6c6a2e0 100644
--- a/apparmor.d/profiles-a-f/check-support-status
+++ b/apparmor.d/profiles-a-f/check-support-status
@@ -55,7 +55,7 @@ profile check-support-status @{exec_path} {
 owner @{HOME}/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.*/{,**} rw,
+ owner @{tmp}/debian-security-support.*/{,**} rw,
 /tmp/debian-security-support.postinst.*/output w,
 /var/lib/debian-security-support/ r,
@@ -73,7 +73,7 @@ profile check-support-status @{exec_path} {
 @{bin}/debconf-escape r,
 @{bin}/perl r,
- owner /tmp/debian-security-support.postinst.*/output r,
+ owner @{tmp}/debian-security-support.postinst.*/output r,
 }
diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook
index d2fb1f4c..d10245d4 100644
--- a/apparmor.d/profiles-a-f/check-support-status-hook
+++ b/apparmor.d/profiles-a-f/check-support-status-hook
@@ -40,8 +40,8 @@ profile check-support-status-hook @{exec_path} {
 /root/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/ rw,
- owner /tmp/debian-security-support.postinst.*/output rw,
+ owner @{tmp}/debian-security-support.postinst.*/ rw,
+ owner @{tmp}/debian-security-support.postinst.*/output rw,
 /var/lib/ r,
 /var/lib/debian-security-support/ r,
@@ -56,7 +56,7 @@ profile check-support-status-hook @{exec_path} {
 @{bin}/perl r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/output r,
+ owner @{tmp}/debian-security-support.postinst.*/output r,
 }
@@ -123,7 +123,7 @@ profile check-support-status-hook @{exec_path} {
 @{etc_ro}/security/limits.d/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/output w,
+ owner @{tmp}/debian-security-support.postinst.*/output w,
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail
index ad8da5cc..885d1602 100644
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
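Review bot: After this hunk the profile addresses the same temp-directory family by two different roots: the new `owner @{tmp}/debian-security-support.*/{,**} rw,` and, on the untouched context line right below it, `/tmp/debian-security-support.postinst.*/output w,`. If `@{tmp}` expands to a per-user directory in addition to `/tmp` (the xfce-session hunk folds both forms into a single `@{tmp}` rule, which suggests it does), the `output w` rule will not cover the per-user location even though the hook's hunks at -56 and -123 now read and write that same file under `@{tmp}`. For consistency the context line should become `/tmp/` → `@{tmp}/debian-security-support.postinst.*/output w,`, unless leaving it un-owned and on `/tmp` only is deliberate. The enclosing profile continues outside the hunk.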
@@ -48,9 +48,9 @@ profile claws-mail @{exec_path} flags=(complain) {
 owner @{user_mail_dirs}/ rw,
 owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
- owner /tmp/claws-mail-@{int}/ rw,
- owner /tmp/claws-mail-@{int}/@{hex} rw,
- owner /tmp/claws-mail-@{int}/@{hex}.lock rwk,
+ owner @{tmp}/claws-mail-@{int}/ rw,
+ owner @{tmp}/claws-mail-@{int}/@{hex} rw,
+ owner @{tmp}/claws-mail-@{int}/@{hex}.lock rwk,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
index 793bb8ea..8dcd847d 100644
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@@ -65,9 +65,9 @@ profile code flags=(attach_disconnected) {
 owner @{user_projects_dirs}/ r,
 owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
- owner /tmp/@{uuid} rw,
- owner /tmp/vscode-*/{,**} rw,
- owner /tmp/vscode-ipc-@{uuid}.sock rw,
+ owner @{tmp}/@{uuid} rw,
+ owner @{tmp}/vscode-*/{,**} rw,
+ owner @{tmp}/vscode-ipc-@{uuid}.sock rw,
 owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
 owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,
diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass
index a55b03a5..8b419658 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-askpass
+++ b/apparmor.d/profiles-a-f/code-extension-git-askpass
@@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} {
 /usr/share/terminfo/** r,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/tmp.* rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky
index 2437212b..fa71598f 100644
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@@ -141,7 +141,7 @@ profile conky @{exec_path} {
 @{PROC}/@{pid}/net/route r,
- owner /tmp/xauth-@{int}-_[0-9] r,
+ owner @{tmp}/xauth-@{int}-_[0-9] r,
 /usr/share/X11/XErrorDB r,
diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid
index 3ca866a6..3c4f797e 100644
--- a/apparmor.d/profiles-a-f/cpuid
+++ b/apparmor.d/profiles-a-f/cpuid
@@ -17,7 +17,7 @@ profile cpuid @{exec_path} {
 /dev/cpu/@{int}/cpuid r,
- owner /tmp/cpuid* rw,
+ owner @{tmp}/cpuid* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb
index c7beb7cc..ec059f65 100644
--- a/apparmor.d/profiles-a-f/cups-backend-usb
+++ b/apparmor.d/profiles-a-f/cups-backend-usb
@@ -11,6 +11,8 @@ profile cups-backend-usb @{exec_path} {
 include
 include
+ capability net_admin,
+
 network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index 0c21ef9e..04ede210 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -19,7 +19,7 @@ profile cups-notifier-dbus @{exec_path} {
 /etc/cups/client.conf r,
- owner /tmp/cups-dbus-notifier-lockfile rwk,
+ owner @{tmp}/cups-dbus-notifier-lockfile rwk,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
index 8bbc4e5d..e71c37fe 100644
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} {
 /etc/cups/ppd/*.ppd r,
- owner /tmp/[a-z0-9]* rw,
+ owner @{tmp}/[a-z0-9]* rw,
 @{run}/cups/cups.sock rw,
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
index 785428b6..13bcc3b8 100644
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@@ -94,7 +94,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
- owner /tmp/*_latest_print_info w,
+ owner @{tmp}/*_latest_print_info w,
 /dev/tty rw,
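Review bot: `capability net_admin,` in the cups-backend-usb hunk is a broad grant for a USB print backend, and nothing in the hunk records which operation required it. A trailing comment naming the denial it resolves would keep the grant reviewable later, along the lines of `capability net_admin, # needed for: <operation from the audit log, placeholder>`; if it turns out to belong with the adjacent `network netlink raw,` socket, saying so also tells the next reader that the two rules go together. The enclosing profile continues outside the hunk.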
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop
index 5d6aa5ce..1f554c4c 100644
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@@ -48,10 +48,10 @@ profile deltachat-desktop @{exec_path} {
 owner @{user_config_dirs}/DeltaChat/ rw,
 owner @{user_config_dirs}/DeltaChat/** rwk,
- owner /tmp/@{hex}/ rw,
- owner /tmp/@{hex}/db.sqlite-blobs/ rw,
- owner /tmp/@{hex}/db.sqlite rwk,
- owner /tmp/@{hex}/db.sqlite-journal rw,
+ owner @{tmp}/@{hex}/ rw,
+ owner @{tmp}/@{hex}/db.sqlite-blobs/ rw,
+ owner @{tmp}/@{hex}/db.sqlite rwk,
+ owner @{tmp}/@{hex}/db.sqlite-journal rw,
 @{PROC}/ r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script
index 418caf38..45faf18a 100644
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@@ -56,8 +56,8 @@ profile dhclient-script @{exec_path} {
 /var/lib/dhcp/dhclient.leases r,
 /var/lib/samba/dhcp.conf{,.new} rw,
- owner /tmp/dhclient-script.debug rw,
- owner /tmp/variables.txt w,
+ owner @{tmp}/dhclient-script.debug rw,
+ owner @{tmp}/variables.txt w,
 @{run}/chrony-dhcp/ rw,
 @{run}/systemd/netif/leases/ r,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 0e9d3aec..8ca83930 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -85,11 +85,11 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/ r,
- owner /tmp/* rw,
- owner /tmp/cc* rw,
- owner /tmp/dkms.*/ rw,
- owner /tmp/sh-thd.* rw,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/cc* rw,
+ owner @{tmp}/dkms.*/ rw,
+ owner @{tmp}/sh-thd.* rw,
+ owner @{tmp}/tmp.* rw,
 @{PROC}/sys/kernel/osrelease r,
 owner @{PROC}/@{pid}/fd/ r,
@@ -109,7 +109,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 owner /boot/System.map-* r,
- owner /tmp/tmp.* r,
+ owner @{tmp}/tmp.* r,
 @{sys}/module/compression r,
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate
index 5fc06387..95ed3f08 100644
--- a/apparmor.d/profiles-a-f/dlocate
+++ b/apparmor.d/profiles-a-f/dlocate
@@ -42,7 +42,7 @@ profile dlocate @{exec_path} {
 /var/lib/dpkg/info/*.conffiles r,
 /var/lib/dpkg/info/*.md5sums r,
- owner /tmp/sh-thd.* rw,
+ owner @{tmp}/sh-thd.* rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/fd/2 w,
diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode
index fd0fc8e5..d2200c25 100644
--- a/apparmor.d/profiles-a-f/dmidecode
+++ b/apparmor.d/profiles-a-f/dmidecode
@@ -14,7 +14,7 @@ profile dmidecode @{exec_path} {
 @{exec_path} mr,
- owner /tmp/dump.bin rw,
+ owner @{tmp}/dump.bin rw,
 @{sys}/firmware/dmi/tables/DMI r,
 @{sys}/firmware/dmi/tables/smbios_entry_point r,
diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper
index 1be45ad5..af3bc6f9 100644
--- a/apparmor.d/profiles-a-f/downloadhelper
+++ b/apparmor.d/profiles-a-f/downloadhelper
@@ -33,7 +33,7 @@ profile downloadhelper @{exec_path} {
 owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
 owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google@{int}/goog-phish-proto-@{int}.vlpset rw,
- owner /tmp/vdh-*.tmp rw,
+ owner @{tmp}/vdh-*.tmp rw,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap
index f88ff780..7013ff53 100644
--- a/apparmor.d/profiles-a-f/dumpcap
+++ b/apparmor.d/profiles-a-f/dumpcap
@@ -44,8 +44,8 @@ profile dumpcap @{exec_path} {
 /dev/ r,
 # Traffic log files
- owner /tmp/wireshark_*.pcapng rw,
- owner /tmp/*.pcap rw,
+ owner @{tmp}/wireshark_*.pcapng rw,
+ owner @{tmp}/*.pcap rw,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index 5c73da5b..d76f5c1d 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@@ -76,7 +76,7 @@ profile engrampa @{exec_path} {
 owner @{user_share_dirs}/ r,
 /tmp/ r,
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper
index e4b25735..f96fe8f3 100644
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@@ -57,7 +57,7 @@ profile etckeeper @{exec_path} {
 owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
- owner /tmp/etckeeper-git* rw,
+ owner @{tmp}/etckeeper-git* rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index fdaf80dc..266a7566 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -52,9 +52,9 @@ profile evince @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_config_dirs}/evince/{,*} rw,
- owner /tmp/*.pdf r,
- owner /tmp/evince-*/{,**} rw,
- owner /tmp/gtkprint* rw,
+ owner @{tmp}/*.pdf r,
+ owner @{tmp}/evince-*/{,**} rw,
+ owner @{tmp}/gtkprint* rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer
index ce85624f..6faf3009 100644
--- a/apparmor.d/profiles-a-f/evince-thumbnailer
+++ b/apparmor.d/profiles-a-f/evince-thumbnailer
@@ -15,8 +15,8 @@ profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /usr/share/poppler/{,**} r,
- owner /tmp/gnome-desktop-file-to-thumbnail.pdf r,
- owner /tmp/gnome-desktop-thumbnailer.png w,
+ owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r,
+ owner @{tmp}/gnome-desktop-thumbnailer.png w,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg
index 6f331f2a..3bc1fecf 100644
--- a/apparmor.d/profiles-a-f/ffmpeg
+++ b/apparmor.d/profiles-a-f/ffmpeg
@@ -32,8 +32,8 @@ profile ffmpeg @{exec_path} {
 owner @{user_music_dirs}/** rw,
 owner @{user_videos_dirs}/** rw,
- owner /tmp/*.{png,jpg} rw, # To generate thumbnails in some apps
- owner /tmp/vidcutter/** rw, # TMP files for apps using ffmpeg
+ owner @{tmp}/*.{png,jpg} rw, # To generate thumbnails in some apps
+ owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]/meminfo r,
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
index 29d56b63..81b60a20 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@@ -70,7 +70,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 /tmp/#@{int} rw,
 owner /dev/shm/flatpak*/{,**} rw,
- owner /tmp/ostree-gpg-*/{,**} rw,
+ owner @{tmp}/ostree-gpg-*/{,**} rw,
 @{run}/.userns r,
 @{run}/user/@{uid}/.dbus-proxy/ w,
@@ -107,8 +107,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
- owner /tmp/ostree-gpg-*/ rw,
- owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-*/ rw,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal
index 38941785..d82c3865 100644
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/profiles-a-f/flatpak-portal
@@ -29,6 +29,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
+ /var/lib/flatpak/exports/share/mime/mime.cache r,
+
 / r,
 /.flatpak-info r,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 5bf664b8..cb49cd9d 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
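Review bot: In flatpak's `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,` the source path was switched to `@{tmp}` but the link target is still a literal `/tmp/`, so whenever `@{tmp}` expands to something other than `/tmp` (the xfce-session hunk folds `/tmp/...` and `/tmp/user/@{uid}/...` into one `@{tmp}` rule, which suggests it does) the `l` permission no longer matches and hard links inside that temp dir are denied. The target should use the same variable as the source: `owner @{tmp}/ostree-gpg-*/** rwkl -> @{tmp}/ostree-gpg-*/**,`. The same mismatch is present in both flatpak-system-helper hunks and in git's `-> /tmp/**`, `-> /tmp/tmp*/**` and `-> /tmp/git@*:@{int}.*` targets in the hunks that follow, and the fix is the same in each.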
@@ -45,7 +45,7 @@ profile flatpak-system-helper @{exec_path} {
 owner /{var/,}tmp/#@{int} rw,
 owner /{var/,}tmp/ostree-gpg-*/ rw,
- owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
@@ -62,8 +62,8 @@ profile flatpak-system-helper @{exec_path} {
 @{lib}/{,gnupg/}scdaemon rix,
 @{bin}/gpg-agent rix,
- owner /tmp/ostree-gpg-*/ r,
- owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-*/ r,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend
index fa376f98..664b43b4 100644
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@@ -74,7 +74,7 @@ profile frontend @{exec_path} flags=(complain) {
 /etc/inputrc r,
 /etc/shadow r,
- owner /tmp/file* w,
+ owner @{tmp}/file* w,
 owner /var/cache/debconf/* rwk,
 @{HOME}/.Xauthority r,
@@ -119,7 +119,7 @@ profile frontend @{exec_path} flags=(complain) {
 @{run}/ r,
 @{run}/** rw,
 /tmp/ r,
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 }
diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim
index 048fcbcf..361f6c7c 100644
--- a/apparmor.d/profiles-g-l/gajim
+++ b/apparmor.d/profiles-g-l/gajim
@@ -82,7 +82,7 @@ profile gajim @{exec_path} {
 # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
 /var/tmp/ r,
 /tmp/ r,
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 # Silencer
 deny /usr/share/gajim/** w,
@@ -100,8 +100,8 @@ profile gajim @{exec_path} {
 @{bin}/{,@{multiarch}-}ld.bfd rix,
 @{lib}/gcc/@{multiarch}/@{int}/collect2 rix,
- owner /tmp/cc* rw,
- owner /tmp/tmp* rw,
+ owner @{tmp}/cc* rw,
+ owner @{tmp}/tmp* rw,
 /media/ccache/*/** rw,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index a0641dbc..58459416 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -89,21 +89,21 @@ profile git @{exec_path} {
 owner @{user_cache_dirs}/*/ rw,
 owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
- owner /tmp/** rwkl -> /tmp/**,
- owner /tmp/**/bin/* rCx -> exec,
+ owner @{tmp}/** rwkl -> /tmp/**,
+ owner @{tmp}/**/bin/* rCx -> exec,
 owner @{HOME}/.gitconfig* rw,
 owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
- owner /tmp/git-difftool.*/ rw, # For diffs
- owner /tmp/git-difftool.*/right/{,**} rw,
- owner /tmp/git-difftool.*/left/{,**} rw,
- owner /tmp/* rw,
- owner /tmp/tmp*/ rw, # For TWRP-device-tree-generator
- owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**,
- owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
- owner /tmp/git-commit-msg-.txt rw, # For android studio
+ owner @{tmp}/git-difftool.*/ rw, # For diffs
+ owner @{tmp}/git-difftool.*/right/{,**} rw,
+ owner @{tmp}/git-difftool.*/left/{,**} rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/tmp*/ rw, # For TWRP-device-tree-generator
+ owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**,
+ owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
+ owner @{tmp}/git-commit-msg-.txt rw, # For android studio
 deny @{user_share_dirs}/gvfs-metadata/* r,
 deny /dev/shm/.org.chromium.Chromium* rw,
@@ -119,7 +119,7 @@ profile git @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner /tmp/.git_vtag_tmp@{rand6} r,
+ owner @{tmp}/.git_vtag_tmp@{rand6} r,
 deny @{user_share_dirs}/gvfs-metadata/* r,
@@ -145,8 +145,8 @@ profile git @{exec_path} {
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
- owner /tmp/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
- owner /tmp/ssh-*/agent.@{int} rw,
+ owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
+ owner @{tmp}/ssh-*/agent.@{int} rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa
index 5f3fbdb0..566bd781 100644
--- a/apparmor.d/profiles-g-l/gpa
+++ b/apparmor.d/profiles-g-l/gpa
@@ -43,7 +43,7 @@ profile gpa @{exec_path} {
 # Files to verify
 owner /**.tar.gz r,
- owner /tmp/xauth-@{int}-_[0-9] r,
+ owner @{tmp}/xauth-@{int}-_[0-9] r,
 # External apps
 @{lib}/firefox/firefox rPUx,
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index 04cb2849..ede60499 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -72,7 +72,7 @@ profile gpartedbin @{exec_path} {
 @{HOME}/.Xauthority r,
 owner @{HOME}/*.htm w,
- owner /tmp/gparted-*/ rw,
+ owner @{tmp}/gparted-*/ rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups
index 79ec2587..625632e7 100644
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@@ -11,14 +11,10 @@ include
 profile groups @{exec_path} {
 include
 include
+ include
 @{exec_path} mr,
- /etc/group r,
- /etc/nsswitch.conf r,
-
- @{run}/systemd/userdb r,
-
 @{PROC}/sys/kernel/random/boot_id r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache
index 6a1a8dd5..917332e3 100644
--- a/apparmor.d/profiles-g-l/gtk-update-icon-cache
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@@ -14,13 +14,9 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /usr/share/icons/** r,
- /usr/share/icons/**/.icon-theme.cache rw,
- /usr/share/icons/**/icon-theme.cache rw,
-
- /var/lib/flatpak/exports/share/icons/{,**/} r,
- /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw,
- /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w,
+ @{system_share_dirs}/icons/{,**/} r,
+ @{system_share_dirs}/icons/**/.icon-theme.cache rw,
+ @{system_share_dirs}/icons/**/icon-theme.cache w,
 owner @{user_share_dirs}/** r,
 owner @{user_share_dirs}/**/.icon-theme.cache rw,
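Review bot: In the gtk-update-icon-cache hunk, `@{system_share_dirs}/icons/{,**/} r,` matches only the icons directory and its subdirectories (note the trailing slash), whereas the removed `/usr/share/icons/** r,` also matched the icon files themselves; unless reads of those files are covered by an include elsewhere in the profile, rebuilding a cache under the `/usr/share` root would now be denied read access to the icons it indexes. If the intent was to merge the two roots without narrowing either, `@{system_share_dirs}/icons/{,**} r,` keeps the old coverage for both. The `icon-theme.cache` permission going from `rw` to `w` for the `/usr/share` root is a deliberate part of this change and is not re-raised here. The enclosing profile continues outside the hunk.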
diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo
index 807c703d..8e727c75 100644
--- a/apparmor.d/profiles-g-l/hardinfo
+++ b/apparmor.d/profiles-g-l/hardinfo
@@ -109,7 +109,7 @@ profile hardinfo @{exec_path} {
 owner @{HOME}/.hardinfo/ rw,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 # Allowed apps to open
 @{lib}/firefox/firefox rPUx,
@@ -154,8 +154,8 @@ profile hardinfo @{exec_path} {
 @{sys}/fs/cgroup/{,**} r,
- owner /tmp/hsperfdata_*/ rw,
- owner /tmp/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/hsperfdata_*/ rw,
+ owner @{tmp}/hsperfdata_*/@{pid} rw,
 }
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index 78fc78f9..b3222265 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -37,8 +37,8 @@ profile hugo @{exec_path} {
 owner @{user_cache_dirs}/hugo_cache/{,**} rwkl,
- owner /tmp/hugo_cache/{,**} rwkl,
- owner /tmp/go-codehost-@{int} rw,
+ owner @{tmp}/hugo_cache/{,**} rwkl,
+ owner @{tmp}/go-codehost-@{int} rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index 2aa80f90..8c179e0d 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -91,8 +91,8 @@ profile hw-probe @{exec_path} {
 owner /root/HW_PROBE/{,**} rw,
- owner /tmp/*/ rw,
- owner /tmp/*/cpu_perf rw,
+ owner @{tmp}/*/ rw,
+ owner @{tmp}/*/cpu_perf rw,
 @{sys}/class/drm/ r,
 @{sys}/class/power_supply/ r,
diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo
index 599f8939..277ce6e7 100644
--- a/apparmor.d/profiles-g-l/hwinfo
+++ b/apparmor.d/profiles-g-l/hwinfo
@@ -71,7 +71,7 @@ profile hwinfo @{exec_path} {
 /var/lib/hardware/udi/ r,
 # For a log file
- owner /tmp/hwinfo*.txt rw,
+ owner @{tmp}/hwinfo*.txt rw,
 profile kmod {
@@ -85,7 +85,7 @@ profile hwinfo @{exec_path} {
 # file_inherit
 /dev/ttyS@{int} r,
- owner /tmp/hwinfo*.txt rw,
+ owner @{tmp}/hwinfo*.txt rw,
 @{sys}/devices/@{pci}/drm/card@{int}/ r,
 }
@@ -107,7 +107,7 @@ profile hwinfo @{exec_path} {
 @{run}/udev/data/* r,
 # file_inherit
- owner /tmp/hwinfo*.txt rw,
+ owner @{tmp}/hwinfo*.txt rw,
 }
diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock
index a594c62c..4d3600a7 100644
--- a/apparmor.d/profiles-g-l/i3lock
+++ b/apparmor.d/profiles-g-l/i3lock
@@ -29,7 +29,7 @@ profile i3lock @{exec_path} {
 owner @{HOME}/*/*.png r,
 # When using also i3lock-fancy.
- owner /tmp/tmp.*.png r,
+ owner @{tmp}/tmp.*.png r,
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy
index 1fdb6433..f0e0f35f 100644
--- a/apparmor.d/profiles-g-l/i3lock-fancy
+++ b/apparmor.d/profiles-g-l/i3lock-fancy
@@ -36,9 +36,9 @@ profile i3lock-fancy @{exec_path} {
 /usr/share/i3lock-fancy/{,*} r,
- owner /tmp/tmp.*.png rw,
- owner /tmp/tmp.* rw,
- owner /tmp/sh-thd.* rw,
+ owner @{tmp}/tmp.*.png rw,
+ owner @{tmp}/tmp.* rw,
+ owner @{tmp}/sh-thd.* rw,
 # file_inherit
 owner /dev/tty@{int} rw,
@@ -62,7 +62,7 @@ profile i3lock-fancy @{exec_path} {
 # For gray scale (doesn't seem to be required). It produces files like /home/*/PIHFhJ .
 deny owner @{HOME}/* rw,
- owner /tmp/tmp.*.png rw,
+ owner @{tmp}/tmp.*.png rw,
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader
index fa98950e..e65add8e 100644
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@@ -61,16 +61,16 @@ profile jdownloader @{exec_path} {
 owner @{HOME}/.install4j rw,
- owner /tmp/hsperfdata_*/ rw,
- owner /tmp/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/hsperfdata_*/ rw,
+ owner @{tmp}/hsperfdata_*/@{pid} rw,
 # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead
- owner /tmp/SevenZipJBinding-*/ rw,
- owner /tmp/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
+ owner @{tmp}/SevenZipJBinding-*/ rw,
+ owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
 # For auto updates
- owner /tmp/lastChanceSrc@{int}lch rw,
- owner /tmp/lastChanceDst@{int}.jar rw,
- owner /tmp/i4j_log_jd2_@{int}.log rw,
- owner /tmp/install4jError@{int}.log rw,
+ owner @{tmp}/lastChanceSrc@{int}lch rw,
+ owner @{tmp}/lastChanceDst@{int}.jar rw,
+ owner @{tmp}/i4j_log_jd2_@{int}.log rw,
+ owner @{tmp}/install4jError@{int}.log rw,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs
index 68330c96..a90c7de8 100644
--- a/apparmor.d/profiles-g-l/jmtpfs
+++ b/apparmor.d/profiles-g-l/jmtpfs
@@ -18,8 +18,8 @@ profile jmtpfs @{exec_path} {
 @{bin}/fusermount{,3} rCx -> fusermount,
- owner /tmp/tmp* rw,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/tmp* rw,
+ owner @{tmp}/#@{int} rw,
 # Mount points
 owner @{HOME}/*/ r,
diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote
index cf6503be..b9f22923 100644
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@@ -101,6 +101,7 @@ profile kanyremote @{exec_path} {
 /usr/share/anyremote/{,**} r,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index f07cc0ad..aeb155df 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@@ -42,8 +42,6 @@ profile keepassxc @{exec_path} {
 /usr/share/keepassxc/{,**} r,
 /etc/fstab r,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
 owner @{HOME}/ r,
 owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
@@ -68,14 +66,14 @@ profile keepassxc @{exec_path} {
 owner @{user_share_dirs}/keepassxc/ rw,
 owner @{user_share_dirs}/keepassxc/* rwkl -> @{user_share_dirs}/keepassxc/#@{int},
- owner /tmp/.[a-zA-Z]*/{,s} rw,
- owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
- owner /tmp/*.*.settings rwl -> /tmp/#@{int},
- owner /tmp/#@{int} rw,
- owner /tmp/keepassxc-*.lock{,.rmlock} rwk,
- owner /tmp/keepassxc-*.socket rw,
- owner /tmp/keepassxc.lock rw,
- owner /tmp/keepassxc.socket rw,
+ owner @{tmp}/.[a-zA-Z]*/{,s} rw,
+ owner @{tmp}/*.*.gpgkey rwl -> /tmp/#@{int},
+ owner @{tmp}/*.*.settings rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/keepassxc-*.lock{,.rmlock} rwk,
+ owner @{tmp}/keepassxc-*.socket rw,
+ owner @{tmp}/keepassxc.lock rw,
+ owner @{tmp}/keepassxc.socket rw,
 owner @{run}/user/@{pid}/app/ w,
 owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install
index ca70784b..e7e8cc8f 100644
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@@ -33,7 +33,7 @@ profile kernel-install @{exec_path} {
 /etc/kernel/install.d/ r,
 /etc/kernel/install.d/*.install rix,
- owner /tmp/sh-thd.* rw,
+ owner @{tmp}/sh-thd.* rw,
 owner /boot/{vmlinuz,initrd.img}-* r,
 owner /boot/[a-f0-9]*/*/ rw,
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 5872ac5d..0ae2ba62 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
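Review bot: The link targets in the keepassxc hunk were left as a literal `/tmp/#@{int}` while the sources moved to `@{tmp}` (`owner @{tmp}/*.*.gpgkey rwl -> /tmp/#@{int},` and the `.settings` line beneath it). If `@{tmp}` expands to a per-user directory rather than plain `/tmp`, the temporary file and its anonymous link target end up in different directories, so the link half of the rule never matches and that write path is denied under a pam-tmpdir style setup. Using the variable on both sides, `owner @{tmp}/*.*.gpgkey rwl -> @{tmp}/#@{int},`, keeps the rule self-consistent. The same pattern appears in the mkvtoolnix-gui, psi, psi-plus, qbittorrent and qbittorrent-nox hunks (`-> /tmp/.qBittorrent/*` in the last two).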
@@ -47,11 +47,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 owner /var/tmp/dracut.*/{,**} rw,
 owner /boot/System.map-* r,
- owner /tmp/mkinitcpio.*/{,**} rw,
+ owner @{tmp}/mkinitcpio.*/{,**} rw,
 # For local kernel build
- owner /tmp/depmod.*/lib/modules/*/ r,
- owner /tmp/depmod.*/lib/modules/*/modules.* rw,
+ owner @{tmp}/depmod.*/lib/modules/*/ r,
+ owner @{tmp}/depmod.*/lib/modules/*/modules.* rw,
 owner @{user_build_dirs}/**/System.map r,
 owner @{user_build_dirs}/**/lib/modules/*/ r,
 owner @{user_build_dirs}/**/lib/modules/*/modules.* rw,
diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid
index 047faa5a..384fda9e 100644
--- a/apparmor.d/profiles-g-l/linssid
+++ b/apparmor.d/profiles-g-l/linssid
@@ -62,8 +62,8 @@ profile linssid @{exec_path} {
 owner @{PROC}/@{pid}/net/wireless r,
 owner @{PROC}/@{pid}/cmdline r,
- owner /tmp/runtime-root/ rw,
- owner /tmp/linssid_* rw,
+ owner @{tmp}/runtime-root/ rw,
+ owner @{tmp}/linssid_* rw,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
@@ -88,7 +88,7 @@ profile linssid @{exec_path} {
 # file_inherit
 owner @{HOME}/.linssid.prefs rw,
 owner @{HOME}/LinSSID.datalog rw,
- owner /tmp/linssid_* rw,
+ owner @{tmp}/linssid_* rw,
 owner /dev/dri/card@{int} rw,
 }
diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal
index 5640cb43..a6fd4d8e 100644
--- a/apparmor.d/profiles-g-l/linux-check-removal
+++ b/apparmor.d/profiles-g-l/linux-check-removal
@@ -38,7 +38,7 @@ profile linux-check-removal @{exec_path} flags=(complain) {
 # The following is needed when debconf uses dialog/whiptail frontend.
 @{bin}/whiptail rPx,
- owner /tmp/file* w,
+ owner @{tmp}/file* w,
 /usr/share/debconf/confmodule r,
diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx
index 6026b822..a9b3691d 100644
--- a/apparmor.d/profiles-g-l/lynx
+++ b/apparmor.d/profiles-g-l/lynx
@@ -30,8 +30,8 @@ profile lynx @{exec_path} {
 @{sh_path} rix,
 /etc/mailcap r,
- owner /tmp/lynxXXXX*/ rw,
- owner /tmp/lynxXXXX*/*TMP.html{,.gz} rw,
+ owner @{tmp}/lynxXXXX*/ rw,
+ owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw,
 owner @{HOME}/ r,
diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man
index e2f048bd..c85b5e1d 100644
--- a/apparmor.d/profiles-m-r/man
+++ b/apparmor.d/profiles-m-r/man
@@ -80,7 +80,7 @@ profile man_groff {
 /etc/papersize r,
 /tmp/groff* rw,
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync
index 35754db8..8f30c0c8 100644
--- a/apparmor.d/profiles-m-r/megasync
+++ b/apparmor.d/profiles-m-r/megasync
@@ -11,19 +11,14 @@ include
 profile megasync @{exec_path} {
 include
 include
- include
- include
- include
- include
+ include
 include
- include
- include
+ include
 include
- include
 include
 include
- include
 include
+ include
 network inet dgram,
 network inet6 dgram,
@@ -40,71 +35,29 @@ profile megasync @{exec_path} { @{bin}/xrdb rPx, @{bin}/xdg-mime rPx, - @{bin}/xdg-open rCx -> open, - - # Megasync home files - owner @{HOME}/ r, - owner "@{user_share_dirs}/data/Mega Limited/" rw, - owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}", - - owner @{user_config_dirs}/QtProject.conf r, - - # Sync folder - owner @{user_sync_dirs}/ r, - owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, - - # Proc filesystem - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - - /etc/fstab r, - - # Autostart - owner @{user_config_dirs}/autostart/#@{int} rw, - owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int}, - - /dev/shm/#@{int} rw, + @{open_path} rPx -> child-open, /etc/machine-id r, /var/lib/dbus/machine-id r, - /usr/share/hwdata/pnp.ids r, + owner @{HOME}/ r, - # Allowed apps to open - @{lib}/firefox/firefox rPx, - @{bin}/spacefm rPx, + owner @{user_config_dirs}/autostart/#@{int} rw, + owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int}, - # file_inherit + owner "@{user_share_dirs}/data/Mega Limited/" rw, + owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}", + + owner @{user_sync_dirs}/ r, + owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/" r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - 
@{lib}/firefox/firefox rPx, - @{bin}/spacefm rPx, - - # file_inherit - owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw, - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index 52bceb44..6cd06a01 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -49,8 +49,8 @@ profile merkaartor @{exec_path} { deny owner @{PROC}/@{pid}/cmdline r, - owner /tmp/qtsingleapp-merkaa-* rw, - owner /tmp/qtsingleapp-merkaa-*-lockfile rwk, + owner @{tmp}/qtsingleapp-merkaa-* rw, + owner @{tmp}/qtsingleapp-merkaa-*-lockfile rwk, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 1c6bc72a..e8e07ef4 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -10,18 +10,14 @@ include @{exec_path} = @{bin}/minitube profile minitube @{exec_path} { include - include - include - include - include - include - include - include include + include + include + include + include include - include - include include + include include include 
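Review bot: The megasync hunk silently flips two explicit deny rules into allow rules: `deny owner @{PROC}/@{pid}/cmdline r,` and `deny @{PROC}/sys/kernel/random/boot_id r,` come back as `owner @{PROC}/@{pid}/cmdline r,` and `@{PROC}/sys/kernel/random/boot_id r,`. A deny in this ruleset records that the access was observed and judged unnecessary (and keeps it out of the audit log), so granting it is a policy widening — boot_id in particular is a stable machine identifier — and deserves a one-line reason in the commit message or a comment on the rule naming the component that needs it. The minitube, psi, psi-plus and qbittorrent-nox hunks make the same deny-to-allow change. The profile body continues outside the hunk.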
@@ -34,84 +30,47 @@ profile minitube @{exec_path} { @{exec_path} mr, - # Minitube home files + # Be able to turn off the screensaver while playing movies + @{bin}/xdg-screensaver rCx -> xdg-screensaver, + + @{open_path} rPx -> child-open, + + /usr/share/minitube/{,**} r, + + /etc/vdpau_wrapper.cfg r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/vlcsnap-.png rw, + + owner "@{user_cache_dirs}/Flavio Tordini/" rw, + owner "@{user_cache_dirs}/Flavio Tordini/Minitube/" rw, + owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**", + owner "@{user_config_dirs}/Flavio Tordini/" rw, owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#@{int}", owner "@{user_share_dirs}/Flavio Tordini/" rw, owner "@{user_share_dirs}/Flavio Tordini/Minitube/" rw, owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk, - # Snapshot owner @{user_pictures_dirs}/*.png rw, - owner @{HOME}/vlcsnap-.png rw, - /usr/share/minitube/{,**} r, + owner @{tmp}/qtsingleapp-minitu-* rw, + owner @{tmp}/qtsingleapp-minitu-*-lockfile rwk, # If one is blocked, the others are probed. 
deny owner @{HOME}/#@{int} mrw, owner @{HOME}/.glvnd* mrw, - # owner /tmp/#@{int} mrw, - # owner /tmp/.glvnd* mrw, + # owner @{tmp}/#@{int} mrw, + # owner @{tmp}/.glvnd* mrw, - # Cache - owner @{user_cache_dirs}/ rw, - owner "@{user_cache_dirs}/Flavio Tordini/" rw, - owner "@{user_cache_dirs}/Flavio Tordini/Minitube/" rw, - owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**", + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, - deny /dev/ r, - /dev/shm/#@{int} rw, - - /etc/vdpau_wrapper.cfg r, - - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/core_pattern r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - # TMP - owner /tmp/qtsingleapp-minitu-* rw, - owner /tmp/qtsingleapp-minitu-*-lockfile rwk, - - @{bin}/xdg-open rCx -> open, - - # Be able to turn off the screensaver while playing movies - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - profile xdg-screensaver { include include @@ -133,6 +92,8 @@ profile minitube @{exec_path} { /dev/dri/card@{int} rw, network inet stream, network inet6 stream, + + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index 61538790..7350d7b7 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge 
@@ -19,8 +19,8 @@ profile mkvmerge @{exec_path} {
 owner @{user_music_dirs}/** rw,
 owner @{user_videos_dirs}/** rw,
- owner /tmp/MKVToolNix-process-*.json r,
- owner /tmp/MKVToolNix-GUI-MuxJob-*.json r,
+ owner @{tmp}/MKVToolNix-process-*.json r,
+ owner @{tmp}/MKVToolNix-GUI-MuxJob-*.json r,
 # file_inherit
 /dev/dri/card@{int} rw,
diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui
index ee2c4155..63a978ba 100644
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@@ -50,11 +50,11 @@ profile mkvtoolnix-gui @{exec_path} {
 owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw,
 owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw,
- owner /tmp/#@{int} rw,
- owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},
- owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#@{int},
- owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int},
- owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},
+ owner @{tmp}/MKVToolNix-process-*.json rwl -> /tmp/#@{int},
+ owner @{tmp}/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int},
+ owner @{tmp}/MKVToolNix-GUI-Instance-Communicator-* rw,
 owner /dev/shm/#@{int} rw,
 deny owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db
index c7057aa4..9e84ee50 100644
--- a/apparmor.d/profiles-m-r/modprobed-db
+++ b/apparmor.d/profiles-m-r/modprobed-db
@@ -33,8 +33,8 @@ profile modprobed-db @{exec_path} {
 owner @{user_config_dirs}/modprobed-db.conf r,
 owner @{user_config_dirs}/modprobed.db rw,
- owner /tmp/.inmem rw,
- owner /tmp/.potential_new_db rw,
+ owner @{tmp}/.inmem rw,
+ owner @{tmp}/.potential_new_db rw,
 @{PROC}/modules r,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen
index 09ae2bcf..72891c7b 100644
--- a/apparmor.d/profiles-m-r/mono-sgen
+++ b/apparmor.d/profiles-m-r/mono-sgen
@@ -36,8 +36,8 @@ profile mono-sgen @{exec_path} {
 owner @{user_config_dirs}/openra/{,**} rw,
 owner @{user_config_dirs}/.mono/{,**} r,
- owner /tmp/*.* rw,
- owner /tmp/CASESENSITIVETEST* rw,
+ owner @{tmp}/*.* rw,
+ owner @{tmp}/CASESENSITIVETEST* rw,
 owner /dev/shm/mono.* rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt
index a4aaf531..71f1e4cf 100644
--- a/apparmor.d/profiles-m-r/mpsyt
+++ b/apparmor.d/profiles-m-r/mpsyt
@@ -52,9 +52,9 @@ profile mpsyt @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 /tmp/ r,
- owner /tmp/[a-z0-9]* rw,
- owner /tmp/mpsyt-input* rw,
- owner /tmp/mpsyt-mpv*.sock rw,
+ owner @{tmp}/[a-z0-9]* rw,
+ owner @{tmp}/mpsyt-input* rw,
+ owner @{tmp}/mpsyt-mpv*.sock rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv
index 8f667bb2..058135e8 100644
--- a/apparmor.d/profiles-m-r/mpv
+++ b/apparmor.d/profiles-m-r/mpv
@@ -53,11 +53,11 @@ profile mpv @{exec_path} {
 owner @{user_config_dirs}/mpv/{,**} rw,
 /tmp/ r,
- owner /tmp/mpsyt-input* rw,
- owner /tmp/mpsyt-mpv*.sock rw,
- owner /tmp/smplayer-mpv-* rw,
- owner /tmp/smplayer_preview/@{int}.{jpg,png} w,
- owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w,
+ owner @{tmp}/mpsyt-input* rw,
+ owner @{tmp}/mpsyt-mpv*.sock rw,
+ owner @{tmp}/smplayer-mpv-* rw,
+ owner @{tmp}/smplayer_preview/@{int}.{jpg,png} w,
+ owner @{tmp}/smplayer_screenshots/cap_*.{jpg,png} w,
 owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
 owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap
index 8366426b..4a40f418 100644
--- a/apparmor.d/profiles-m-r/nmap
+++ b/apparmor.d/profiles-m-r/nmap
@@ -31,8 +31,8 @@ profile nmap @{exec_path} {
 /usr/share/nmap/** r,
- owner /tmp/zenmap-stdout-* rw,
- owner /tmp/zenmap-*.xml rw,
+ owner @{tmp}/zenmap-stdout-* rw,
+ owner @{tmp}/zenmap-*.xml rw,
 owner @{PROC}/@{pid}/net/dev r,
 owner @{PROC}/@{pid}/net/if_inet6 r,
diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt
index 7402c6e4..4a9e437b 100644
--- a/apparmor.d/profiles-m-r/ntfsdecrypt
+++ b/apparmor.d/profiles-m-r/ntfsdecrypt
@@ -17,7 +17,7 @@ profile ntfsdecrypt @{exec_path} {
 @{exec_path} mr,
 # Common locations of the key
- owner /tmp/*.key r,
+ owner @{tmp}/*.key r,
 owner @{HOME}/*.key r,
 include if exists
diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete
index c1db1526..5b066d3f 100644
--- a/apparmor.d/profiles-m-r/ntfsundelete
+++ b/apparmor.d/profiles-m-r/ntfsundelete
@@ -19,8 +19,8 @@ profile ntfsundelete @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 # The recovery dir
- owner /tmp/ntfs-recovery/ r,
- owner /tmp/ntfs-recovery/* rw,
+ owner @{tmp}/ntfs-recovery/ r,
+ owner @{tmp}/ntfs-recovery/* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap
index b5ff0b05..056207cc 100644
--- a/apparmor.d/profiles-m-r/ntfsusermap
+++ b/apparmor.d/profiles-m-r/ntfsusermap
@@ -21,7 +21,7 @@ profile ntfsusermap @{exec_path} {
 # Where to save the UserMapping file
 owner /root/UserMapping w,
- owner /tmp/UserMapping w,
+ owner @{tmp}/UserMapping w,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober
index c0bb8b6a..5333bc94 100644
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@@ -61,7 +61,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
 /boot/{efi/,}EFI/ r,
 /boot/{efi/,}EFI/*/ r,
- owner /tmp/os-prober.*/{,**} rw,
+ owner @{tmp}/os-prober.*/{,**} rw,
 @{sys}/block/ r,
 @{sys}/devices/@{pci}/block/*/ r,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index b769ecbb..972d4526 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -89,9 +89,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 /tmp/apt-changelog-@{rand6}/ w,
 /tmp/apt-changelog-@{rand6}/*.changelog rw,
- owner /tmp/alpm_*/{,**} rw,
- owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
- owner /tmp/packagekit* rw,
+ owner @{tmp}/alpm_*/{,**} rw,
+ owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
+ owner @{tmp}/packagekit* rw,
 @{run}/systemd/inhibit/*.ref rw,
 owner @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper
index 436cdc71..5ca95200 100644
--- a/apparmor.d/profiles-m-r/pam-tmpdir-helper
+++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper
@@ -15,8 +15,8 @@ profile pam-tmpdir-helper @{exec_path} {
 @{exec_path} mr,
- owner /tmp/user/ rw,
- owner /tmp/user/@{uid}/ rw,
+ owner @{tmp}/user/ rw,
+ owner @{tmp}/ rw,
 /dev/ptmx rw,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 4e19b6ad..342fe1b5 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -124,7 +124,7 @@ profile pass @{exec_path} {
 owner @{user_password_store_dirs}/ rw,
 owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
- owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
+ owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
 owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw,
 include if exists
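Review bot: In the pam-tmpdir-helper hunk, `owner @{tmp}/ rw,` is broader than the `owner /tmp/user/@{uid}/ rw,` it replaces: this helper is the component that creates the per-user temp directory, so substituting the variable here changes the rule's meaning rather than just its spelling. If `@{tmp}` is an alternation that includes a bare `/tmp` (the `owner @{tmp}/user/ rw,` line next to it only makes sense if it does), the new rule also grants `rw` on `/tmp/` itself; if it expands only to the per-user path, that same line becomes `/tmp/user/@{uid}/user/`, which is not a path the helper manages. Keeping the literal `owner /tmp/user/ rw,` and `owner /tmp/user/@{uid}/ rw,` in this one profile avoids both readings; the definition of `@{tmp}` is not on this page, so confirm against the tunable. The profile body continues outside the hunk.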
@@ -146,7 +146,7 @@ profile pass @{exec_path} {
 owner @{user_password_store_dirs}/ rw,
 owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
 owner /dev/shm/pass.*/{,*} rw,
- owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
+ owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
 owner /dev/pts/@{int} rw,
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
index f14cf3a1..d2ad4fd9 100644
--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@@ -33,7 +33,7 @@ profile pass-import @{exec_path} {
 owner @{user_password_store_dirs}/{,**} rw,
- owner /tmp/[a-zA-Z0-9]* rw,
+ owner @{tmp}/[a-zA-Z0-9]* rw,
 @{PROC}/@{pids}/fd/ r,
diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd
index 2109f7f8..2ead4d03 100644
--- a/apparmor.d/profiles-m-r/passimd
+++ b/apparmor.d/profiles-m-r/passimd
@@ -29,6 +29,8 @@ profile passimd @{exec_path} flags=(attach_disconnected) {
 /var/lib/passim/{,**} r,
 /var/lib/passim/data/{,**} rw,
+ owner /var/log/passim/* rw,
+
 @{PROC}/@{pid}/cmdline r,
 include if exists
diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt
index eecb1364..ae157744 100644
--- a/apparmor.d/profiles-m-r/pinentry-qt
+++ b/apparmor.d/profiles-m-r/pinentry-qt
@@ -38,7 +38,7 @@ profile pinentry-qt @{exec_path} {
 owner @{user_config_dirs}/kdeglobals r,
 owner @{user_config_dirs}/kwinrc r,
- owner /tmp/xauth_@{rand6} r,
+ owner @{tmp}/xauth_@{rand6} r,
 owner /dev/shm/#@{int} rw,
 @{sys}/devices/system/node/ r,
diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register
index 19d335ea..3ca20d32 100644
--- a/apparmor.d/profiles-m-r/pkcs11-register
+++ b/apparmor.d/profiles-m-r/pkcs11-register
@@ -13,6 +13,7 @@ profile pkcs11-register @{exec_path} {
 @{exec_path} mr,
 /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r,
 owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
 owner @{HOME}/.mozilla/firefox/profiles.ini r,
@@ -21,4 +22,4 @@ profile pkcs11-register @{exec_path} {
 owner @{HOME}/.thunderbird/profiles.ini r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate
index 82617fc6..21a27e43 100644
--- a/apparmor.d/profiles-m-r/plocate
+++ b/apparmor.d/profiles-m-r/plocate
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/plocate
 profile plocate @{exec_path} {
 include
+ include
 # For running as root
 capability dac_read_search,
diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest
index 5035c872..702ccbcd 100644
--- a/apparmor.d/profiles-m-r/popularity-contest
+++ b/apparmor.d/profiles-m-r/popularity-contest
@@ -45,7 +45,7 @@ profile popularity-contest @{exec_path} {
 /var/log/popularity-contest.[0-9]* w,
 /var/log/popularity-contest.new w,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{PROC}/ r,
diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi
index 7e21a206..84ae5b1b 100644
--- a/apparmor.d/profiles-m-r/psi
+++ b/apparmor.d/profiles-m-r/psi
@@ -11,21 +11,16 @@ include
 profile psi @{exec_path} {
 include
 include
- include
+ include
 include
 include
- include
- include
- include
- include
+ include
 include
- include
 include
 include
 include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
@@ -38,12 +33,11 @@ profile psi @{exec_path} {
 @{exec_path} mr,
 @{bin}/aplay rCx -> aplay,
- @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/gpg{,2} rPx,
 @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/xdg-open rCx -> open,
+ @{open_path} rPx -> child-open,
 @{lib}/firefox/firefox rPUx,
- /usr/share/hwdata/pnp.ids r,
 /usr/share/psi/{,**} r,
 /etc/debian_version r,
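Review bot: `@{bin}/gpg{,2} rPx,` in the psi hunk moves gpg from the profile-local `gpg` child (removed in the following hunk, where it was limited to `@{HOME}/.gnupg/` plus the inherited DRI device) to the system-wide gpg profile. That profile is not on this page, but a standalone profile for a general-purpose tool is normally broader than a purpose-built child, so psi's gpg invocations gain whatever it allows; if the client only needs key lookup and signature checks, the narrower child was the tighter choice and the switch deserves a sentence in the commit message. The psi-plus hunk makes the same change.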
@@ -51,8 +45,6 @@ profile psi @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner /var/tmp/etilqs_@{hex} rw, - owner @{HOME}/ r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/#@{int} rw, @@ -63,19 +55,18 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/ rw, owner @{user_share_dirs}/psi/** rwk, - owner /tmp/#@{int} rw, - owner /tmp/Psi.* rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - /dev/shm/#@{int} rw, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, profile aplay { @@ -95,42 +86,7 @@ profile psi @{exec_path} { # file_inherit /dev/dri/card@{int} rw, - } - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - owner @{HOME}/.gnupg/ rw, - owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, - - # file_inherit - /dev/dri/card@{int} rw, - - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index d28dc19c..e1f78a45 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus 
@@ -11,21 +11,16 @@ include profile psi-plus @{exec_path} { include include - include + include include include - include - include - include - include + include include - include include include include include include - include network inet dgram, network inet6 dgram, @@ -38,12 +33,11 @@ profile psi-plus @{exec_path} { @{exec_path} mr, @{bin}/aplay rCx -> aplay, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, - /usr/share/hwdata/pnp.ids r, /usr/share/psi-plus/{,**} r, /etc/debian_version r, @@ -61,20 +55,18 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/ rw, owner @{user_share_dirs}/psi+/** rwk, - owner /tmp/#@{int} rw, - owner /tmp/Psi+.* rwl -> /tmp/#@{int}, - owner /var/tmp/etilqs_@{hex} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - /dev/shm/#@{int} rw, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, profile aplay { 
@@ -94,42 +86,7 @@ profile psi-plus @{exec_path} { # file_inherit /dev/dri/card@{int} rw, - } - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - # file_inherit - /dev/dri/card@{int} rw, - - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index f8160340..e1eb03dd 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -100,16 +100,14 @@ profile qbittorrent @{exec_path} { owner @{user_torrents_dirs}/** rw, owner /dev/shm/#@{int} rw, - owner /tmp/.*/{,s} rw, - owner /tmp/.qBittorrent/ rw, - owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, - owner /tmp/*.torrent rw, - owner /tmp/mozilla_*/*.torrent rw, - owner /tmp/qtsingleapp-qBitto-* rw, - owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, - owner /tmp/tmp* rw, - owner /tmp/user/@{uid}/.qBittorrent/ rw, - owner /tmp/user/@{uid}/.qBittorrent/** rw, + owner @{tmp}/.*/{,s} rw, + owner @{tmp}/.qBittorrent/ rw, + owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, + owner @{tmp}/*.torrent rw, + owner @{tmp}/mozilla_*/*.torrent rw, + owner @{tmp}/qtsingleapp-qBitto-* rw, + owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, + owner @{tmp}/tmp* rw, owner @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/comm r, 
@@ -142,8 +140,8 @@ profile qbittorrent @{exec_path} {
 owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int}, # unconventional '_' tail
 owner /dev/shm/* rw,
- owner /tmp/@{int} rw,
- owner /tmp/tmp* rw,
+ owner @{tmp}/@{int} rw,
+ owner @{tmp}/tmp* rw,
 deny /dev/dri/card@{int} rw,
diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox
index 7d820645..cc8edfd6 100644
--- a/apparmor.d/profiles-m-r/qbittorrent-nox
+++ b/apparmor.d/profiles-m-r/qbittorrent-nox
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/qbittorrent-nox
 profile qbittorrent-nox @{exec_path} {
 include
+ include
 include
 include
@@ -22,48 +23,37 @@ profile qbittorrent-nox @{exec_path} { @{exec_path} mr, - # Qbittorrent home dirs - owner @{user_config_dirs}/qBittorrent/ rw, - owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, - owner @{user_share_dirs}/qBittorrent/ rw, - owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int}, - # Old dir, not recommended to use: - deny owner @{user_share_dirs}/data/qBittorrent/ rw, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, - # Cache dir owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, - # Torrent files - owner @{user_torrents_dirs}/ r, - owner @{user_torrents_dirs}/** rw, + owner @{user_config_dirs}/qBittorrent/ rw, + owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, + owner @{user_share_dirs}/qBittorrent/ rw, + owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int}, + + owner @{tmp}/.*/{,s} rw, + owner @{tmp}/.qBittorrent/ rw, + owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, + owner @{tmp}/*.torrent rw, + owner @{tmp}/mozilla_*/*.torrent rw, + owner @{tmp}/qtsingleapp-qBitto-* rw, + owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/disk/by-label/ r, - /dev/shm/#@{int} rw, - - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/mime/mime.cache r, - /usr/share/mime/types r, - owner @{user_share_dirs}/mime/mime.cache r, - owner @{user_share_dirs}/mime/types r, - - # TMP - owner /tmp/qtsingleapp-qBitto-* rw, - owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, - owner /tmp/.qBittorrent/ rw, - owner /tmp/.qBittorrent/* 
rwl -> /tmp/.qBittorrent/*, - owner /tmp/mozilla_*/*.torrent rw, - owner /tmp/*.torrent rw, - owner /tmp/.*/{,s} rw, + + deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use include if exists } diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 8905cd5d..712750a3 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -10,18 +10,13 @@ include @{exec_path} = @{bin}/qnapi profile qnapi @{exec_path} { include - include + include include - include - include - include - include + include include - include include include include - include network inet dgram, network inet6 dgram, @@ -39,12 +34,10 @@ profile qnapi @{exec_path} { @{bin}/7z rix, @{lib}/p7zip/7z rix, - @{bin}/ffprobe rPx, - @{bin}/xdg-open rCx -> open, + @{bin}/ffprobe rPx, + @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPx, - /usr/share/hwdata/pnp.ids r, - /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, 
@@ -60,50 +53,24 @@ profile qnapi @{exec_path} { owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{int}, - owner @{user_cache_dirs}/ rw, - /tmp/ r, - owner /tmp/@{hex}.* rw, - owner /tmp/** rw, - owner /tmp/#@{int} rw, - owner /tmp/QNapi-*-rc wl -> /tmp/#@{int}, - owner /tmp/QNapi-*-rc.lock rwk, - owner /tmp/QNapi.@{int}.tmp rw, - owner /tmp/QNapi.@{int}.tmp.* rw, - owner /tmp/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int}, - owner /tmp/QNapi.@{int} rw, + owner @{tmp}/@{hex}.* rw, + owner @{tmp}/** rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int}, + owner @{tmp}/QNapi-*-rc.lock rwk, + owner @{tmp}/QNapi.@{int}.tmp rw, + owner @{tmp}/QNapi.@{int}.tmp.* rw, + owner @{tmp}/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int}, + owner @{tmp}/QNapi.@{int} rw, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner /dev/shm/#@{int} rw, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner /dev/tty@{int} rw, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 28ec6f84..2ced9351 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview 
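Review bot: The former `deny owner @{PROC}/@{pid}/cmdline r,` and `deny @{PROC}/sys/kernel/random/boot_id r,` become plain allow rules, which widens what qnapi may read rather than merely silencing audit noise; boot_id is a stable per-boot identifier and the explicit deny looks like it was a deliberate refusal. The same deny-to-allow flip is made in qpdfview and strawberry in this commit. If granting these is intended, a one-line comment above the new `@{PROC}/sys/kernel/random/boot_id r,` recording why the deny was lifted (presumably a toolkit read that otherwise misbehaves — worth confirming from the audit log) would stop a later reviewer from reverting it.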
@@ -10,19 +10,14 @@ include @{exec_path} = @{bin}/qpdfview profile qpdfview @{exec_path} { include - include + include include - include - include - include - include + include include - include include include include include - include @{exec_path} mr, @@ -34,7 +29,6 @@ profile qpdfview @{exec_path} { @{lib}/firefox/firefox rPUx, @{open_path} rPx -> child-open, - /usr/share/hwdata/pnp.ids r, /usr/share/poppler/** r, /usr/share/djvu/** r, @@ -56,14 +50,14 @@ profile qpdfview @{exec_path} { owner @{user_share_dirs}/qpdfview/** rwk, owner /dev/shm/#@{int} rw, - owner /tmp/@{hex} rw, - owner /tmp/#@{int} rw, - owner /tmp/qpdfview.*.pdf rwl -> /tmp/#@{int}, + owner @{tmp}/@{hex} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/qpdfview.*.pdf rwl -> /tmp/#@{int}, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index f17f2a83..3d4d73bb 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -10,19 +10,17 @@ include @{exec_path} = @{bin}/qt5ct profile qt5ct @{exec_path} { include - include - include - include + include include - include - include - include - include - include + include include + include @{exec_path} mr, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/qt5ct/ rw, owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#@{int}, 
@@ -35,19 +33,8 @@ profile qt5ct @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - /usr/share/qt5ct/** r, - - /usr/share/xsessions/{,*.desktop} r, - + @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, - @{PROC}//sys/kernel/random/boot_id r, - - /etc/X11/cursors/*.theme r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /usr/share/hwdata/pnp.ids r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index 8b243e8f..a6013640 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -52,7 +52,7 @@ profile qtox @{exec_path} { owner @{PROC}/@{pid}/cmdline r, @{PROC}/sys/kernel/core_pattern r, # for KCrash::initialize() - owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw, + owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw, /dev/ r, /dev/video@{int} rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index c1d7944c..a0463bb9 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -61,8 +61,8 @@ profile quiterss @{exec_path} { /dev/shm/#@{int} rw, - owner /tmp/qtsingleapp-quiter-@{int}-@{int} rw, - owner /tmp/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, + owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, + owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, owner /var/tmp/etilqs_@{hex} rw, # Allowed apps to open diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 38a3c0f6..56f1152e 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -50,8 +50,8 @@ profile repo @{exec_path} { /usr/share/git-core/{,**} r, - owner /tmp/.git_vtag_tmp@{rand6} rw, - owner /tmp/ssh-*/ rw, + owner @{tmp}/.git_vtag_tmp@{rand6} rw, + owner @{tmp}/ssh-*/ rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, 
@@ -80,7 +80,7 @@ profile repo @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, - owner /tmp/.git_vtag_tmp@{rand6} r, + owner @{tmp}/.git_vtag_tmp@{rand6} r, } diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 00820b5a..b929f1a7 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -25,6 +25,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, /etc/opensc.conf r, + /etc/opensc/opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 4cd81889..726f6f64 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -135,9 +135,9 @@ profile run-parts @{exec_path} { /usr/share/landscape/landscape-sysinfo.wrapper rPUx, - owner /tmp/#@{int} rw, - owner /tmp/$anacron* rw, - owner /tmp/file@{rand6} ra, + owner @{tmp}/#@{int} rw, + owner @{tmp}/$anacron* rw, + owner @{tmp}/file@{rand6} ra, owner @{sys}/class/power_supply/ r, diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 7d3b1ae4..590ed971 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -45,7 +45,7 @@ profile runuser @{exec_path} { /etc/default/runuser r, # file_inherit - owner /tmp/debian-security-support.postinst.*/output w, + owner @{tmp}/debian-security-support.postinst.*/output w, include if exists } diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index b82576a1..50e5ae8c 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary 
@@ -41,7 +41,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{user_share_dirs}/YACReader/YACReaderLibrary/ rw, owner @{user_share_dirs}/YACReader/YACReaderLibrary/** rwlk, - owner /tmp/@{uuid} w, + owner @{tmp}/@{uuid} w, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index 721a1b46..1bc9288d 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -32,7 +32,7 @@ profile s3fs @{exec_path} { owner @{MOUNTS}/ r, owner @{MOUNTS}/*/ r, - owner /tmp/* rw, + owner @{tmp}/* rw, /dev/fuse rw, @@ -59,7 +59,7 @@ profile s3fs @{exec_path} { @{MOUNTS}/ r, @{MOUNTS}/*/ r, - owner /tmp/s3fstmp.* rw, + owner @{tmp}/s3fstmp.* rw, @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index 0be658dd..f0b8426c 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -27,7 +27,7 @@ profile sanoid @{exec_path} flags=(complain) { @{run}/sanoid/sanoid_cacheupdate.lock rwk, @{run}/sanoid/sanoid_pruning.lock rwk, - owner /tmp/** rw, + owner @{tmp}/** rw, include if exists } diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index e2fd09d1..f423775f 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/scrot profile scrot @{exec_path} { include + include include @{exec_path} mr, @@ -21,16 +22,10 @@ profile scrot @{exec_path} { # The image dir owner @{HOME}/*.png rw, - owner @{HOME}/.Xauthority r, - - /dev/shm/#@{int} rw, - - owner @{HOME}/.icons/default/index.theme r, - /usr/share/icons/*/index.theme r, - /usr/share/icons/*/cursors/* r, - # file_inherit owner @{HOME}/.xsession-errors w, + /dev/shm/#@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool new file mode 100644 index 00000000..4ae50fbb --- /dev/null 
+++ b/apparmor.d/profiles-s-z/smbspool @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/smbspool +profile smbspool @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 6b785ebe..3751c4ab 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -64,11 +64,11 @@ profile smplayer @{exec_path} { owner @{user_cache_dirs}/#@{int} rw, - owner /tmp/qtsingleapp-smplay-* rw, - owner /tmp/qtsingleapp-smplay-*-lockfile rwk, - owner /tmp/smplayer_preview/ rw, - owner /tmp/smplayer_preview/@{int}.{jpg,png} rw, - owner /tmp/smplayer-mpv-* w, + owner @{tmp}/qtsingleapp-smplay-* rw, + owner @{tmp}/qtsingleapp-smplay-*-lockfile rwk, + owner @{tmp}/smplayer_preview/ rw, + owner @{tmp}/smplayer_preview/@{int}.{jpg,png} rw, + owner @{tmp}/smplayer-mpv-* w, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 6eb60c47..3d71ce76 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap 
@@ -31,19 +31,7 @@ profile snap @{exec_path} { #aa:dbus own bus=session name=io.snapcraft.Launcher #aa:dbus own bus=session name=io.snapcraft.Settings - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=StartTransientUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - - dbus receive bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=JobRemoved - peer=(name=:*, label="@{p_systemd}"), - dbus receive bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=JobRemoved - peer=(name=:*, label="@{p_systemd_user}"), + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents @@ -71,7 +59,7 @@ profile snap @{exec_path} { @{HOME}/snap/{,**} rw, /snap/{,**} rw, - owner /tmp/snapd-auto-import-mount-@{int}/ rw, + owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 8d6a4a49..328eab74 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -39,7 +39,7 @@ profile snap-update-ns @{exec_path} { owner /var/snap/ rw, owner /var/snap/**/ rw, - owner /tmp/.snap/{,**} rwk, + owner @{tmp}/.snap/{,**} rwk, @{run}/snapd/lock/*.lock rwk, @{run}/snapd/ns/{,**} rw, diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index dc1f4d95..94fa14f0 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker 
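Review bot: Replacing the three explicit rules with `#aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"` changes the policy in two ways the commit does not mention. If the `talk` directive expands, as its name suggests, to unrestricted send and receive with that peer, it is broader than the previous `member=StartTransientUnit` send plus `member=JobRemoved` receive, so snap may now call any method on the user systemd manager. Conversely the `dbus receive bus=system ... label="@{p_systemd}"` rule is dropped entirely, so `JobRemoved` signals from the system manager will be denied unless they were never observed. A comment stating which of the two is intended, or keeping the system-bus receive rule, would make the hunk reviewable.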
@@ -73,17 +73,17 @@ profile spectre-meltdown-checker @{exec_path} { # To fetch MCE.db from the MCExtractor project @{bin}/wget rCx -> mcedb, @{bin}/sqlite3 rCx -> mcedb, - owner /tmp/mcedb-* rw, - owner /tmp/smc-* rw, - owner /tmp/{,smc-}intelfw-*/ rw, - owner /tmp/{,smc-}intelfw-*/fw.zip rw, - owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, - owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, + owner @{tmp}/mcedb-* rw, + owner @{tmp}/smc-* rw, + owner @{tmp}/{,smc-}intelfw-*/ rw, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, owner @{HOME}/.mcedb rw, /tmp/ r, - owner /tmp/{config,kernel}-* rw, + owner @{tmp}/{config,kernel}-* rw, owner /dev/cpu/@{int}/cpuid r, owner /dev/cpu/@{int}/msr rw, @@ -166,8 +166,8 @@ profile spectre-meltdown-checker @{exec_path} { owner @{HOME}/.mcedb rw, /tmp/ r, - owner /tmp/{,smc-}mcedb-* rwk, - owner /tmp/{,smc-}intelfw-*/fw.zip rw, + owner @{tmp}/{,smc-}mcedb-* rwk, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, /usr/share/publicsuffix/public_suffix_list.* r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index fef063b8..5da32107 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -19,12 +19,10 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include + include include - include - include + include include - include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 99d7ae84..99d05d28 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss 
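Review bot: The context line `/tmp/ r,` is left as a literal while every file rule around it now uses `@{tmp}`; if `@{tmp}` covers directories other than `/tmp` (for example a per-user tmp), listing that directory is no longer granted. The same untouched `/tmp/ r,` sits next to converted rules in startx, thunderbird, unmkinitramfs and update-ca-certificates. If the directory read should follow the variable, `@{tmp}/ r,` is the consistent form; if the literal is deliberate, a short comment on it would record that.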
@@ -24,7 +24,7 @@ profile ss @{exec_path} { /etc/iproute2/{,**} r, - owner /tmp/*.ss rw, + owner @{tmp}/*.ss rw, owner @{HOME}/*.ss rw, @{PROC} r, diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index a0e1764b..9471ab0a 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl @@ -13,8 +13,8 @@ profile ssurl @{exec_path} { include include - capability dac_read_search, - deny capability dac_override, + capability dac_read_search, + capability dac_override, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 8bb4cd73..9a51396c 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -40,7 +40,7 @@ profile startx @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xserverrc r, /tmp/ r, - owner /tmp/serverauth.* rw, + owner @{tmp}/serverauth.* rw, /dev/ r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 429aca59..d370dbb2 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam 
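Review bot: In ssurl, `deny capability dac_override,` is turned into `capability dac_override,` with no justification; dac_override lets the process bypass file permission checks entirely, and the previous explicit deny reads as a deliberate refusal of an observed request rather than an omission. Before granting it, it is worth confirming from the audit log which file access actually fails, since `dac_read_search` (kept on the line above) already covers read-only traversal of unreadable directories. If the grant is genuinely needed, a comment such as `# <reason placeholder>: dac_override required for <path placeholder>` above the rule would record why the deny was lifted.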
@@ -139,13 +139,13 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - owner /tmp/dumps/ rw, - owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw, - owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, - owner /tmp/miles_image_* mrw, - owner /tmp/runtime-info.txt.* rwk, - owner /tmp/sh-thd.* rw, - owner /tmp/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + owner @{tmp}/dumps/ rw, + owner @{tmp}/dumps/{assert,crash}_@{int}_@{int}.dmp rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{tmp}/miles_image_* mrw, + owner @{tmp}/runtime-info.txt.* rwk, + owner @{tmp}/sh-thd.* rw, + owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index d011c16c..e476bc26 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -161,10 +161,10 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/wine-*-fsync rw, - owner /tmp/.wine-@{uid}/server-*/* rwk, - owner /tmp/** rw, - owner /tmp/miles_image_* mr, - owner /tmp/pressure-vessel-*/{,**} rwl, + owner @{tmp}/.wine-@{uid}/server-*/* rwk, + owner @{tmp}/** rw, + owner @{tmp}/miles_image_* mr, + owner @{tmp}/pressure-vessel-*/{,**} rwl, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index fac7818f..44100175 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui 
@@ -45,9 +45,9 @@ profile steam-gameoverlayui @{exec_path} { owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - owner /tmp/gameoverlayui.log* rw, - owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, - owner /tmp/miles_image_* mrw, + owner @{tmp}/gameoverlayui.log* rw, + owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, + owner @{tmp}/miles_image_* mrw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index a36d59d2..efb32611 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -10,22 +10,18 @@ include @{exec_path} = @{bin}/strawberry profile strawberry @{exec_path} { include - include - include - include - include - include - include - include - include include - include + include + include + include + include + include + include + include include include - include include - include - include + include signal (send) set=(term, kill) peer=strawberry-tagreader, 
@@ -42,88 +38,45 @@ profile strawberry @{exec_path} { @{bin}/strawberry-tagreader rPx, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open-help, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{HOME}/ r, - # Media library owner @{user_music_dirs}/ r, owner @{user_music_dirs}/** rw, - # Playlists - owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw, - owner @{HOME}/**.{M3U,XSPF,PLS,ASX,CUE,WPL} rw, - - owner @{HOME}/ r, owner @{user_config_dirs}/strawberry/ rw, owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int}, owner @{user_share_dirs}/strawberry/ rw, owner @{user_share_dirs}/strawberry/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/strawberry/ rw, owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#@{int}, owner @{user_cache_dirs}/xine-lib/ rw, owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/sys/kernel/random/boot_id r, + owner @{tmp}/.*/ rw, + owner @{tmp}/.*/s rw, + owner @{tmp}/*= w, + owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, + owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, + owner @{tmp}/strawberry*[0-9] w, + owner /dev/shm/#@{int} rw, @{run}/mount/utab r, - /etc/fstab r, - - /dev/shm/#@{int} rw, - /dev/sr[0-9]* r, - - owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, - owner /tmp/.*/ rw, - owner /tmp/.*/s rw, - owner /tmp/strawberry*[0-9] w, - owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#@{int}, - owner /tmp/#@{int} rw, - owner /tmp/*= w, - - owner /var/tmp/etilqs_@{hex} rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner /dev/tty@{int} rw, - owner 
@{HOME}/.anyRemote/anyremote.stdout w, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 4d92f30b..e3c2f1d4 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -14,6 +14,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { include capability chown, + capability fowner, capability mknod, capability sys_ptrace, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index bb516789..18aafae6 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner /tmp/swtpm_setup.certs.*/ w, - owner /tmp/swtpm_setup.certs.*/*.cert rw, - owner /tmp/.swtpm_setup.pidfile* rw, + owner @{tmp}/swtpm_setup.certs.*/ w, + owner @{tmp}/swtpm_setup.certs.*/*.cert rw, + owner @{tmp}/.swtpm_setup.pidfile* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync new file mode 100644 index 00000000..3211a2b5 --- /dev/null +++ b/apparmor.d/profiles-s-z/sync @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/sync +profile sync @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file 
diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index c04232d8..36a5c985 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,7 +25,7 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - owner /tmp/** rw, + owner @{tmp}/** rw, @{PROC}/@{pids}/maps r, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index f6f5025a..fb3c6077 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -46,7 +46,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{run}/cups/cups.sock rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner /tmp/* rw, + owner @{tmp}/* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 24cc65c1..94bba6ce 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -38,7 +38,7 @@ profile tasksel @{exec_path} flags=(complain) { /usr/share/debconf/confmodule r, - owner /tmp/file* w, + owner @{tmp}/file* w, profile tasksel-tests flags=(complain) { @@ -66,7 +66,7 @@ profile tasksel @{exec_path} flags=(complain) { # The following is needed when debconf uses dialog/whiptail frontend. @{bin}/whiptail rPx, - owner /tmp/file* w, + owner @{tmp}/file* w, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 86b064de..c63a5657 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -36,7 +36,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/terminator/{,**} rw, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pid}/net/tcp{,6} r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 04e67287..d27f84aa 100644 
--- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -126,14 +126,14 @@ profile thunderbird @{exec_path} { /tmp/ r, /var/tmp/ r, - owner /tmp/@{name}{,_*}/ rw, - owner /tmp/@{name}{,_*}/* rwk, - owner /tmp/* rw, - owner /tmp/mozilla_*/ rw, - owner /tmp/mozilla_*/* rw, - owner /tmp/MozillaMailnews/ rw, - owner /tmp/MozillaMailnews/*.msf rw, - owner /tmp/Temp-@{uuid}/ rw, + owner @{tmp}/@{name}{,_*}/ rw, + owner @{tmp}/@{name}{,_*}/* rwk, + owner @{tmp}/* rw, + owner @{tmp}/mozilla_*/ rw, + owner @{tmp}/mozilla_*/* rw, + owner @{tmp}/MozillaMailnews/ rw, + owner @{tmp}/MozillaMailnews/*.msf rw, + owner @{tmp}/Temp-@{uuid}/ rw, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index c36601b9..b69db491 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -21,7 +21,7 @@ profile thunderbird-glxtest @{exec_path} { owner @{config_dirs}/*/.parentlock rw, - owner /tmp/thunderbird/.parentlock rw, + owner @{tmp}/thunderbird/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index d5050b01..345b7a6f 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -20,7 +20,7 @@ profile thunderbird-vaapitest @{exec_path} { @{exec_path} mr, - owner /tmp/thunderbird/.parentlock rw, + owner @{tmp}/thunderbird/.parentlock rw, deny @{cache_dirs}/*/startupCache/** r, deny @{config_dirs}/*/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 889014b1..e098f55e 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 
@@ -43,7 +43,7 @@ profile tint2 @{exec_path} { owner @{HOME}/.Xauthority r, - owner /tmp/tint2-@{pid}-@{int}.png rw, + owner @{tmp}/tint2-@{pid}-@{int}.png rw, # Battery applet @{sys}/class/power_supply/ r, diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt index 179fdd89..5b232a00 100644 --- a/apparmor.d/profiles-s-z/transmission-qt +++ b/apparmor.d/profiles-s-z/transmission-qt @@ -40,7 +40,7 @@ profile transmission-qt @{exec_path} { owner @{user_cache_dirs}/transmission/ rw, owner @{user_cache_dirs}/transmission/** rwk, - owner /tmp/tr_session_id_* rwk, + owner @{tmp}/tr_session_id_* rwk, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf deleted file mode 100644 index 1795bc6c..00000000 --- a/apparmor.d/profiles-s-z/ucf +++ /dev/null 
@@ -1,116 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2022 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ucf -profile ucf @{exec_path} flags=(complain) { - include - include - - @{exec_path} r, - @{sh_path} rix, - - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/{m,g,}awk rix, - @{bin}/getopt rix, - @{bin}/id rix, - @{bin}/md5sum rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/perl rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/stat rix, - @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, - - # Do not strip env to avoid errors like the following: - # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open - # shared object file): ignored. - @{bin}/dpkg-query rpx, - # - @{bin}/dpkg-divert rPx, - - @{bin}/sensible-pager rCx -> pager, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/ucf.conf r, - /var/lib/ucf/** rw, - - owner /tmp/* rw, - /etc/default/* rw, - - # For md5sum - /etc/** r, - /usr/share/** r, - @{run}/** r, - - # For writing new config files - /etc/** rw, - - /usr/share/debconf/confmodule r, - - # For shell pwd - / r, - /root/ r, - - - profile pager flags=(complain) { - include - include - - @{bin}/ r, - @{bin}/sensible-pager mr, - - # For shell pwd - /root/ r, - - } - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/ucf rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - - # The following is needed when debconf uses GUI frontends. 
- include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, - - } - - include if exists -} diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 4529c2c5..cbe3a79b 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -47,6 +47,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + mount options=(rw move) -> @{MOUNTS}/, + mount options=(rw move) -> @{MOUNTS}/*/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 97ef4359..65fd4330 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -19,6 +19,7 @@ profile unix-chkpwd @{exec_path} { @{exec_path} mr, + /etc/machine-id r, /etc/shadow r, # systemd userdb, used in nspawn diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 59bdb710..23f4e249 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -38,14 +38,14 @@ profile unmkinitramfs @{exec_path} { /boot/ r, owner /boot/initrd.img-* r, /tmp/ r, - owner /tmp/initrd.img-* r, + owner @{tmp}/initrd.img-* r, /mnt/ r, owner /mnt/initrd.img-* r, /mnt/boot/ r, owner /mnt/boot/initrd.img-* r, # To extract the content of the initrd image - owner /tmp/** rwl -> /tmp/**, + owner @{tmp}/** rwl -> /tmp/**, /var/tmp/ r, owner /var/tmp/unmkinitramfs_* rw, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index 8d0f61b4..d1dba09e 100644 
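Review bot: The new udisksd rules `mount options=(rw move) -> @{MOUNTS}/,` and `mount options=(rw move) -> @{MOUNTS}/*/,` name no source, so any mount point in the namespace may be moved under `@{MOUNTS}`, while the neighbouring rules all pin a source (`/dev/mmcblk...`, `/`). The `# Allow mounting on temporary mount point` comment right below shows the file's convention; a matching one-line comment naming the udisks operation that performs the move would help, and if the source is always the temporary mount point the rule could be narrowed to `mount options=(rw move) @{run}/udisks2/temp-mount-*/ -> @{MOUNTS}/*/,` (this is an inference to confirm against the daemon's behaviour).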
--- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -53,7 +53,7 @@ profile update-ca-certificates @{exec_path} { / r, /tmp/ r, - owner /tmp/ca-certificates{,.crt}.tmp.* rw, + owner @{tmp}/ca-certificates{,.crt}.tmp.* rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index df2b9734..7c2d4c1b 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -36,7 +36,7 @@ profile update-cracklib @{exec_path} { owner /var/cache/cracklib/{,**} rw, - owner /tmp/sort@{rand6} rw, + owner @{tmp}/sort@{rand6} rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/profiles-s-z/uuidgen new file mode 100644 index 00000000..4a433508 --- /dev/null +++ b/apparmor.d/profiles-s-z/uuidgen @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/uuidgen +profile uuidgen @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index b491f4a1..9ceb9ec4 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -28,7 +28,7 @@ profile vcsi @{exec_path} { /etc/fstab r, - owner /tmp/* rw, + owner @{tmp}/* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 9ceb3fd4..b9c12955 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter 
@@ -51,10 +51,10 @@ profile vidcutter @{exec_path} { owner @{user_config_dirs}/vidcutter/ rw, owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int}, - owner /tmp/vidcutter-@{uuid} w, - owner /tmp/#@{int} rw, - owner /tmp/*.jpg rwl -> /tmp/#@{int}, - owner /tmp/vidcutter/{,*} rw, + owner @{tmp}/vidcutter-@{uuid} w, + owner @{tmp}/#@{int} rw, + owner @{tmp}/*.jpg rwl -> /tmp/#@{int}, + owner @{tmp}/vidcutter/{,*} rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index d4f8d403..68f52dd3 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -85,10 +85,11 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/virtual/drm/ttm/uevent r, + @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pid}/stat r, /dev/media@{int} r, /dev/video@{int} rw, diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 727a1792..33915f7c 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -10,13 +10,10 @@ include @{exec_path} = @{bin}/vsftpd profile vsftpd @{exec_path} { include - include - - # Only for local users authentication include - - # For libwrap (TCP Wrapper) support (tcp_wrappers=YES) include + include + include # To be able to listen on ports < 1024 capability net_bind_service, @@ -43,7 +40,8 @@ profile vsftpd @{exec_path} { capability net_admin, capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp - include + + @{exec_path} mr, # To validate allowed users shells /etc/shells r, 
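Review bot: `owner @{tmp}/*.jpg rwl -> /tmp/#@{int},` converts the link source but leaves the target at `/tmp/#@{int}`; the `#@{int}` temp file is normally created in the same directory as the file it replaces (as the `owner @{tmp}/#@{int} rw,` line two above already assumes), so under pam-tmpdir the target is `/tmp/user/@{uid}/#N` and the link is denied — exactly the case the conversion set out to cover. The target should follow the source: `owner @{tmp}/*.jpg rwl -> @{tmp}/#@{int},`. Worth grepping the rest of the commit for `-> /tmp/` while at it.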
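Review bot: In the second vsftpd hunk the context comment `# If session_support=YES, vsftpd will also try and update utmp and wtmp` now sits directly above the new `@{exec_path} mr,`, because the include it explained was taken out of that spot (presumably it is one of the two `+ include` lines in the first hunk); as left, it documents nothing. Move the comment up with the include, or drop it. The first hunk likewise deletes the `# Only for local users authentication` and `# For libwrap (TCP Wrapper) support (tcp_wrappers=YES)` rationale; since the page strips the include targets I cannot say which abstraction each belonged to, but that rationale is precisely what a later reviewer needs when deciding whether an include can go, so keeping it as a trailing comment on the consolidated includes (`# local users only`, `# tcp_wrappers=YES`) would preserve it.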
diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index b1295df1..db62117f 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Zane Zakraisek +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -24,5 +25,8 @@ profile whatis @{exec_path} { owner @{HOME}/.manpath r, + owner @{user_share_dirs}/man/{,**/}{,whatis} r, + owner @{user_share_dirs}/man/{,**/}index.{bt,db,dir,pag} rk, + include if exists } diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index 21a369ad..464d5862 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -18,7 +18,7 @@ profile whiptail @{exec_path} flags=(complain) { /etc/newt/palette.* r, - owner /tmp/gpm* w, + owner @{tmp}/gpm* w, include if exists } diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index 19f38bc9..3c10760d 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -48,7 +48,7 @@ profile wireshark @{exec_path} { owner @{HOME}/.wireshark/{,**} rw, owner @{user_config_dirs}/wireshark/{,**} rw, - owner /tmp/wireshark_extcap_ciscodump_@{int}_* rw, + owner @{tmp}/wireshark_extcap_ciscodump_@{int}_* rw, deny @{PROC}/sys/kernel/random/boot_id r, deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index 6e621d57..b961da10 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -17,7 +17,7 @@ profile wl-copy @{exec_path} { @{bin}/xdg-mime rPx, - owner /tmp/wl-copy-buffer-*/{,**} rw, + owner @{tmp}/wl-copy-buffer-*/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index c324f3b9..03c3db36 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli 
@@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} { owner @{HOME}/.wpa_cli_history-@{int}.tmp rw, owner @{run}/wpa_supplicant/ r, - owner /tmp/wpa_ctrl_@{pid}-[0-9] rw, + owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index f9396ba9..6718f20c 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -24,7 +24,7 @@ profile wpa-gui @{exec_path} { /usr/share/hwdata/pnp.ids r, - owner /tmp/wpa_ctrl_@{pid}-[0-9] w, + owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, owner /dev/shm/#@{int} rw, @{run}/wpa_supplicant/ r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index eb6f8f95..dccccc2b 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -56,7 +56,7 @@ profile xarchiver @{exec_path} { @{MOUNTS}/ r, @{MOUNTS}/** rw, /tmp/ r, - owner /tmp/** rw, + owner @{tmp}/** rw, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index 44710efd..02ab3042 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth 
@@ -26,15 +26,15 @@ profile xauth @{exec_path} { owner @{HOME}/.Xauthority-n rw, owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n, - owner /tmp/serverauth.*-c w, - owner /tmp/serverauth.*-l wl -> /tmp/serverauth.*-c, - owner /tmp/serverauth.*-n rw, - owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n, + owner @{tmp}/serverauth.*-c w, + owner @{tmp}/serverauth.*-l wl -> /tmp/serverauth.*-c, + owner @{tmp}/serverauth.*-n rw, + owner @{tmp}/serverauth.* rwl -> /tmp/serverauth.*-n, - owner /tmp/runtime-*/xauth_@{rand6} r, - owner /tmp/xauth_@{rand6} r, - owner /tmp/xauth_@{rand6}-c w, - owner /tmp/xauth_@{rand6}-l wl, + owner @{tmp}/runtime-*/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6}-c w, + owner @{tmp}/xauth_@{rand6}-l wl, owner @{run}/user/@{uid}/xauth_@{rand6} rw, owner @{run}/user/@{uid}/xauth_@{rand6}-c w, diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 0aadf7a6..68258cae 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -16,8 +16,8 @@ profile xclip @{exec_path} { @{exec_path} mr, - owner /tmp/mutt-* rw, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/mutt-* rw, + owner @{tmp}/xauth_@{rand6} r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 8c8428d1..03ec3ff9 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -70,8 +70,8 @@ profile xinit @{exec_path} { owner @{HOME}/.xserverrc r, owner @{HOME}/.xsession-errors w, - owner /tmp/file* rw, - owner /tmp/tmp.* rw, + owner @{tmp}/file* rw, + owner @{tmp}/tmp.* rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 6b065bcd..9fb9593d 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel 
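Review bot: `owner @{tmp}/serverauth.*-l wl -> /tmp/serverauth.*-c,` and `owner @{tmp}/serverauth.* rwl -> /tmp/serverauth.*-n,` move the link source to `@{tmp}` but keep `/tmp/` in the target; xauth creates its `-c`/`-l`/`-n` lock and temp files beside the authority file, so under pam-tmpdir the target is `/tmp/user/@{uid}/serverauth.*-c` and the link is still denied. Both targets should read `-> @{tmp}/serverauth.*-c` and `-> @{tmp}/serverauth.*-n`. The `owner @{tmp}/xauth_@{rand6}-l wl,` rule below has no explicit target, unlike its serverauth twin; if the audit log shows where it links, pinning it with `-> @{tmp}/xauth_@{rand6}-c` keeps the two consistent.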
@@ -19,7 +19,7 @@ profile xsel @{exec_path} { owner @{user_cache_dirs}/xsel.log rw, owner @{HOME}/.Xauthority r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/xauth-@{int}-_[0-9] r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index c2fa6162..1ce39288 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -43,7 +43,7 @@ profile zed @{exec_path} { @{run}/zed.state rwkl, @{run}/zfs-list.cache@* rw, - owner /tmp/tmp.* rw, + owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index 8d4a0934..2136952a 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -37,8 +37,8 @@ profile zenmap @{exec_path} { /usr/share/zenmap/** r, - owner /tmp/* rw, - owner /tmp/zenmap-stdout-* rw, + owner @{tmp}/* rw, + owner @{tmp}/zenmap-stdout-* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index e5aff51c..aad07309 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -18,15 +18,18 @@ profile zpool @{exec_path} { @{sh_path} rix, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + /usr/share/zfs/{,**} r, + /etc/hostid r, /etc/zfs/*.cache rwk, + /tmp/tmp.* rw, + @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old rwl, @{run}/blkid/blkid.tab-@{rand6} rwl, - /tmp/tmp.* rw, - + @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 68efe0b7..bf532376 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
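Review bot: `/tmp/tmp.* rw,` is moved in the zpool hunk but, unlike every other profile in this commit, it is neither converted to `@{tmp}` nor qualified with `owner`, so zpool (which runs as root) may read and overwrite any `tmp.*` file in `/tmp` whoever created it. `owner @{tmp}/tmp.* rw,` matches the treatment elsewhere and stops another user's `mktemp` output from being fed to or clobbered by a root process. If the unowned form is deliberate (for example a helper under `zpool.d/` running as a different uid), a one-line comment saying so would keep the next reviewer from tightening it.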
@@ -17,7 +17,8 @@ # Hexadecimal up to 64 characters @{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{hex32}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{hex16}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{hex32}=@{hex16}@{hex16} @{hex64}=@{hex32}@{hex32} @{md5}=@{hex32} # kept for now for compatibility @@ -56,6 +57,9 @@ @{bin}=/{,usr/}{,s}bin @{lib}=/{,usr/}lib{,exec,32,64} +# Common places for temporary files +@{tmp}=/tmp/ /tmp/user/@{uid}/ + # Udev data dynamic assignment ranges @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 976dcad5..6d69b629 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -98,6 +98,8 @@ dpkg-genbuildinfo complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain +ephy-profile-migrator complain +epiphany attach_disconnected,complain epiphany-search-provider complain epiphany-webapp-provider complain evolution-user-prompter complain @@ -396,4 +398,3 @@ xsettingsd complain xwaylandvideobridge complain YACReader attach_disconnected,mediate_deleted,complain YACReaderLibrary attach_disconnected,mediate_deleted,complain - diff --git a/dists/overwrite b/dists/overwrite index b00079b1..37db232d 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -15,6 +15,7 @@ firefox flatpak foliate loupe +msedge nautilus opera plasmashell 
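Review bot: The new `@{tmp}=/tmp/ /tmp/user/@{uid}/` needs a comment that says where the second element comes from and what is not covered, e.g. `# Common places for temporary files: /tmp and pam_tmpdir's per-user /tmp/user/@{uid}/ (a custom $TMPDIR elsewhere is not covered)`; `# Common places for temporary files` alone leaves the reader guessing why that one extra path. Several profiles in this commit still carry a hard-coded `/tmp/` in link targets (`-> /tmp/#@{int}`, `-> /tmp/serverauth.*-c`) and directory rules (`/tmp/ r,`), so a second line — `# Use it for link targets and directory listings too, not only the file path` — would stop the half-converted pattern from spreading.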
diff --git a/docs/install.md b/docs/install.md index af58b491..828624d5 100644 --- a/docs/install.md +++ b/docs/install.md @@ -2,10 +2,14 @@ title: Installation --- -!!! danger +!!! warning In order to not break your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page. +!!! danger + + Do **not** install this project if your Desktop Environement and Display Manager is not supported. Your system will not boot, and that would be a feature. + ## Requirements **AppArmor** @@ -17,7 +21,8 @@ An `apparmor` based Linux distribution is required. The basic profiles and abstr The following desktop environments are supported: - [x] :material-gnome: Gnome - - [ ] :simple-kde: KDE *(work in progress)* + - [x] :simple-kde: KDE + - [ ] :simple-xfce: XFCE *(work in progress)* **Build dependency** @@ -65,6 +70,12 @@ sudo dpkg -i ../apparmor.d_*.deb sudo apt install -t bookworm-backports golang-go ``` +!!! warning + + **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are differents. + + If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based. + ## :simple-suse: OpenSUSE OpenSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS @@ -77,7 +88,7 @@ zypper install apparmor.d ## Partial install -For test purposes, you can install specific profiles with the following commands. Abstractions, tunables, and most of the OS dependent post-processing is managed. +For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh make diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index faa76a1f..9eb8a681 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go 
@@ -75,8 +75,13 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
 }
 scanner = bufio.NewScanner(file)
 } else {
- // journalctl -b -o json --output-fields=MESSAGE > systemd.log
- cmd := exec.Command("journalctl", "--boot", "--output=json", "--output-fields=MESSAGE")
+ // journalctl -b -o json -g apparmor -t kernel -t audit -t dbus-daemon --output-fields=MESSAGE > systemd.log
+ args := []string{
+ "--boot", "--grep=apparmor",
+ "--identifier=kernel", "--identifier=audit", "--identifier=dbus-daemon",
+ "--output=json", "--output-fields=MESSAGE",
+ }
+ cmd := exec.Command("journalctl", args...)
 cmd.Stdout = &stdout
 if err := cmd.Run(); err != nil {
 return nil, err
diff --git a/pkg/prebuild/cfg/os.go b/pkg/prebuild/cfg/os.go
index 17713c6a..b742a398 100644
--- a/pkg/prebuild/cfg/os.go
+++ b/pkg/prebuild/cfg/os.go
@@ -23,7 +23,7 @@ var (
 supportedDists = map[string][]string{
 "arch": {},
 "debian": {},
- "ubuntu": {},
+ "ubuntu": {"neon"},
 "opensuse": {"suse", "opensuse-tumbleweed"},
 "whonix": {},
 }
diff --git a/pkg/prebuild/cfg/os_test.go b/pkg/prebuild/cfg/os_test.go
index b0fbd050..44aef107 100644
--- a/pkg/prebuild/cfg/os_test.go
+++ b/pkg/prebuild/cfg/os_test.go
@@ -67,6 +67,20 @@ PLATFORM_ID="platform:f37"
 PRETTY_NAME="Fedora Linux 37 (Workstation Edition)"
 ANSI_COLOR="0;38;2;60;110;180"
 LOGO=fedora-logo-icon`
+
+ osReleaseNeon = `PRETTY_NAME="KDE neon 6.0"
+NAME="KDE neon"
+VERSION_ID="22.04"
+VERSION="6.0"
+VERSION_CODENAME=jammy
+ID=neon
+ID_LIKE="ubuntu debian"
+HOME_URL="https://neon.kde.org/"
+SUPPORT_URL="https://neon.kde.org/"
+BUG_REPORT_URL="https://bugs.kde.org/"
+PRIVACY_POLICY_URL="https://kde.org/privacypolicy/"
+UBUNTU_CODENAME=jammy
+LOGO=start-here-kde-neon`
 )
 func Test_getOSRelease(t *testing.T) {
@@ -156,6 +170,11 @@ func Test_getDistribution(t *testing.T) {
 osRelease: osReleaseFedora,
 want: "fedora",
 },
+ {
+ name: "Neon",
+ osRelease: osReleaseNeon,
+ want: "ubuntu",
+ },
 }
 osReleaseFile = "/tmp/os-release"
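Review bot: When `cmd.Run()` fails the caller only gets `exit status 1`, because stderr is never captured; with the new `--grep=apparmor` that matters more than before, since a journalctl built without PCRE2 rejects the option outright (and a user outside the `systemd-journal` group gets a permission error), and in both cases the user now sees no logs and no reason. Assuming `stdout` is the `bytes.Buffer` it looks like, `var stderr bytes.Buffer` and `cmd.Stderr = &stderr` before `cmd.Run()`, then wrapping the error with `stderr.String()`, makes the failure diagnosable (`fmt` may need importing). A comment next to `"--grep=apparmor"` is also worth adding: journalctl's `--grep` is case-insensitive only because the pattern is all lower-case, so a later `AppArmor` edit would silently drop matches. `GetJournalctlLogs` starts before the hunk.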
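Review bot: `"ubuntu": {"neon"}` makes KDE neon resolve, but every other Ubuntu derivative (Mint, Pop!_OS, Zorin, elementary) will need its own entry before the prebuild picks the right distribution, and nothing in the map says so. The neon fixture added to `os_test.go` in this same commit carries `ID_LIKE="ubuntu debian"`, which is the field os-release provides for exactly this; falling back to the first supported entry of `ID_LIKE` when `ID` is unknown would make the alias list a last resort rather than a maintenance list. Whichever is chosen, a comment on the map — `// derivative IDs that must map to a supported distribution; ID_LIKE is not consulted` — tells the next contributor where the next one goes.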
@@ -200,6 +219,11 @@ func Test_getFamily(t *testing.T) {
 dist: "opensuse",
 want: "zypper",
 },
+ {
+ name: "Neon",
+ dist: "neon",
+ want: "",
+ },
 }
 for _, tt := range tests {
diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go
index 0d638c0c..74498484 100644
--- a/pkg/prebuild/directive/core.go
+++ b/pkg/prebuild/directive/core.go
@@ -61,6 +61,13 @@ func NewOption(file *paths.Path, match []string) *Option {
 }
 }
+// Clean the selected directive from profile.
+// Useful to remove directive text applied on some condition only
+func (o *Option) Clean(profile string) string {
+ reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`)
+ return reg.ReplaceAllString(profile, "")
+}
+
 func RegisterDirective(d Directive) {
 Directives[d.Name()] = d
 }
diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go
index b4cc54af..305b3b0b 100644
--- a/pkg/prebuild/directive/filter.go
+++ b/pkg/prebuild/directive/filter.go
@@ -43,10 +43,10 @@ func filterRuleForUs(opt *Option) bool {
 func filter(only bool, opt *Option, profile string) string {
 if only && filterRuleForUs(opt) {
- return profile
+ return opt.Clean(profile)
 }
 if !only && !filterRuleForUs(opt) {
- return profile
+ return opt.Clean(profile)
 }
 inline := true
diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/prebuild/directive/filter_test.go
index 4dbeca91..6ef62c6a 100644
--- a/pkg/prebuild/directive/filter_test.go
+++ b/pkg/prebuild/directive/filter_test.go
@@ -31,7 +31,7 @@ func TestFilterOnly_Apply(t *testing.T) {
 Raw: " @{bin}/arch-audit rPx, #aa:only apt",
 },
 profile: " @{bin}/arch-audit rPx, #aa:only apt",
- want: " @{bin}/arch-audit rPx, #aa:only apt",
+ want: " @{bin}/arch-audit rPx,",
 },
 {
 name: "paragraph",
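Review bot: The new case pins `getFamily("neon")` to `""`, while the `Test_getDistribution` case added in the same commit maps the neon fixture to `"ubuntu"`; the two only agree if every caller canonicalises the distribution before asking for its family, and a caller handing over the raw os-release `ID` silently gets no package family. State that contract on the case — `// aliases are not resolved here: callers must pass the canonical distribution` — or make `getFamily` consult the alias table and expect `"apt"`. The test table starts before the hunk.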
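Review bot: `Clean` anchors on `$` without the `(?m)` flag, and in Go's regexp `$` then matches only at the very end of the input, so `\s*#aa:only … .*$` cannot match a directive on any line but the last — which is every directive in a multi-line profile; the tests pass because their `profile` strings are single lines, so unless callers hand `Clean` one line at a time the directive text is left in the built profile. `o.Name` is also spliced into the pattern unescaped, and the pattern is recompiled on every call. `reg := regexp.MustCompile(`(?m)\s*` + Keyword + regexp.QuoteMeta(o.Name) + ` .*$`)` fixes the first two; caching the compiled pattern per directive name (or building it once in `NewOption`) fixes the third. The doc comment should also say what survives: the rule text before the directive, with the directive and the whitespace in front of it removed.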
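Review bot: The two guards in `filter` test the same predicate from both sides — `only && filterRuleForUs(opt)` and `!only && !filterRuleForUs(opt)` — and now return the same thing, so they collapse into `if only == filterRuleForUs(opt) { return opt.Clean(profile) }` with a comment such as `// the rule is for this target: keep it, strip the directive text`. That also makes the contrast with the removal path below the hunk explicit. `filter` continues past the hunk.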
@@ -121,7 +121,7 @@ func TestFilterExclude_Apply(t *testing.T) {
 Raw: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude debian",
 },
 profile: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude debian",
- want: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude debian",
+ want: " @{bin}/dpkg rPx -> child-dpkg,",
 },
 }
 for _, tt := range tests {
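Review bot: Both changed expectations exercise `Clean` on a one-line `profile`, where a `$`-anchored pattern matches trivially; there is no case with a line after the directive, which is the shape of every real profile and the one a pattern compiled without `(?m)` fails on. One added case — `profile: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude debian\n @{bin}/other rPx,"` with `want: " @{bin}/dpkg rPx -> child-dpkg,\n @{bin}/other rPx,"` — would pin the behaviour that matters in production. The test table starts before the hunk.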