From 2aa8986a21cdc774785b8e15eeafa73e2b65dc21 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 28 Apr 2024 13:57:27 +0100 Subject: [PATCH 01/37] feat(profile): update gvfsd-recent. --- apparmor.d/groups/gvfs/gvfsd-recent | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 276dd802..20a89c9f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,6 +11,10 @@ include profile gvfsd-recent @{exec_path} { include include + include + include + include + include include include From c7fb47e97a9a0d2d956103093a7ace790226bc37 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 28 Apr 2024 14:22:00 +0100 Subject: [PATCH 02/37] build: remove directive text not applied on build. --- pkg/prebuild/directive/core.go | 7 +++++++ pkg/prebuild/directive/filter.go | 4 ++-- pkg/prebuild/directive/filter_test.go | 4 ++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index 0d638c0c..74498484 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -61,6 +61,13 @@ func NewOption(file *paths.Path, match []string) *Option { } } +// Clean the selected directive from profile. +// Useful to remove directive text applied on some condition only +func (o *Option) Clean(profile string) string { + reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`) + return reg.ReplaceAllString(profile, "") +} + func RegisterDirective(d Directive) { Directives[d.Name()] = d } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index b4cc54af..305b3b0b 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go 
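Review bot: In the new `Clean` method the pattern `\s*` + Keyword + o.Name + ` .*$` is compiled without `(?m)`, and in Go's RE2 syntax an unflagged `$` matches only at end of text while `.` stops at a newline, so the directive text is stripped only when it sits on the very last line of `profile` with no trailing newline; if `profile` is a whole multi-line file, as the rest of the directive pipeline suggests, directives in the middle of the file are left in place. `o.Name` is also interpolated into the pattern unescaped, and the regexp is recompiled on every call. Suggested: `reg := regexp.MustCompile(`(?m)[ \t]*` + Keyword + regexp.QuoteMeta(o.Name) + ` .*$`)` — `[ \t]*` rather than `\s*` so the match cannot swallow the preceding line break — or compile once per directive and keep it on the `Option`.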
@@ -43,10 +43,10 @@ func filterRuleForUs(opt *Option) bool { func filter(only bool, opt *Option, profile string) string { if only && filterRuleForUs(opt) { - return profile + return opt.Clean(profile) } if !only && !filterRuleForUs(opt) { - return profile + return opt.Clean(profile) } inline := true diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/prebuild/directive/filter_test.go index 4dbeca91..6ef62c6a 100644 --- a/pkg/prebuild/directive/filter_test.go +++ b/pkg/prebuild/directive/filter_test.go @@ -31,7 +31,7 @@ func TestFilterOnly_Apply(t *testing.T) { Raw: " @{bin}/arch-audit rPx, #aa:only apt", }, profile: " @{bin}/arch-audit rPx, #aa:only apt", - want: " @{bin}/arch-audit rPx, #aa:only apt", + want: " @{bin}/arch-audit rPx,", }, { name: "paragraph", @@ -121,7 +121,7 @@ func TestFilterExclude_Apply(t *testing.T) { Raw: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude debian", }, profile: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude debian", - want: " @{bin}/dpkg rPx -> child-dpkg, #aa:exclude debian", + want: " @{bin}/dpkg rPx -> child-dpkg,", }, } for _, tt := range tests { From aa94ce1740d5122d11dfb3bc10a4be892da99245 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 28 Apr 2024 17:17:29 +0100 Subject: [PATCH 03/37] build: ensure KDE Neon is in the supported dist list. See #312 --- pkg/prebuild/cfg/os.go | 2 +- pkg/prebuild/cfg/os_test.go | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/cfg/os.go b/pkg/prebuild/cfg/os.go index 17713c6a..b742a398 100644 --- a/pkg/prebuild/cfg/os.go +++ b/pkg/prebuild/cfg/os.go @@ -23,7 +23,7 @@ var ( supportedDists = map[string][]string{ "arch": {}, "debian": {}, - "ubuntu": {}, + "ubuntu": {"neon"}, "opensuse": {"suse", "opensuse-tumbleweed"}, "whonix": {}, } diff --git a/pkg/prebuild/cfg/os_test.go b/pkg/prebuild/cfg/os_test.go index b0fbd050..9ab45925 100644 --- a/pkg/prebuild/cfg/os_test.go +++ b/pkg/prebuild/cfg/os_test.go 
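Review bot: Both updated expectations in `TestFilterOnly_Apply` and `TestFilterExclude_Apply` feed `filter` a single-line profile with the directive at the very end of the string, which appears to be the only shape the `$`-anchored pattern in `Option.Clean` can match, so the multi-line input the build actually runs on is not exercised. A case such as ``profile: " a,\n b, #aa:only apt\n c,"`` expecting `" a,\n b,\n c,"` (and the mirror case for `#aa:exclude`) would pin the intended behaviour. The `paragraph` cases that follow these entries are outside the diff, so I cannot tell whether they already cover a directive followed by further lines.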
@@ -67,6 +67,20 @@ PLATFORM_ID="platform:f37" PRETTY_NAME="Fedora Linux 37 (Workstation Edition)" ANSI_COLOR="0;38;2;60;110;180" LOGO=fedora-logo-icon` + + osReleaseNeon = `PRETTY_NAME="KDE neon 6.0" +NAME="KDE neon" +VERSION_ID="22.04" +VERSION="6.0" +VERSION_CODENAME=jammy +ID=neon +ID_LIKE="ubuntu debian" +HOME_URL="https://neon.kde.org/" +SUPPORT_URL="https://neon.kde.org/" +BUG_REPORT_URL="https://bugs.kde.org/" +PRIVACY_POLICY_URL="https://kde.org/privacypolicy/" +UBUNTU_CODENAME=jammy +LOGO=start-here-kde-neon` ) func Test_getOSRelease(t *testing.T) { @@ -156,6 +170,11 @@ func Test_getDistribution(t *testing.T) { osRelease: osReleaseFedora, want: "fedora", }, + { + name: "Neon", + osRelease: osReleaseNeon, + want: "neon", + }, } osReleaseFile = "/tmp/os-release" @@ -200,6 +219,11 @@ func Test_getFamily(t *testing.T) { dist: "opensuse", want: "zypper", }, + { + name: "Neon", + dist: "neon", + want: "", + }, } for _, tt := range tests { From 608b599caf6ae96121fcc6c22c6200ef92495cdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 28 Apr 2024 17:34:38 +0100 Subject: [PATCH 04/37] doc: add a note on debian based install. --- docs/install.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/install.md b/docs/install.md index af58b491..09879ddd 100644 --- a/docs/install.md +++ b/docs/install.md @@ -65,6 +65,12 @@ sudo dpkg -i ../apparmor.d_*.deb sudo apt install -t bookworm-backports golang-go ``` +!!! warning + + **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are differents. + + If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based. + ## :simple-suse: OpenSUSE OpenSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS 
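Review bot: The new `Neon` case in `Test_getDistribution` runs through the existing fixture setup `osReleaseFile = "/tmp/os-release"`, a fixed, predictable path in world-writable `/tmp`; another local user can pre-create or symlink that name and make the test read or clobber unintended content. `osReleaseFile = filepath.Join(t.TempDir(), "os-release")` gives each run a private directory that is removed automatically. The new `Neon` case in `Test_getFamily` asserts `want: ""` for a `dist` value that `getDistribution` should no longer produce once `neon` is an `ubuntu` alias, so a short comment on what that case is meant to guard would help. `Test_getDistribution` starts outside the hunk.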
@@ -77,7 +83,7 @@ zypper install apparmor.d ## Partial install -For test purposes, you can install specific profiles with the following commands. Abstractions, tunables, and most of the OS dependent post-processing is managed. +For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh make From d2523a434ab12c3ac6958d000fe8eda92eb49427 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 28 Apr 2024 17:47:07 +0100 Subject: [PATCH 05/37] doc: update supported DE. --- README.md | 3 ++- docs/install.md | 9 +++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3a62d5f0..33fa7a33 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,8 @@ * OpenSUSE Tumbleweed - Support major desktop environments: * Gnome - * KDE *(work in progress)* + * KDE + * XFCE *(work in progress)* - Fully tested (Work in progress) diff --git a/docs/install.md b/docs/install.md index 09879ddd..828624d5 100644 --- a/docs/install.md +++ b/docs/install.md @@ -2,10 +2,14 @@ title: Installation --- -!!! danger +!!! warning In order to not break your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page. +!!! danger + + Do **not** install this project if your Desktop Environement and Display Manager is not supported. Your system will not boot, and that would be a feature. + ## Requirements **AppArmor** @@ -17,7 +21,8 @@ An `apparmor` based Linux distribution is required. The basic profiles and abstr The following desktop environments are supported: - [x] :material-gnome: Gnome - - [ ] :simple-kde: KDE *(work in progress)* + - [x] :simple-kde: KDE + - [ ] :simple-xfce: XFCE *(work in progress)* **Build dependency** From af4ee0df00a48b08dd457dd14271c3dc5f057b24 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 28 Apr 2024 17:50:07 +0100 Subject: [PATCH 06/37] fix(ci): build tests. --- pkg/prebuild/cfg/os_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/cfg/os_test.go b/pkg/prebuild/cfg/os_test.go index 9ab45925..44aef107 100644 --- a/pkg/prebuild/cfg/os_test.go +++ b/pkg/prebuild/cfg/os_test.go @@ -173,7 +173,7 @@ func Test_getDistribution(t *testing.T) { { name: "Neon", osRelease: osReleaseNeon, - want: "neon", + want: "ubuntu", }, } From 065f2233acc6b320e47b8fa4d56168bccce87157 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 29 Apr 2024 11:58:55 +0100 Subject: [PATCH 07/37] feat(abs): ensure pam-tmpdir-helper is allowed in the auth abs for all distribution. --- apparmor.d/abstractions/authentication.d/complete | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 6ecb0e31..de6c758b 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -1,8 +1,10 @@ + @{bin}/pam-tmpdir-helper rPx, + + #aa:exclude ubuntu @{bin}/unix_chkpwd rPx, #aa:only whonix - @{bin}/pam-tmpdir-helper rPx, @{lib}/security-misc/pam_faillock_not_if_x rPx, @{lib}/security-misc/pam-abort-on-locked-password rPx, @{lib}/security-misc/pam-info rPx, From d0ea5f50a3be877588a75b3b6c46270f58e23997 Mon Sep 17 00:00:00 2001 
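Review bot: `#aa:exclude ubuntu` now drops `@{bin}/unix_chkpwd rPx,` from the abstraction on Ubuntu with no replacement visible in the hunk, so PAM password checks from profiles using this abstraction would be denied there unless the exec rule comes from somewhere else — presumably Ubuntu's apparmor 4 `abstractions/authentication` already provides one and a second rule with a different transition target would conflict, but that is a guess. A one-line comment stating the reason, e.g. `# Ubuntu: unix_chkpwd exec rule is already provided by the upstream authentication abstraction`, would save the next reader the same investigation. Making `@{bin}/pam-tmpdir-helper rPx,` unconditional also assumes the `pam-tmpdir-helper` profile is built on every distribution; if it is not, a `Px` to a missing profile denies the exec wherever libpam-tmpdir is installed.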
From: Jose Maldonado aka Yukiteru Date: Sun, 28 Apr 2024 17:09:07 -0400 Subject: [PATCH 08/37] New profile for Microsoft Edge and better support in abstractions/app/chromium This commit add new profile for Microsoft Edge browser and variants (beta,dev). The new profile is based in actual chrome profile. Tested with actual Edge, in Debian Stable and enforced rules. All ok using GPU Rasterization and Vulkan, not HWAccel for encoding video because this is very unstable yet in all Chromium based browsers. Add support for libpam-tmpdir for abstractions/app/chromium and all browser using this absctractions (Chrome, Chromium, Edge, and others). This fix access and use of browser with libpam-tmpdir installed (Debian and Whonix) Fix a denied access to RADV user cache (Vulkan-amdgpu) in abstractions/app/chromium (Vulkan is optional in Chromium-based browser, but the backend is perfectly usable now). --- apparmor.d/abstractions/app/chromium | 4 ++ apparmor.d/abstractions/vulkan-strict | 4 +- apparmor.d/profiles-m-r/msedge | 37 +++++++++++++++++ .../profiles-m-r/msedge-crashpad-handlers | 36 +++++++++++++++++ apparmor.d/profiles-m-r/msedge-sandbox | 32 +++++++++++++++ apparmor.d/profiles-m-r/msedge-wrapper | 40 +++++++++++++++++++ 6 files changed, 152 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-m-r/msedge create mode 100644 apparmor.d/profiles-m-r/msedge-crashpad-handlers create mode 100644 apparmor.d/profiles-m-r/msedge-sandbox create mode 100644 apparmor.d/profiles-m-r/msedge-wrapper diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 4af0396c..24714665 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -158,6 +158,10 @@ owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/** rwk, + # libpam-tmpdir support + owner /tmp/user/@{uid}/ rw, + owner /tmp/user/@{uid}/** rwk, + /dev/shm/ r, owner /dev/shm/.@{domain}* rw, 
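Review bot: The new libpam-tmpdir rules grant `owner /tmp/user/@{uid}/** rwk` over the user's entire private tmp directory, whereas the existing `/tmp` rules just above scope the browser to its own `tmp.*` entries; with libpam-tmpdir every other application of the same user also keeps its temporary files under `/tmp/user/@{uid}/`, so the browser gains read/write access to all of them. Mirror each existing `/tmp/` rule under the new prefix instead, e.g. `owner /tmp/user/@{uid}/ r,` `owner /tmp/user/@{uid}/tmp.*/ rw,` `owner /tmp/user/@{uid}/tmp.*/** rwk,`. The full set of existing `/tmp` rules starts outside the hunk, so I cannot see how many patterns need the same treatment.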
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 78afea1e..70d5711d 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -15,6 +15,7 @@ /etc/vulkan/implicit_layer.d/{,*.json} r, owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r, + owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache @{sys}/class/ r, @{sys}/class/drm/ r, @@ -23,4 +24,5 @@ @{sys}/devices/@{pci}/drm/card@{int}/metrics/ r, @{sys}/devices/@{pci}/drm/card@{int}/metrics/@{uuid}/id r, - include if exists \ No newline at end of file + include if exists + diff --git a/apparmor.d/profiles-m-r/msedge b/apparmor.d/profiles-m-r/msedge new file mode 100644 index 00000000..a45f0b0a --- /dev/null +++ b/apparmor.d/profiles-m-r/msedge @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = msedge{,-beta,-dev} +@{domain} = com.microsoft.Edge +@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} +@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev} +@{cache_dirs} = @{user_cache_dirs}/microsoft-edge{,-beta,-dev} + +@{exec_path} = @{lib_dirs}/@{name} +profile msedge /opt/microsoft/msedge{,-beta,-dev}/msedge{,-beta,-dev} { + include + include + + @{exec_path} mrix, + @{lib_dirs}/microsoft-edge{,beta,-dev} rpx, + + @{bin}/man rpux, # For "chrome --help" + + @{lib_dirs}/xdg-mime rix, #-> xdg-mime, + @{lib_dirs}/xdg-settings rix, #-> xdg-settings, + + @{lib_dirs}/msedge_crashpad_handler rpx, + + @{lib_dirs}/*.so* mr, + @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, + + owner @{user_cache_dirs}/Microsoft/** rwk, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/msedge-crashpad-handlers b/apparmor.d/profiles-m-r/msedge-crashpad-handlers new file mode 100644 index 00000000..c9572f50 
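Review bot: In the new `msedge` profile the rule `@{lib_dirs}/microsoft-edge{,beta,-dev} rpx,` expands to `microsoft-edge`, `microsoft-edgebeta` and `microsoft-edge-dev`; the beta channel wrapper is `microsoft-edge-beta` (as the `msedge-wrapper` attachment `microsoft-edge{,-beta,-dev}` in the same commit spells it), so the browser re-launching its beta wrapper would be denied. Fix the alternation: `@{lib_dirs}/microsoft-edge{,-beta,-dev} rPx,`. The later rewrite of this line in PATCH 11 keeps the missing hyphen.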
--- /dev/null +++ b/apparmor.d/profiles-m-r/msedge-crashpad-handlers @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} +@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev} + +@{exec_path} = @{lib_dirs}/msedge_crashpad_handler +profile msedge-crashpad-handler /opt/microsoft/msedge{,-beta,-dev}/msedge_crashpad_handler { + include + + capability sys_ptrace, + + ptrace peer=msedge, + signal (send) peer=msedge, + + @{exec_path} mrix, + + owner "@{config_dirs}/Crash Reports/**" rwk, + + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pids}/mem r, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/task/ r, + + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/msedge-sandbox b/apparmor.d/profiles-m-r/msedge-sandbox new file mode 100644 index 00000000..e113c586 --- /dev/null +++ b/apparmor.d/profiles-m-r/msedge-sandbox @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} + +@{exec_path} = @{lib_dirs}/msedge-sandbox +profile msedge-sandbox /opt/microsoft/msedge{,-beta,-dev}/msedge-sandbox { + include + + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, + capability sys_resource, + + @{exec_path} mr, + + @{lib_dirs}/msedge{,-beta,-dev} rpx, + + @{PROC} r, + @{PROC}/@{pids}/ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + + include if exists +} 
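Review bot: `ptrace peer=msedge,` in the new `msedge-crashpad-handler` profile grants every ptrace access (read, readby, trace, tracedby) toward the browser, while a crash handler only needs to attach to and read the crashing process; `ptrace (read, trace) peer=msedge,` is the least-privilege form, and the `msedge` side then needs a matching `ptrace (readby, tracedby) peer=msedge-crashpad-handler,` which I do not see in the `msedge` hunk — it may come from an included abstraction. The file is named `msedge-crashpad-handlers` while the profile inside is `msedge-crashpad-handler`; the other new files in this commit use the profile name as the file name, so renaming the file keeps that convention.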
diff --git a/apparmor.d/profiles-m-r/msedge-wrapper b/apparmor.d/profiles-m-r/msedge-wrapper new file mode 100644 index 00000000..3b90f399 --- /dev/null +++ b/apparmor.d/profiles-m-r/msedge-wrapper @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} + +@{exec_path} = @{lib_dirs}/microsoft-edge{,-beta,-dev} +profile msedge-wrapper /opt/microsoft/msedge{,-beta,-dev}/microsoft-edge{,-beta,-dev} flags=(attach_disconnected) { + include + include + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/dirname rix, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/touch rix, + @{bin}/which{,.debianutils} rix, + + @{lib_dirs}/msedge rpx, + + owner @{user_config_dirs}/msedge-flags.conf r, + + owner @{PROC}/@{pid}/fd/* rw, + + # File Inherit + owner @{HOME}/.xsession-errors w, + + # Silencer + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} From 0a941e7d8783527b5e1f55b8047fca93a572cb97 Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Sun, 28 Apr 2024 19:18:33 -0400 Subject: [PATCH 09/37] Fix for access video devices and opensc in Chromium profile This commit fix two issues for abstractions/app/chromium 1.- Access to /dev/video (not merged in last commit) 2.- Access to /etc/opensc/opensc.conf in Debian (and derivates) --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/video.d/complete | 3 +++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 24714665..fc5ef673 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -109,6 +109,7 @@ /etc/@{name}/{,**} r, /etc/fstab r, /etc/opensc.conf r, + /etc/opensc/opensc.conf r, # Debian ubication /var/lib/dbus/machine-id r, /etc/machine-id r, 
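Review bot: The new wrapper profile transitions only via `@{lib_dirs}/msedge rpx,`, whereas the `msedge` profile introduced in the same commit attaches to `@{lib_dirs}/msedge{,-beta,-dev}`, so the two disagree on what the channel binary is called. If the beta/dev packages ship a binary named `msedge-beta`/`msedge-dev`, this wrapper's exec of it is denied and the line should read `@{lib_dirs}/msedge{,-beta,-dev} rPx,`; if they ship `msedge`, the alternation in the `msedge` profile's `@{name}` is over-broad and should be dropped there instead. Either way the two profiles should agree on one spelling.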
diff --git a/apparmor.d/abstractions/video.d/complete b/apparmor.d/abstractions/video.d/complete index 0f43431a..4b8a0d2e 100644 --- a/apparmor.d/abstractions/video.d/complete +++ b/apparmor.d/abstractions/video.d/complete @@ -3,3 +3,6 @@ # SPDX-License-Identifier: GPL-2.0-only @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, + + # Access to video /dev devices + /dev/video@{int} rw, From fd590e9199cce0c27e70dbed5b7d4cde76e0d220 Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Mon, 29 Apr 2024 15:12:43 -0400 Subject: [PATCH 10/37] Fix exec_path in profiles for Edge and copyright headers --- apparmor.d/profiles-m-r/msedge | 4 ++-- apparmor.d/profiles-m-r/msedge-crashpad-handlers | 4 ++-- apparmor.d/profiles-m-r/msedge-sandbox | 4 ++-- apparmor.d/profiles-m-r/msedge-wrapper | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/apparmor.d/profiles-m-r/msedge b/apparmor.d/profiles-m-r/msedge index a45f0b0a..6c92c17c 100644 --- a/apparmor.d/profiles-m-r/msedge +++ b/apparmor.d/profiles-m-r/msedge @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol +# Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/microsoft-edge{,-beta,-dev} @{exec_path} = @{lib_dirs}/@{name} -profile msedge /opt/microsoft/msedge{,-beta,-dev}/msedge{,-beta,-dev} { +profile msedge @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/msedge-crashpad-handlers b/apparmor.d/profiles-m-r/msedge-crashpad-handlers index c9572f50..6f453c65 100644 --- a/apparmor.d/profiles-m-r/msedge-crashpad-handlers +++ b/apparmor.d/profiles-m-r/msedge-crashpad-handlers 
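Review bot: `profile msedge @{exec_path} {` now attaches through `@{exec_path} = @{lib_dirs}/@{name}`, and because AppArmor expands each variable independently that is `/opt/microsoft/msedge{,-beta,-dev}/msedge{,-beta,-dev}` — nine paths, six of which (`/opt/microsoft/msedge/msedge-beta`, `/opt/microsoft/msedge-dev/msedge`, …) are cross-channel combinations with no installed file behind them. If each channel directory ships a binary called `msedge` (as the `msedge-wrapper` profile's `@{lib_dirs}/msedge rPx` assumes) then `@{exec_path} = @{lib_dirs}/msedge` is exact; otherwise list the three real paths explicitly rather than relying on the product of two alternations.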
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol +# Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,7 +11,7 @@ include @{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev} @{exec_path} = @{lib_dirs}/msedge_crashpad_handler -profile msedge-crashpad-handler /opt/microsoft/msedge{,-beta,-dev}/msedge_crashpad_handler { +profile msedge-crashpad-handler @{exec_path} { include capability sys_ptrace, diff --git a/apparmor.d/profiles-m-r/msedge-sandbox b/apparmor.d/profiles-m-r/msedge-sandbox index e113c586..f8192145 100644 --- a/apparmor.d/profiles-m-r/msedge-sandbox +++ b/apparmor.d/profiles-m-r/msedge-sandbox @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol +# Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,7 +10,7 @@ include @{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} @{exec_path} = @{lib_dirs}/msedge-sandbox -profile msedge-sandbox /opt/microsoft/msedge{,-beta,-dev}/msedge-sandbox { +profile msedge-sandbox @{exec_path} { include capability setgid, diff --git a/apparmor.d/profiles-m-r/msedge-wrapper b/apparmor.d/profiles-m-r/msedge-wrapper index 3b90f399..b35fbdd3 100644 --- a/apparmor.d/profiles-m-r/msedge-wrapper +++ b/apparmor.d/profiles-m-r/msedge-wrapper @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol +# Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -10,7 +10,7 @@ include @{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} @{exec_path} = @{lib_dirs}/microsoft-edge{,-beta,-dev} -profile msedge-wrapper /opt/microsoft/msedge{,-beta,-dev}/microsoft-edge{,-beta,-dev} flags=(attach_disconnected) { +profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { include include From a1d6d318ccaaa7790f685d3988a74ee5df752383 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 12:11:43 +0100 Subject: [PATCH 11/37] feat(profile): tweak the new msedge profiles a bit. --- apparmor.d/{profiles-m-r => groups/browsers}/msedge | 12 ++++++++---- .../browsers}/msedge-crashpad-handlers | 0 .../{profiles-m-r => groups/browsers}/msedge-sandbox | 2 +- .../{profiles-m-r => groups/browsers}/msedge-wrapper | 2 +- 4 files changed, 10 insertions(+), 6 deletions(-) rename apparmor.d/{profiles-m-r => groups/browsers}/msedge (76%) rename apparmor.d/{profiles-m-r => groups/browsers}/msedge-crashpad-handlers (100%) rename apparmor.d/{profiles-m-r => groups/browsers}/msedge-sandbox (94%) rename apparmor.d/{profiles-m-r => groups/browsers}/msedge-wrapper (97%) diff --git a/apparmor.d/profiles-m-r/msedge b/apparmor.d/groups/browsers/msedge similarity index 76% rename from apparmor.d/profiles-m-r/msedge rename to apparmor.d/groups/browsers/msedge index 6c92c17c..bab7a965 100644 --- a/apparmor.d/profiles-m-r/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -9,7 +9,7 @@ include @{name} = msedge{,-beta,-dev} @{domain} = com.microsoft.Edge -@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev} +@{lib_dirs} = /opt/microsoft/@{name} @{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev} @{cache_dirs} = @{user_cache_dirs}/microsoft-edge{,-beta,-dev} 
@@ -19,19 +19,23 @@ profile msedge @{exec_path} { include @{exec_path} mrix, - @{lib_dirs}/microsoft-edge{,beta,-dev} rpx, - @{bin}/man rpux, # For "chrome --help" + @{bin}/man rPUx, # For "chrome --help" @{lib_dirs}/xdg-mime rix, #-> xdg-mime, @{lib_dirs}/xdg-settings rix, #-> xdg-settings, - @{lib_dirs}/msedge_crashpad_handler rpx, + @{lib_dirs}/microsoft-edge{,beta,-dev} rPx, + @{lib_dirs}/msedge_crashpad_handler rPx, @{lib_dirs}/*.so* mr, @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, + owner @{user_cache_dirs}/Microsoft/ rw, owner @{user_cache_dirs}/Microsoft/** rwk, + owner /tmp/.ses rw, + owner /tmp/cv_debug.log rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/msedge-crashpad-handlers b/apparmor.d/groups/browsers/msedge-crashpad-handlers similarity index 100% rename from apparmor.d/profiles-m-r/msedge-crashpad-handlers rename to apparmor.d/groups/browsers/msedge-crashpad-handlers diff --git a/apparmor.d/profiles-m-r/msedge-sandbox b/apparmor.d/groups/browsers/msedge-sandbox similarity index 94% rename from apparmor.d/profiles-m-r/msedge-sandbox rename to apparmor.d/groups/browsers/msedge-sandbox index f8192145..f708d2d4 100644 --- a/apparmor.d/profiles-m-r/msedge-sandbox +++ b/apparmor.d/groups/browsers/msedge-sandbox @@ -21,7 +21,7 @@ profile msedge-sandbox @{exec_path} { @{exec_path} mr, - @{lib_dirs}/msedge{,-beta,-dev} rpx, + @{lib_dirs}/msedge{,-beta,-dev} rPx, @{PROC} r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-m-r/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper similarity index 97% rename from apparmor.d/profiles-m-r/msedge-wrapper rename to apparmor.d/groups/browsers/msedge-wrapper index b35fbdd3..e141cff7 100644 --- a/apparmor.d/profiles-m-r/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper 
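Review bot: The two new rules `owner /tmp/.ses rw,` and `owner /tmp/cv_debug.log rw,` cover fixed file names directly under `/tmp`, but this series also added libpam-tmpdir support to the chromium abstraction, where the user's temporary files live under `/tmp/user/@{uid}/`; if Edge honours `TMPDIR` for these files the rules will miss on such systems and need `owner /tmp/user/@{uid}/.ses rw,` and `owner /tmp/user/@{uid}/cv_debug.log rw,` counterparts — confirm against a libpam-tmpdir system. A comment naming what `.ses` and `cv_debug.log` are would also make the grant reviewable. The rewritten `@{lib_dirs}/microsoft-edge{,beta,-dev} rPx,` still lacks the hyphen before `beta`, so `microsoft-edge-beta` does not match it.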
@@ -24,7 +24,7 @@ profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{bin}/which{,.debianutils} rix, - @{lib_dirs}/msedge rpx, + @{lib_dirs}/msedge rPx, owner @{user_config_dirs}/msedge-flags.conf r, From 01dd9ebb0c9addb786faa6033ae3828c0d530eb6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 12:25:01 +0100 Subject: [PATCH 12/37] feat(profile): general update. --- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/freedesktop/dconf-service | 2 +- .../freedesktop/polkit-gnome-authentication-agent | 1 - apparmor.d/groups/gnome/epiphany-search-provider | 8 ++++---- apparmor.d/groups/gnome/gdm-session-worker | 3 +++ apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/yelp | 2 ++ apparmor.d/groups/pacman/pacman | 14 ++++++++++++++ apparmor.d/profiles-a-f/flatpak-portal | 2 ++ apparmor.d/profiles-s-z/virt-manager | 5 +++-- 10 files changed, 31 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 8a56a9b8..f3a857a4 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -17,7 +17,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm, + signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, dbus bus=accessibility, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index 70184421..7ef2e530 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service 
@@ -14,7 +14,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { include signal (receive) set=(term kill hup) peer=dbus-session, - signal (receive) set=(term hup) peer=gdm, + signal (receive) set=(term hup) peer=gdm{,-session-worker}, #aa:dbus own bus=session name=ca.desrt.dconf diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index 5f48d5c2..f1d235c9 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -12,7 +12,6 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index e58d5877..a67dc3c5 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -34,10 +34,10 @@ profile epiphany-search-provider @{exec_path} { owner /tmp/ContentRuleList@{rand6} rw, owner /tmp/Serialized* rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/driver/nvidia/params r, @{PROC}/modules r, 
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 27936849..f7219c98 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -33,11 +33,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (receive) set=term peer=gdm, signal (send) set=(hup term) peer=gdm-session, signal (send) set=hup peer=at-spi*, + signal (send) set=hup peer=dbus-accessibility, signal (send) set=hup peer=dbus-session, + signal (send) set=hup peer=dconf-service, signal (send) set=hup peer=gjs-console, signal (send) set=hup peer=gnome-*, signal (send) set=hup peer=gsd-*, signal (send) set=hup peer=ibus-*, + signal (send) set=hup peer=mutter-x11-frames, signal (send) set=hup peer=tracker-miner, signal (send) set=hup peer=xdg-*, signal (send) set=hup peer=xorg, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index a23f6152..4df820c8 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -23,7 +23,7 @@ profile gnome-calendar @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gnome.Calendar interface={org.freedesktop.Application,org.gtk.Actions} + #aa:dbus own bus=session name=org.gnome.Calendar #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 28931a3c..f54d7654 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp 
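Review bot: Dropping `interface={org.freedesktop.Application,org.gtk.Actions}` from the `#aa:dbus own bus=session name=org.gnome.Calendar` directive widens whatever rules it generates from two named interfaces to every interface under that well-known name. If gnome-calendar really exports more than those two, a comment listing the extra interfaces next to the directive would document the reason; if the widening is only for convenience, keeping the restriction is the tighter policy. The directive's expansion is not visible in the hunk, so the exact effect is inferred.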
@@ -27,6 +27,8 @@ profile yelp @{exec_path} { @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r, + @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ac6bafdd..04e2dacc 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -100,6 +100,7 @@ profile pacman @{exec_path} { @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/vlc/vlc-cache-gen rPx, + /opt/Mullvad*/resources/mullvad-setup rPx, /usr/share/code-features/patch.py rPx, /usr/share/code-marketplace/patch.py rPx, /usr/share/libalpm/scripts/* rPUx, @@ -189,6 +190,19 @@ profile pacman @{exec_path} { include capability net_admin, + capability dac_read_search, + capability sys_resource, + + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/diff rPx -> child-pager, + + /etc/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/*.journal* r, include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal index 38941785..d82c3865 100644 --- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -29,6 +29,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, + /var/lib/flatpak/exports/share/mime/mime.cache r, + / r, /.flatpak-info r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index d4f8d403..68f52dd3 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager 
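Review bot: The new yelp rule `owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r,` hard-codes UID 1000 while the rule directly above it uses `@{uid}`; on any system where the desktop user is not UID 1000 the rule never matches, and on a multi-user system it names one specific other user's slice. Replace the literals with the variable: `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,`. Since the existing line already covers `app-gnome-yelp-*.scope/memory.*`, a short comment on which slice layout the new wildcard path is for would also help.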
@@ -85,10 +85,11 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/virtual/drm/ttm/uevent r, + @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pid}/stat r, /dev/media@{int} r, /dev/video@{int} rw, From 19c192685dab3e20d60e9cfe0306a95b156b5f2a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 12:25:42 +0100 Subject: [PATCH 13/37] feat(profile): add uuidgen. --- apparmor.d/profiles-s-z/uuidgen | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 apparmor.d/profiles-s-z/uuidgen diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/profiles-s-z/uuidgen new file mode 100644 index 00000000..4a433508 --- /dev/null +++ b/apparmor.d/profiles-s-z/uuidgen @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/uuidgen +profile uuidgen @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file From 0787ef9906b1974a9019aabcddf6c7331098325d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 12:26:09 +0100 Subject: [PATCH 14/37] feat(profile): add sync. --- apparmor.d/profiles-s-z/sync | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 apparmor.d/profiles-s-z/sync diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync new file mode 100644 index 00000000..3211a2b5 --- /dev/null +++ b/apparmor.d/profiles-s-z/sync 
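Review bot: The new `uuidgen` profile file ends without a trailing newline (`\ No newline at end of file`), as do the `sync`, `gnome-weather` and `gnome-maps` files added in the following commits of this series, while the existing profiles end with one; a missing final newline produces noisy diffs on the next edit and can confuse line-oriented tooling. Add the final newline after the closing `}` in each new file.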
@@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/sync +profile sync @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file From 8c84d74fe6fed738332171ea8402eaf74e9a3254 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 12:29:48 +0100 Subject: [PATCH 15/37] feat(profile): add gnome-weather. --- apparmor.d/groups/gnome/gnome-weather | 37 +++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-weather diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather new file mode 100644 index 00000000..1b59bcf3 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-weather @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-weather /usr/share/org.gnome.Weather/org.gnome.Weather +profile gnome-weather @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + /usr/share/org.gnome.Weather/{,**} r, + + owner @{user_cache_dirs}/libgweather/{,**} rw, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} \ No newline at end of file From e1e96d90dcb50db2bf0fb2c395784f12ca4359fe Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 1 May 2024 12:30:14 +0100 Subject: [PATCH 16/37] feat(profile): add gnome-maps. --- apparmor.d/groups/gnome/gnome-maps | 50 ++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-maps diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps new file mode 100644 index 00000000..b04c0681 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-maps @@ -0,0 +1,50 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-maps /usr/share/gnome-maps/org.gnome.Maps +profile gnome-maps @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + audit @{bin}/gjs-console rix, + + owner @{user_pictures_dirs}/** rw, + + owner @{user_cache_dirs}/shumate/{,**} rw, + + owner @{user_cache_dirs}/shumate/ rw, + owner @{user_cache_dirs}/shumate/** rwlk, + + owner @{user_config_dirs}/shumate/ rw, + owner @{user_config_dirs}/shumate/** rwlk, + + owner @{user_share_dirs}/shumate/ rw, + owner @{user_share_dirs}/shumate/** rwlk, + + @{run}/mount/utab r, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} \ No newline at end of file From 12c4ab122b351bf5613d82107155619f5c10c946 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 12:32:31 +0100 Subject: [PATCH 17/37] feat(profile): add gnome-firmware. --- apparmor.d/groups/gnome/gnome-firmware | 29 ++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-firmware 
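Review bot: `audit @{bin}/gjs-console rix,` in the new gnome-maps profile carries an `audit` qualifier that none of the sibling profiles in this series (gnome-weather, gnome-firmware) use, so every launch of the app will be logged as an audit event; if that is a debugging leftover it should be `@{bin}/gjs-console rix,`, otherwise a comment stating why the exec is audited would help. The line `owner @{user_cache_dirs}/shumate/{,**} rw,` is fully covered by the two rules that follow it (`owner @{user_cache_dirs}/shumate/ rw,` and `owner @{user_cache_dirs}/shumate/** rwlk,`) and can be dropped. `owner @{user_pictures_dirs}/** rw,` grants write access to the whole pictures tree; if Maps only reads or exports images there, a narrower mode or path would be worth confirming.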
diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware new file mode 100644 index 00000000..e0faf16a --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-firmware +profile gnome-firmware @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + + @{exec_path} mr, + + include if exists +} \ No newline at end of file From 4d9ea026c7249c0a85786c0a6cbe5c195e2a8d36 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 13:49:51 +0100 Subject: [PATCH 18/37] feat(abs): add the fish shell abstraction. --- apparmor.d/abstractions/fish | 14 ++++++++++++++ apparmor.d/abstractions/shells | 1 + 2 files changed, 15 insertions(+) create mode 100644 apparmor.d/abstractions/fish diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish new file mode 100644 index 00000000..c5ed229c --- /dev/null +++ b/apparmor.d/abstractions/fish @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This abstraction is only required when an interactive shell is started. +# Classic shell scripts do not need it. + + /usr/share/fish/{,**} r, + + /etc/fish/{,**} r, + + owner @{user_config_dirs}/fish/{,**} r, + + include if exists diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index 23c447dc..5583f599 100644 --- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells 
@@ -6,6 +6,7 @@ # Classic shell scripts do not need it. include + include include include if exists From db87c56f37e8cc97a41186da48e663d078a62ac3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 14:22:42 +0100 Subject: [PATCH 19/37] feat(profile): general update. --- apparmor.d/groups/freedesktop/plymouthd | 4 ++-- apparmor.d/groups/freedesktop/xprop | 2 +- apparmor.d/groups/freedesktop/xsetroot | 2 ++ apparmor.d/groups/kde/baloorunner | 2 ++ apparmor.d/groups/kde/dolphin | 13 ++++++++++--- apparmor.d/groups/kde/konsole | 7 ++++--- apparmor.d/groups/kde/kwin_wayland | 5 ++++- apparmor.d/groups/kde/plasmashell | 3 ++- apparmor.d/groups/kde/sddm | 3 +++ apparmor.d/groups/kde/sddm-greeter | 1 + apparmor.d/groups/pacman/mkinitcpio | 3 ++- .../groups/systemd/systemd-generator-gpt-auto | 1 + apparmor.d/groups/systemd/systemd-hostnamed | 1 + apparmor.d/groups/systemd/systemd-shutdown | 3 +++ apparmor.d/profiles-a-f/cups-backend-usb | 2 ++ apparmor.d/profiles-m-r/plocate | 1 + apparmor.d/profiles-s-z/smbspool | 18 ++++++++++++++++++ apparmor.d/profiles-s-z/sudo | 1 + apparmor.d/profiles-s-z/udisksd | 3 +++ apparmor.d/profiles-s-z/whatis | 4 ++++ apparmor.d/profiles-s-z/zpool | 7 +++++-- 21 files changed, 72 insertions(+), 14 deletions(-) create mode 100644 apparmor.d/profiles-s-z/smbspool diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 3fbb2389..0b3fac14 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -10,7 +10,8 @@ include profile plymouthd @{exec_path} { include include - include + include + include capability checkpoint_restore, capability dac_override, @@ -52,7 +53,6 @@ profile plymouthd @{exec_path} { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/graphics/ r, - @{sys}/devices/@{pci}/{,uevent,vendor,device} r, @{sys}/devices/virtual/graphics/fbcon/uevent r, @{sys}/devices/virtual/tty/console/active r, @{sys}/firmware/acpi/bgrt/{,*} r, 
diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index c9698ba1..dd837aa5 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xprop -profile xprop @{exec_path} { +profile xprop @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 34490cc9..31851f76 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -14,6 +14,8 @@ profile xsetroot @{exec_path} { capability dac_read_search, + signal (receive) set=(kill) peer=sddm, + @{exec_path} mr, /usr/share/icons/{,**} r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 54282725..ad3ef62e 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -30,5 +30,7 @@ profile baloorunner @{exec_path} { @{PROC}/sys/kernel/core_pattern r, + /dev/tty r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 5e5381da..7883ee7c 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -15,6 +15,7 @@ profile dolphin @{exec_path} { include include include + include include include include @@ -45,9 +46,15 @@ profile dolphin @{exec_path} { # Full access to user's data / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, - - /var/lib/flatpak/exports/share/mime/ r, + owner @{run}/user/@{uid}/{,**} rw, + owner /tmp/{,**} rw, # Silence non user's data deny /boot/{,**} r, 
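Review bot: The new xsetroot rule `signal (receive) set=(kill) peer=sddm,` only accepts SIGKILL, but the sddm side of the same commit (hunk `@@ -42,6 +42,7 @@ profile sddm`, later in this patch) sends `set=(kill, term)` to `peer=xsetroot`, so a SIGTERM from sddm is still denied by the receiver and will keep showing up in the log. Align the two sides with `signal (receive) set=(kill, term) peer=sddm,`. The xsetroot profile body continues outside the hunk.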
@@ -65,7 +72,7 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/session/ rw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index b3c2853f..1e1043cf 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -36,23 +36,24 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/sounds/** r, /etc/xdg/konsolerc r, + /etc/xdg/kshorturifilterrc r, /etc/xdg/menus/{,**} r, /etc/xdg/ui/ui_standards.rc r, owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{user_config_dirs}/#@{int} rwl, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca{5,6}_* r, + owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, owner @{user_share_dirs}/konsole/** rwlk, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 6b570b1d..9a513c62 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland 
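Review bot: Widening `UserFeedback.org.kde.dolphin.conf{,.@{rand6}}` to `{,.*}` now also matches `UserFeedback.org.kde.dolphin.conf.lock`, and because AppArmor permissions accumulate across matching rules the lock file gains `rwlk` plus the link target from this line, making the dedicated `.lock rwk` rule on the next line redundant rather than a narrower grant. If the intent was only to accept KDE temp-file suffixes other than six random characters, a comment saying what suffix was observed would justify the glob; otherwise `{,.@{rand6}}` plus the specific suffix keeps the lock rule meaningful. The dolphin profile body continues outside the hunk.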
@@ -52,6 +52,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/machine-id r, /var/lib/dbus/machine-id r, + / r, + owner @{HOME}/ r, + owner @{sddm_cache_dirs}/#@{int} rwk, owner @{sddm_cache_dirs}/fontconfig/* rwk, owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.LCK l -> @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.TMP-@{rand6}, @@ -73,7 +76,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/kwin/ rw, - owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/**, + owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f50ced75..b4847565 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -78,8 +78,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/fstab r, /etc/ksysguarddrc r, /etc/machine-id r, - /etc/sensors3.conf r, + /etc/os-release r, /etc/sensors.d/ r, + /etc/sensors3.conf r, /etc/xdg/** r, /var/lib/AccountsService/icons/* r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index adc56bae..3a297730 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
@@ -42,6 +42,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (receive) set=(hup) peer=@{p_systemd}, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, + signal (send) set=(kill, term) peer=xsetroot, signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, @@ -76,6 +77,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/disable-paste rix, @{bin}/locale rix, @{bin}/manpath rix, + @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, @@ -151,6 +153,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.jsc mrw, owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.qmlc mrw, + owner @{HOME}/ r, owner @{HOME}/.local/ w, owner @{HOME}/.Xauthority rw, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f19aaf47..1944a52f 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -37,6 +37,7 @@ profile sddm-greeter @{exec_path} { /usr/share/hunspell/** r, /etc/fstab r, + /etc/os-release r, /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index c5a1b83c..960b8779 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -76,9 +76,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/locale.conf r, /etc/lvm/lvm.conf r, /etc/mkinitcpio.conf r, - /etc/mkinitcpio.d/{,**} r, /etc/mkinitcpio.conf.d/{,**} r, + /etc/mkinitcpio.d/{,**} r, /etc/modprobe.d/{,*} r, + /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, 
diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd/systemd-generator-gpt-auto index b1b9fbc9..5ae2b926 100644 --- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto @@ -20,6 +20,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { /boot/ r, /efi/ r, /etc/fstab r, + /usr/ r, @{run}/systemd/generator.late/**.{,auto}mount w, @{run}/systemd/generator.late/local-fs.target.wants/ w, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index b4efcdc5..d37284ec 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -32,6 +32,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/.#machine-info@{rand6} rw, /etc/machine-id r, /etc/machine-info rw, + /etc/os-release r, @{run}/systemd/default-hostname rw, @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index 6de9639c..bdb8825b 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -17,6 +17,8 @@ profile systemd-shutdown @{exec_path} { capability sys_ptrace, capability sys_resource, + mount options=(rw rprivate) -> /, + signal (send) set=(stop, cont, term, kill), signal (receive) set=(rtmin+23) peer=plymouthd, @@ -24,6 +26,7 @@ profile systemd-shutdown @{exec_path} { @{PROC}/ r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/sys/kernel/core_pattern w, diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb index c7beb7cc..ec059f65 100644 --- a/apparmor.d/profiles-a-f/cups-backend-usb +++ b/apparmor.d/profiles-a-f/cups-backend-usb 
@@ -11,6 +11,8 @@ profile cups-backend-usb @{exec_path} { include include + capability net_admin, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate index 82617fc6..21a27e43 100644 --- a/apparmor.d/profiles-m-r/plocate +++ b/apparmor.d/profiles-m-r/plocate @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/plocate profile plocate @{exec_path} { include + include # For running as root capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool new file mode 100644 index 00000000..4ae50fbb --- /dev/null +++ b/apparmor.d/profiles-s-z/smbspool @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/smbspool +profile smbspool @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 4d92f30b..e3c2f1d4 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -14,6 +14,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { include capability chown, + capability fowner, capability mknod, capability sys_ptrace, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 4529c2c5..cbe3a79b 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -47,6 +47,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + mount options=(rw move) -> @{MOUNTS}/, + mount options=(rw move) -> @{MOUNTS}/*/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, 
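Review bot: The two udisksd rules `mount options=(rw move) -> @{MOUNTS}/,` and `mount options=(rw move) -> @{MOUNTS}/*/,` specify no source, so any existing mount may be moved onto the media directory, and unlike the neighbouring rule they carry no comment (`# Allow mounting on temporary mount point`) saying which udisks operation needs it. If the move is from the temporary mount point described just below, naming it as the source (`mount options=(rw move) @{run}/udisks2/temp-mount-*/ -> @{MOUNTS}/*/,`) would keep the rule to that flow; otherwise a comment stating the observed operation would do. The udisksd profile body continues outside the hunk.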
diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index b1295df1..db62117f 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Zane Zakraisek +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -24,5 +25,8 @@ profile whatis @{exec_path} { owner @{HOME}/.manpath r, + owner @{user_share_dirs}/man/{,**/}{,whatis} r, + owner @{user_share_dirs}/man/{,**/}index.{bt,db,dir,pag} rk, + include if exists } diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index e5aff51c..aad07309 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -18,15 +18,18 @@ profile zpool @{exec_path} { @{sh_path} rix, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + /usr/share/zfs/{,**} r, + /etc/hostid r, /etc/zfs/*.cache rwk, + /tmp/tmp.* rw, + @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old rwl, @{run}/blkid/blkid.tab-@{rand6} rwl, - /tmp/tmp.* rw, - + @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, From 511ba6c6a9758f534736ffe3d425e6ad9cc8ddda Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 18:25:11 +0100 Subject: [PATCH 20/37] feat(aa-log): filter journactl log --- pkg/logs/loggers.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index faa76a1f..a46471ac 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go 
@@ -75,8 +75,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
 }
 scanner = bufio.NewScanner(file)
 } else {
- // journalctl -b -o json --output-fields=MESSAGE > systemd.log
- cmd := exec.Command("journalctl", "--boot", "--output=json", "--output-fields=MESSAGE")
+ // journalctl -b -o json --grep=AVC --output-fields=MESSAGE > systemd.log
+ cmd := exec.Command("journalctl", "--boot", "--grep=AVC", "--output=json", "--output-fields=MESSAGE")
 cmd.Stdout = &stdout
 if err := cmd.Run(); err != nil {
 return nil, err
From 0bbbe71422e906c4cedda0e8e95ee62b7b7e8f25 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 2 May 2024 21:42:33 +0100
Subject: [PATCH 21/37] feat(tunable): add the new @{tmp} variable

Mostly used to handle libpam-tmpdir. See #318 #320
---
 apparmor.d/tunables/multiarch.d/system | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 68efe0b7..330d4fee 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -56,6 +56,9 @@
 @{bin}=/{,usr/}{,s}bin
 @{lib}=/{,usr/}lib{,exec,32,64}
 
+# Common places for temporary files
+@{tmp}=/tmp/ /tmp/user/@{uid}/
+
 # Udev data dynamic assignment ranges
 @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
From 3f69b9fec417f4d2b945f9d88ef772d44885d441 Mon Sep 17 00:00:00 2001
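Review bot: `--grep=AVC` makes the live journalctl branch pre-filter on the literal string AVC while the `useFile` branch just above (`scanner = bufio.NewScanner(file)`) still hands the whole file to the parser, so the two paths no longer see the same input and a saved `systemd.log` can yield entries a live run never shows. journalctl's `--grep` is a regular expression applied to MESSAGE and, because the pattern contains uppercase letters, is matched case-sensitively; the updated comment should say so, e.g. `// --grep=AVC is a case-sensitive regex on MESSAGE; entries without the literal AVC never reach the parser`. Whether every AppArmor denial in the journal carries that token depends on how the entries reach journald (audit socket versus kernel printk) and is worth confirming before relying on the filter. GetJournalctlLogs starts before this hunk and its stdout/err handling continues after it.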
From: Alexandre Pujol Date: Thu, 2 May 2024 22:12:02 +0100 Subject: [PATCH 22/37] feat(profile): use the new @{tmp} variable. It is only used with the owner statement. --- apparmor.d/abstractions/X-strict | 2 +- apparmor.d/abstractions/app/chromium | 18 +++---- apparmor.d/abstractions/bus-session | 4 +- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/common/apt | 5 +- apparmor.d/abstractions/common/bwrap | 4 +- apparmor.d/abstractions/common/chromium | 12 ++--- apparmor.d/abstractions/common/electron | 16 +++---- apparmor.d/groups/_full/default | 2 +- .../groups/akonadi/akonadi_mailfilter_agent | 4 +- apparmor.d/groups/apps/calibre | 10 ++-- apparmor.d/groups/apps/discord | 6 +-- apparmor.d/groups/apps/dropbox | 16 +++---- apparmor.d/groups/apps/filezilla | 6 +-- apparmor.d/groups/apps/flameshot | 6 +-- apparmor.d/groups/apps/telegram-desktop | 2 +- apparmor.d/groups/apps/zathura | 2 +- apparmor.d/groups/apt/apt | 14 +++--- apparmor.d/groups/apt/apt-config | 2 +- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/apt-key | 8 ++-- .../groups/apt/apt-listbugs-migratepins | 6 +-- apparmor.d/groups/apt/apt-listchanges | 22 ++++----- apparmor.d/groups/apt/apt-methods-gpgv | 6 +-- apparmor.d/groups/apt/apt-methods-http | 4 +- apparmor.d/groups/apt/apt-methods-store | 2 +- apparmor.d/groups/apt/aptitude | 20 ++++---- .../groups/apt/aptitude-run-state-bundle | 2 +- apparmor.d/groups/apt/debsign | 8 ++-- apparmor.d/groups/apt/dpkg | 2 +- apparmor.d/groups/apt/dpkg-architecture | 2 +- apparmor.d/groups/apt/dpkg-deb | 8 ++-- apparmor.d/groups/apt/dpkg-preconfigure | 4 +- apparmor.d/groups/apt/reportbug | 6 +-- apparmor.d/groups/apt/synaptic | 4 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/browsers/brave | 6 +-- apparmor.d/groups/browsers/chromium-wrapper | 6 +-- apparmor.d/groups/browsers/firefox | 47 +++++++++---------- .../groups/browsers/firefox-crashreporter | 4 +- apparmor.d/groups/browsers/firefox-glxtest | 
2 +- .../groups/browsers/firefox-minidump-analyzer | 4 +- apparmor.d/groups/browsers/firefox-vaapitest | 2 +- apparmor.d/groups/browsers/msedge | 4 +- apparmor.d/groups/cron/cron | 4 +- apparmor.d/groups/cron/cron-apt | 16 +++---- .../groups/cron/cron-popularity-contest | 16 +++---- apparmor.d/groups/cron/crontab | 4 +- .../groups/display-manager/x11-xsession | 9 ++-- .../groups/display-manager/xdm-xsession | 4 +- apparmor.d/groups/freedesktop/accounts-daemon | 2 +- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pipewire-pulse | 2 +- .../polkit-kde-authentication-agent | 4 +- .../groups/freedesktop/xdg-desktop-portal | 2 +- .../freedesktop/xdg-desktop-portal-gnome | 4 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- .../groups/freedesktop/xdg-icon-resource | 2 +- apparmor.d/groups/freedesktop/xdg-screensaver | 2 +- apparmor.d/groups/freedesktop/xkbcomp | 2 +- apparmor.d/groups/freedesktop/xorg | 8 ++-- apparmor.d/groups/freedesktop/xrdb | 12 ++--- apparmor.d/groups/freedesktop/xsetroot | 2 +- apparmor.d/groups/freedesktop/xwayland | 2 +- .../groups/gnome/epiphany-search-provider | 4 +- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gio-launch-desktop | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- .../groups/gnome/gnome-desktop-thumbnailers | 8 ++-- .../groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/gnome/gnome-shell | 4 +- apparmor.d/groups/gnome/gnome-software | 10 ++-- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/kgx | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/tracker-extract | 4 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/gpg/gpg | 6 +-- apparmor.d/groups/gpg/gpg-agent | 10 ++-- apparmor.d/groups/gpg/gpg-connect-agent | 6 +-- apparmor.d/groups/grub/grub-check-signatures | 2 +- apparmor.d/groups/kde/baloo | 2 +- apparmor.d/groups/kde/dolphin | 2 +- 
apparmor.d/groups/kde/kcminit | 8 ++-- apparmor.d/groups/kde/kconf_update | 6 +-- apparmor.d/groups/kde/kded | 6 +-- apparmor.d/groups/kde/kioworker | 4 +- apparmor.d/groups/kde/konsole | 4 +- apparmor.d/groups/kde/kscreenlocker_greet | 2 +- apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/kwalletd | 2 +- apparmor.d/groups/kde/kwin_x11 | 4 +- apparmor.d/groups/kde/okular | 4 +- apparmor.d/groups/kde/plasma-discover | 14 +++--- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 6 +-- apparmor.d/groups/kde/sddm-greeter | 4 +- apparmor.d/groups/kde/sddm-xsession | 4 +- apparmor.d/groups/kde/startplasma | 4 +- apparmor.d/groups/kde/xembedsniproxy | 2 +- apparmor.d/groups/kde/xsettingsd | 2 +- apparmor.d/groups/network/mullvad-daemon | 4 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/pacman/mkinitcpio | 4 +- apparmor.d/groups/pacman/pacman | 6 +-- apparmor.d/groups/ssh/ssh | 2 +- apparmor.d/groups/ssh/ssh-agent | 4 +- apparmor.d/groups/systemd/coredumpctl | 4 +- apparmor.d/groups/systemd/systemd-analyze | 2 +- apparmor.d/groups/systemd/systemd-dissect | 2 +- .../groups/ubuntu/software-properties-dbus | 6 +-- .../groups/ubuntu/software-properties-gtk | 6 +-- apparmor.d/groups/ubuntu/ubuntu-advantage | 6 +-- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/groups/virt/containerd | 2 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/whonix/sdwdate-start | 2 +- apparmor.d/groups/whonix/torbrowser | 24 +++++----- apparmor.d/groups/whonix/torbrowser-glxtest | 2 +- .../whonix/torbrowser-updater-permission-fix | 2 +- apparmor.d/groups/whonix/torbrowser-vaapitest | 2 +- apparmor.d/groups/whonix/torbrowser-wrapper | 3 +- apparmor.d/groups/xfce/thunar | 2 +- apparmor.d/groups/xfce/xfce-session | 3 +- apparmor.d/groups/xfce/xfce-terminal | 2 +- apparmor.d/profiles-a-f/aa-notify | 4 +- apparmor.d/profiles-a-f/adb | 2 +- apparmor.d/profiles-a-f/anacron | 4 +- 
apparmor.d/profiles-a-f/anyremote | 10 ++-- apparmor.d/profiles-a-f/apparmor_parser | 2 +- apparmor.d/profiles-a-f/appstreamcli | 6 +-- apparmor.d/profiles-a-f/arduino | 24 +++++----- apparmor.d/profiles-a-f/arduino-builder | 8 ++-- apparmor.d/profiles-a-f/arduino-ctags | 4 +- apparmor.d/profiles-a-f/atril | 8 ++-- apparmor.d/profiles-a-f/augenrules | 2 +- apparmor.d/profiles-a-f/birdtray | 2 +- apparmor.d/profiles-a-f/borg | 12 ++--- apparmor.d/profiles-a-f/browserpass | 2 +- apparmor.d/profiles-a-f/btrfs | 2 +- apparmor.d/profiles-a-f/check-support-status | 4 +- .../profiles-a-f/check-support-status-hook | 8 ++-- apparmor.d/profiles-a-f/claws-mail | 6 +-- apparmor.d/profiles-a-f/code | 6 +-- .../profiles-a-f/code-extension-git-askpass | 2 +- apparmor.d/profiles-a-f/conky | 2 +- apparmor.d/profiles-a-f/cpuid | 2 +- apparmor.d/profiles-a-f/cups-notifier-dbus | 2 +- .../profiles-a-f/cups-pk-helper-mechanism | 2 +- apparmor.d/profiles-a-f/cupsd | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 8 ++-- apparmor.d/profiles-a-f/dhclient-script | 4 +- apparmor.d/profiles-a-f/dkms | 12 ++--- apparmor.d/profiles-a-f/dlocate | 2 +- apparmor.d/profiles-a-f/dmidecode | 2 +- apparmor.d/profiles-a-f/downloadhelper | 2 +- apparmor.d/profiles-a-f/dumpcap | 4 +- apparmor.d/profiles-a-f/engrampa | 2 +- apparmor.d/profiles-a-f/etckeeper | 2 +- apparmor.d/profiles-a-f/evince | 6 +-- apparmor.d/profiles-a-f/evince-thumbnailer | 4 +- apparmor.d/profiles-a-f/ffmpeg | 4 +- apparmor.d/profiles-a-f/flatpak | 6 +-- apparmor.d/profiles-a-f/flatpak-system-helper | 6 +-- apparmor.d/profiles-a-f/frontend | 4 +- apparmor.d/profiles-g-l/gajim | 6 +-- apparmor.d/profiles-g-l/git | 26 +++++----- apparmor.d/profiles-g-l/gpa | 2 +- apparmor.d/profiles-g-l/gpartedbin | 2 +- apparmor.d/profiles-g-l/hardinfo | 6 +-- apparmor.d/profiles-g-l/hugo | 4 +- apparmor.d/profiles-g-l/hw-probe | 4 +- apparmor.d/profiles-g-l/hwinfo | 6 +-- apparmor.d/profiles-g-l/i3lock | 2 +- apparmor.d/profiles-g-l/i3lock-fancy 
| 8 ++-- apparmor.d/profiles-g-l/jdownloader | 16 +++---- apparmor.d/profiles-g-l/jmtpfs | 4 +- apparmor.d/profiles-g-l/keepassxc | 16 +++---- apparmor.d/profiles-g-l/kernel-install | 2 +- apparmor.d/profiles-g-l/kmod | 6 +-- apparmor.d/profiles-g-l/linssid | 6 +-- apparmor.d/profiles-g-l/linux-check-removal | 2 +- apparmor.d/profiles-g-l/lynx | 4 +- apparmor.d/profiles-m-r/man | 2 +- apparmor.d/profiles-m-r/merkaartor | 4 +- apparmor.d/profiles-m-r/minitube | 8 ++-- apparmor.d/profiles-m-r/mkvmerge | 4 +- apparmor.d/profiles-m-r/mkvtoolnix-gui | 10 ++-- apparmor.d/profiles-m-r/modprobed-db | 4 +- apparmor.d/profiles-m-r/mono-sgen | 4 +- apparmor.d/profiles-m-r/mpsyt | 6 +-- apparmor.d/profiles-m-r/mpv | 10 ++-- apparmor.d/profiles-m-r/nmap | 4 +- apparmor.d/profiles-m-r/ntfsdecrypt | 2 +- apparmor.d/profiles-m-r/ntfsundelete | 4 +- apparmor.d/profiles-m-r/ntfsusermap | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/packagekitd | 6 +-- apparmor.d/profiles-m-r/pam-tmpdir-helper | 4 +- apparmor.d/profiles-m-r/pass | 4 +- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/pinentry-qt | 2 +- apparmor.d/profiles-m-r/popularity-contest | 2 +- apparmor.d/profiles-m-r/psi | 4 +- apparmor.d/profiles-m-r/psi-plus | 4 +- apparmor.d/profiles-m-r/qbittorrent | 22 ++++----- apparmor.d/profiles-m-r/qbittorrent-nox | 14 +++--- apparmor.d/profiles-m-r/qnapi | 18 +++---- apparmor.d/profiles-m-r/qpdfview | 6 +-- apparmor.d/profiles-m-r/qtox | 2 +- apparmor.d/profiles-m-r/quiterss | 4 +- apparmor.d/profiles-m-r/repo | 6 +-- apparmor.d/profiles-m-r/run-parts | 6 +-- apparmor.d/profiles-m-r/runuser | 2 +- apparmor.d/profiles-s-z/YACReaderLibrary | 2 +- apparmor.d/profiles-s-z/s3fs | 4 +- apparmor.d/profiles-s-z/sanoid | 2 +- apparmor.d/profiles-s-z/smplayer | 10 ++-- apparmor.d/profiles-s-z/snap | 2 +- apparmor.d/profiles-s-z/snap-update-ns | 2 +- .../profiles-s-z/spectre-meltdown-checker | 18 +++---- apparmor.d/profiles-s-z/ss | 2 +- 
apparmor.d/profiles-s-z/startx | 2 +- apparmor.d/profiles-s-z/steam | 14 +++--- apparmor.d/profiles-s-z/steam-game | 8 ++-- apparmor.d/profiles-s-z/steam-gameoverlayui | 6 +-- apparmor.d/profiles-s-z/strawberry | 14 +++--- apparmor.d/profiles-s-z/swtpm_setup | 6 +-- apparmor.d/profiles-s-z/syncoid | 2 +- apparmor.d/profiles-s-z/system-config-printer | 2 +- apparmor.d/profiles-s-z/tasksel | 4 +- apparmor.d/profiles-s-z/terminator | 2 +- apparmor.d/profiles-s-z/thunderbird | 16 +++---- apparmor.d/profiles-s-z/thunderbird-glxtest | 2 +- apparmor.d/profiles-s-z/thunderbird-vaapitest | 2 +- apparmor.d/profiles-s-z/tint2 | 2 +- apparmor.d/profiles-s-z/transmission-qt | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/unmkinitramfs | 4 +- .../profiles-s-z/update-ca-certificates | 2 +- apparmor.d/profiles-s-z/update-cracklib | 2 +- apparmor.d/profiles-s-z/vcsi | 2 +- apparmor.d/profiles-s-z/vidcutter | 8 ++-- apparmor.d/profiles-s-z/whiptail | 2 +- apparmor.d/profiles-s-z/wireshark | 2 +- apparmor.d/profiles-s-z/wl-copy | 2 +- apparmor.d/profiles-s-z/wpa-cli | 2 +- apparmor.d/profiles-s-z/wpa-gui | 2 +- apparmor.d/profiles-s-z/xarchiver | 2 +- apparmor.d/profiles-s-z/xauth | 16 +++---- apparmor.d/profiles-s-z/xclip | 4 +- apparmor.d/profiles-s-z/xinit | 4 +- apparmor.d/profiles-s-z/xsel | 2 +- apparmor.d/profiles-s-z/zed | 2 +- apparmor.d/profiles-s-z/zenmap | 4 +- 257 files changed, 668 insertions(+), 685 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 4ab629d7..b33ba0b4 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -19,7 +19,7 @@ /tmp/.ICE-unix/* rw, /tmp/.X@{int}-lock rw, /tmp/.X11-unix/* rw, - owner /tmp/xauth_@{rand6} rl -> /tmp/#@{int}, + owner @{tmp}/xauth_@{rand6} rl -> /tmp/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, 
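Review bot: In the X-strict hunk the source of the link rule now uses the variable but the link target is still hard-coded: `owner @{tmp}/xauth_@{rand6} rl -> /tmp/#@{int},`. When `@{tmp}` expands to `/tmp/user/@{uid}/` (the libpam-tmpdir case this series is adding support for) xauth's temporary `#NNN` file lives in that directory too, so the link is denied there. Use the variable on both sides: `owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},`. The same source-only substitution may recur in the other files of this commit that I cannot see; worth a grep for `-> /tmp/` before merging.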
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index fc5ef673..3b106c6e 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -151,17 +151,13 @@ /tmp/ r, /var/tmp/ r, - owner /tmp/.@{domain}.* rw, - owner /tmp/.@{domain}*/{,**} rw, - owner /tmp/@{name}-crashlog-@{int}-@{int}.txt rw, - owner /tmp/scoped_dir*/{,**} rw, - owner /tmp/tmp.* rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, - - # libpam-tmpdir support - owner /tmp/user/@{uid}/ rw, - owner /tmp/user/@{uid}/** rwk, + owner @{tmp}/.@{domain}.* rw, + owner @{tmp}/.@{domain}*/{,**} rw, + owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, + owner @{tmp}/scoped_dir*/{,**} rw, + owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/** rwk, /dev/shm/ r, owner /dev/shm/.@{domain}* rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 7507dee5..f8d6ba37 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -19,8 +19,8 @@ /etc/machine-id r, /var/lib/dbus/machine-id r, - owner /tmp/dbus-@{rand8} rw, - owner /tmp/dbus-@{rand10} rw, + owner @{tmp}/dbus-@{rand8} rw, + owner @{tmp}/dbus-@{rand10} rw, owner @{run}/user/@{uid}/bus rw, diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a1180f97..965f7146 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -53,7 +53,7 @@ owner @{user_share_dirs}/** rwkl, owner @{user_games_dirs}/{,**} rm, - owner /tmp/** rmwk, + owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, @{run}/cups/cups.sock rw, # Allow access to cups printing socket. diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index bfded36b..baa14757 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt 
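Review bot: The chromium app abstraction drops `owner /tmp/user/@{uid}/ rw,` and `owner /tmp/user/@{uid}/** rwk,` in favour of the `@{tmp}/…` rules, but none of the surviving rules covers the directory itself: the context line `/tmp/ r,` is a literal path and every new rule matches something below `@{tmp}/`. If the browser lists or creates its per-user temporary directory, that access is now lost under libpam-tmpdir; `owner @{tmp}/ rw,` (or `r` if listing is all that is needed) would restore it, which I would confirm against a denial log before merging. The abstraction continues outside the hunk.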
@@ -25,8 +25,7 @@ /var/lib/dpkg/status r, /var/lib/ubuntu-advantage/apt-esm/{,**} r, - owner /tmp/#@{int} rw, - owner /tmp/clearsigned.message.* rw, - owner /tmp/user/@{uid}/#@{int} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/clearsigned.message.* rw, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index f2e76bcd..858acb47 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -37,8 +37,8 @@ owner / r, owner /newroot/{,**} w, - owner /tmp/newroot/ w, - owner /tmp/oldroot/ w, + owner @{tmp}/newroot/ w, + owner @{tmp}/oldroot/ w, @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 27edc85f..1fc1d155 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -24,12 +24,12 @@ /tmp/ r, /var/tmp/ r, - owner /tmp/.org.chromium.Chromium.* rw, - owner /tmp/.org.chromium.Chromium.*/{,**} rw, - owner /tmp/scoped_dir*/ rw, - owner /tmp/scoped_dir*/SingletonCookie w, - owner /tmp/scoped_dir*/SingletonSocket w, - owner /tmp/scoped_dir*/SS w, + owner @{tmp}/.org.chromium.Chromium.* rw, + owner @{tmp}/.org.chromium.Chromium.*/{,**} rw, + owner @{tmp}/scoped_dir*/ rw, + owner @{tmp}/scoped_dir*/SingletonCookie w, + owner @{tmp}/scoped_dir*/SingletonSocket w, + owner @{tmp}/scoped_dir*/SS w, /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 3862765b..c8541282 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron 
@@ -50,14 +50,14 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner /tmp/.org.chromium.Chromium.@{rand6} rw, - owner /tmp/.org.chromium.Chromium.@{rand6}/ rw, - owner /tmp/.org.chromium.Chromium.@{rand6}/SingletonCookie w, - owner /tmp/.org.chromium.Chromium.@{rand6}/SingletonSocket w, - owner /tmp/scoped_dir@{rand6}/ rw, - owner /tmp/scoped_dir@{rand6}/SingletonCookie w, - owner /tmp/scoped_dir@{rand6}/SingletonSocket w, - owner /tmp/scoped_dir@{rand6}/SS w, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/ rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/SS w, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index a92304d1..0b6b72f1 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default @@ -72,7 +72,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/{,**} rw, owner @{user_config_dirs}/** rwkl, owner @{user_share_dirs}/** rwkl, - owner /tmp/{,**} rwk, + owner @{tmp}/{,**} rwk, owner @{run}/user/@{uid}/{,**} rw, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index 53a6fc02..80594c6b 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent 
@@ -49,8 +49,8 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_config_dirs}/kmail2rc r, owner @{user_config_dirs}/kwinrc r, - owner /tmp/#@{int} rw, - owner /tmp/akonadi_mailfilter_agent.* rwl, + owner @{tmp}/#@{int} rw, + owner @{tmp}/akonadi_mailfilter_agent.* rwl, owner @{user_config_dirs}/specialmailcollectionsrc r, diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index bcc0cf92..fe3867af 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -95,12 +95,10 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/gstreamer-@{int}/ rw, owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, - owner /tmp/calibre_*_tmp_*/{,**} rw, - owner /tmp/calibre-*/{,**} rw, - owner /tmp/@{int}-*/ rw, - owner /tmp/@{int}-*/** rwl, -# owner /tmp/@{int}-*/** rwl -> /tmp/@{int}-*/**, # newer AA version - owner /tmp/* rw, + owner @{tmp}/calibre_*_tmp_*/{,**} rw, + owner @{tmp}/calibre-*/{,**} rw, + owner @{tmp}/@{int}-*/ rw, + owner @{tmp}/@{int}-*/** rwl, owner /dev/shm/#@{int} rw, diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord index e7eda5c3..c703ff35 100644 --- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/groups/apps/discord @@ -34,9 +34,9 @@ profile discord @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - owner /tmp/net-export/ rw, - owner /tmp/discord.sock rw, - owner "/tmp/Discord Crashes/" rw, + owner @{tmp}/net-export/ rw, + owner @{tmp}/discord.sock rw, + owner "@{tmp}/Discord Crashes/" rw, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox index 9853bd50..c960e62f 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/groups/apps/dropbox 
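Review bot: In the calibre hunk, `owner /tmp/* rw,` is deleted without a `@{tmp}/*` counterpart, so this hunk narrows the profile rather than merely renaming paths; that is a reasonable tightening, but it is hidden inside an otherwise mechanical substitution and is not called out anywhere. The same bundling happens in aptitude, which drops the non-owner `/tmp/aptitude-*.@{pid}:*/pkgstates* r,` rule, and in firefox, where `Temp-@{uuid}/{**,} rw` becomes two rules and gains `k` on `Temp-@{uuid}/**`. Listing these three behavioural changes in the commit description (or splitting them into a separate commit) would let reviewers and anyone bisecting a regression distinguish them from the `s|/tmp/|@{tmp}/|` rewrite.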
@@ -60,11 +60,11 @@ profile dropbox @{exec_path} { @{bin}/{,@{multiarch}-}objdump rix, # Needed for updating Dropbox - owner /tmp/.dropbox-dist-new-*/{,**} rw, - owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix, - owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix, - owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix, - owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw, + owner @{tmp}/.dropbox-dist-new-*/{,**} rw, + owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix, + owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix, + owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix, + owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw, owner @{HOME}/.dropbox-dist-old*/{,**} rw, owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw, @@ -105,9 +105,9 @@ profile dropbox @{exec_path} { @{PROC}/vmstat r, # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead - owner /tmp/dropbox-antifreeze-* rw, - owner /tmp/[a-zA-z0-9]* rw, - owner /tmp/#@{int} rw, + owner @{tmp}/dropbox-antifreeze-* rw, + owner @{tmp}/[a-zA-z0-9]* rw, + owner @{tmp}/#@{int} rw, owner /var/tmp/etilqs_@{hex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla index 20f90561..cc099ce4 100644 --- a/apparmor.d/groups/apps/filezilla +++ b/apparmor.d/groups/apps/filezilla @@ -49,9 +49,9 @@ profile filezilla @{exec_path} { # Creating new files on FTP /tmp/ r, - owner /tmp/fz[0-9]temp-@{int}/ rw, - owner /tmp/fz[0-9]temp-@{int}/fz*-lockfile rwk, - owner /tmp/fz[0-9]temp-@{int}/empty_file_* rw, + owner @{tmp}/fz[0-9]temp-@{int}/ rw, + owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk, + owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw, # External apps @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot index d55481cf..d4d16144 100644 
--- a/apparmor.d/groups/apps/flameshot +++ b/apparmor.d/groups/apps/flameshot @@ -50,9 +50,9 @@ profile flameshot @{exec_path} { /usr/share/hwdata/pnp.ids r, - owner /tmp/.*/{,s} rw, - owner /tmp/*= rw, - owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw, + owner @{tmp}/.*/{,s} rw, + owner @{tmp}/*= rw, + owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw, deny owner @{PROC}/@{pid}/cmdline r, deny @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index d2969426..6b9fbdf7 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -60,7 +60,7 @@ profile telegram-desktop @{exec_path} { # Autostart owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - owner /tmp/@{hex}-* rwk, + owner @{tmp}/@{hex}-* rwk, owner @{run}/user/@{uid}/@{hex}-* rwk, /dev/shm/#@{int} rw, diff --git a/apparmor.d/groups/apps/zathura b/apparmor.d/groups/apps/zathura index aaa939e5..0c86abde 100644 --- a/apparmor.d/groups/apps/zathura +++ b/apparmor.d/groups/apps/zathura @@ -25,7 +25,7 @@ profile zathura @{exec_path} { owner @{user_config_dirs}/zathura/** r, owner @{user_share_dirs}/zathura/** rwk, - owner /tmp/gtkprint* rw, + owner @{tmp}/gtkprint* rw, include if exists } diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 52afd575..f241df38 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -136,11 +136,11 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, - owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/@{int}-*.deb w, - owner /tmp/apt.conf.* rw, - owner /tmp/apt.data.* rw, + owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, + owner @{tmp}/apt-dpkg-install-*/ rw, + owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, + owner @{tmp}/apt.conf.* rw, + owner @{tmp}/apt.data.* rw, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, @@ -187,8 +187,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.less* rw, - owner /tmp/apt-changelog-*/ r, - owner /tmp/apt-changelog-*/*.changelog r, + owner @{tmp}/apt-changelog-*/ r, + owner @{tmp}/apt-changelog-*/*.changelog r, include if exists } diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 0053232f..52227b9b 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -17,7 +17,7 @@ profile apt-config @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner /tmp/tmp*/apt.conf r, + owner @{tmp}/tmp*/apt.conf r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index c93f890d..ad1f85de 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -27,7 +27,7 @@ profile apt-extracttemplates @{exec_path} { owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - owner /tmp/*.{config,template}.@{rand6} rw, + owner @{tmp}/*.{config,template}.@{rand6} rw, owner /var/cache/debconf/tmp.ci/*.{config,template}.@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 2334e30d..39ca7d4e 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key 
@@ -56,7 +56,7 @@ profile apt-key @{exec_path} { /etc/apt/trusted.gpg.d/{,*.gpg,*.asc} r, /tmp/ r, - owner /tmp/apt-key-gpghome.*/{,**} rw, + owner @{tmp}/apt-key-gpghome.*/{,**} rw, profile gpg { @@ -93,9 +93,9 @@ profile apt-key @{exec_path} { /etc/apt/trusted.gpg.d/*.gpg r, /etc/apt/trusted.gpg.d/*.gpg.lock rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid}, - owner /tmp/apt-key-gpghome.*/ rw, - owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, - owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w, + owner @{tmp}/apt-key-gpghome.*/ rw, + owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, + owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w, owner @{run}/user/@{uid}/gnupg/d.*/ rw, diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index ffb2d4c8..92c97cc1 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -25,9 +25,9 @@ profile apt-listbugs-migratepins @{exec_path} { /etc/apt/preferences r, - owner /tmp/pin_migration_*-@{pid}-*/ w, - owner /tmp/pin_migration_*-@{pid}-*/preferences w, - owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w, + owner @{tmp}/pin_migration_*-@{pid}-*/ w, + owner @{tmp}/pin_migration_*-@{pid}-*/preferences w, + owner @{tmp}/pin_migration_*-@{pid}-*/apt-listbugs w, include if exists } diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index ba7038db..3f4890b3 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges 
@@ -53,16 +53,16 @@ profile apt-listchanges @{exec_path} { owner @{PROC}/@{pid}/fd/ r, /tmp/ r, - owner /tmp/* rw, - owner /tmp/apt-listchanges*/ rw, - owner /tmp/apt-listchanges*/**/ rw, - owner /tmp/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner /tmp/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner /tmp/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner /tmp/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner /tmp/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, + owner @{tmp}/* rw, + owner @{tmp}/apt-listchanges*/ rw, + owner @{tmp}/apt-listchanges*/**/ rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, # The following is needed when apt-listchanges uses debcconf GUI frontends. include @@ -96,7 +96,7 @@ profile apt-listchanges @{exec_path} { /root/ r, /tmp/ r, - owner /tmp/apt-listchanges-tmp*.txt r, + owner @{tmp}/apt-listchanges-tmp*.txt r, } diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index e85ab0ae..94f51aa9 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv 
@@ -81,9 +81,9 @@ profile apt-methods-gpgv @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, /tmp/ r, - owner /tmp/apt-key-gpghome.*/ rw, - owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, - owner /tmp/apt.{conf,sig,data}.* rw, + owner @{tmp}/apt-key-gpghome.*/ rw, + owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, + owner @{tmp}/apt.{conf,sig,data}.* rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7b27647a..1705e9dc 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -66,8 +66,8 @@ profile apt-methods-http @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, /tmp/ r, - owner /tmp/aptitude-root.*/aptitude-download-* rw, - owner /tmp/apt-changelog-*/*.changelog rw, + owner @{tmp}/aptitude-root.*/aptitude-download-* rw, + owner @{tmp}/apt-changelog-*/*.changelog rw, @{run}/ubuntu-advantage/aptnews.json rw, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index fe41d8ec..06f1bb10 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -53,7 +53,7 @@ profile apt-methods-store @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, /tmp/ r, - owner /tmp/apt-changelog-*/*.changelog{,.*} rw, + owner @{tmp}/apt-changelog-*/*.changelog{,.*} rw, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 09d3362f..6c204e63 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude 
@@ -98,9 +98,9 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt rPx, # For changelogs - owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw, - owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw, - owner /tmp/aptitude-*.@{pid}:*/parsedchangelog* w, + owner @{tmp}/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw, + owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, + owner @{tmp}/aptitude-*.@{pid}:*/parsedchangelog* w, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, @@ -108,8 +108,8 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/sensible-pager rCx -> pager, # For aptitude-run-state-bundle - owner /tmp/aptitudebug.*/ r, - owner /tmp/aptitudebug.*/** rwk, + owner @{tmp}/aptitudebug.*/ r, + owner @{tmp}/aptitudebug.*/** rwk, /var/lib/apt-xapian-index/index r, /var/cache/apt-xapian-index/index.[0-9]/*.glass r, @@ -121,11 +121,11 @@ profile aptitude @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/fd/ r, /tmp/ r, - owner /tmp/aptitude-*.@{pid}:*/ rw, - owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw, /tmp/aptitude-*.@{pid}:*/pkgstates* r, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/@{int}-*.deb w, + owner @{tmp}/aptitude-*.@{pid}:*/ rw, + owner @{tmp}/aptitude-*.@{pid}:*/{pkgstates,control}* rw, + owner @{tmp}/apt-dpkg-install-*/ rw, + owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, /var/cache/apt/ r, /var/cache/apt/** rwk, @@ -180,7 +180,7 @@ profile aptitude @{exec_path} flags=(complain) { owner @{HOME}/.less* rw, - owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw, + owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, # For shell pwd /root/ r, diff --git a/apparmor.d/groups/apt/aptitude-run-state-bundle b/apparmor.d/groups/apt/aptitude-run-state-bundle index 7e9ac716..330af646 100644 --- a/apparmor.d/groups/apt/aptitude-run-state-bundle 
+++ b/apparmor.d/groups/apt/aptitude-run-state-bundle @@ -24,7 +24,7 @@ profile aptitude-run-state-bundle @{exec_path} { @{bin}/aptitude-curses rPx, - owner /tmp/aptitudebug.*/{,**} rw, + owner @{tmp}/aptitudebug.*/{,**} rw, include if exists } diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index d5dbe9bb..c15be86e 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -41,8 +41,8 @@ profile debsign @{exec_path} { owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - owner /tmp/debsign.*/ rw, - owner /tmp/debsign.*/*.{dsc,changes,buildinfo}{,.asc} rw, + owner @{tmp}/debsign.*/ rw, + owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}{,.asc} rw, profile gpg { include @@ -52,8 +52,8 @@ profile debsign @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /tmp/debsign.*/*.{dsc,changes,buildinfo} r, - owner /tmp/debsign.*/*.{dsc,changes,buildinfo}.asc rw, + owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r, + owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw, } diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 0f60c730..0402418d 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -67,7 +67,7 @@ profile dpkg @{exec_path} { /usr/** rwlk -> /usr/**, /var/** rwlk -> /var/**, - owner /tmp/apt-dpkg-install-*/ r, + owner @{tmp}/apt-dpkg-install-*/ r, @{run}/systemd/userdb/ r, diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index 2ffaadc4..62351f92 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -29,7 +29,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, # file_inherit - owner /tmp/* rw, + owner @{tmp}/* rw, profile ccache { diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index b0ba38bf..a463d54e 100644 --- a/apparmor.d/groups/apt/dpkg-deb 
+++ b/apparmor.d/groups/apt/dpkg-deb @@ -25,13 +25,13 @@ profile dpkg-deb @{exec_path} { owner /var/lib/dpkg/tmp.ci/* w, # For creating deb packages - owner /tmp/dpkg-deb.* rw, + owner @{tmp}/dpkg-deb.* rw, - owner /tmp/dpkg-deb.*/ rw, - owner /tmp/dpkg-deb.*/* rw, + owner @{tmp}/dpkg-deb.*/ rw, + owner @{tmp}/dpkg-deb.*/* rw, # For extracting deb packages to /tmp/ - owner /tmp/** rw, + owner @{tmp}/** rw, /var/cache/apt/archives/*.deb r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 14ec46d7..9d8d3330 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -39,8 +39,8 @@ profile dpkg-preconfigure @{exec_path} { /etc/inputrc r, /etc/shadow r, - owner /tmp/*.template.* rw, - owner /tmp/*.config.* rwPUx, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index eb91add8..cc2a5e84 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -77,8 +77,8 @@ profile reportbug @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - owner /tmp/* rw, - owner /tmp/reportbug-*-@{int}-@{pid}-* rw, + owner @{tmp}/* rw, + owner @{tmp}/reportbug-*-@{int}-@{pid}-* rw, owner /var/tmp/*.bug{,~} rw, @{sys}/module/apparmor/parameters/enabled r, @@ -101,7 +101,7 @@ profile reportbug @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /tmp/reportbug-*-{signed,unsigned}-* rw, + owner @{tmp}/reportbug-*-{signed,unsigned}-* rw, owner @{HOME}/draftbugreports/reportbug-*-{signed,unsigned}-* rw, include if exists diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index fca72cb7..2423ff3d 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
@@ -132,8 +132,8 @@ profile synaptic @{exec_path} { /etc/machine-id r, /tmp/ r, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/@{int}-*.deb w, + owner @{tmp}/apt-dpkg-install-*/ rw, + owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, /var/cache/apt/ r, /var/cache/apt/** rwk, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index aa0b7bde..9ab8fc69 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -103,7 +103,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, - owner /tmp/apt-dpkg-install-*/{,*} rw, + owner @{tmp}/apt-dpkg-install-*/{,*} rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index af3ea866..b88df258 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -37,10 +37,10 @@ profile brave @{exec_path} { owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, owner @{cache_dirs}/BraveSoftware/ rw, - owner /tmp/net-export/ rw, # For brave://net-export/ + owner @{tmp}/net-export/ rw, # For brave://net-export/ - owner /tmp/.org.chromium.Chromium.* rwk, - owner /tmp/.org.chromium.Chromium*/{,**} rw, + owner @{tmp}/.org.chromium.Chromium.* rwk, + owner @{tmp}/.org.chromium.Chromium*/{,**} rw, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index f3037f5b..818c9dce 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper 
@@ -38,9 +38,9 @@ profile chromium-wrapper @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/chromiumargs.@{rand6} rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, + owner @{tmp}/chromiumargs.@{rand6} rw, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/** rwk, owner /dev/tty@{int} rw, /dev/dri/card[0-9] rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index d3521ac0..db6c2676 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
@@ -155,32 +155,27 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/.xfsm-ICE-@{rand6} rw, - owner /tmp/@{name}/ rw, - owner /tmp/@{name}/* rwk, - owner /tmp/@{rand6}.tmp r, - owner /tmp/@{rand8}.txt w, - owner /tmp/* w, # file downloads (to anywhere) - owner /tmp/firefox_*/ rw, - owner /tmp/firefox_*/* rwk, - owner /tmp/mozilla_*/ rw, - owner /tmp/mozilla_*/* rw, - owner /tmp/mozilla-temp-@{int} rw, - owner /tmp/Mozilla@{uuid}-cachePurge-??????????????? rwk, - owner /tmp/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, - owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, - owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, - owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk, - owner /tmp/Temp-@{uuid}/{**,} rw, - owner /tmp/tmp-???.xpi rw, - owner /tmp/tmpaddon r, - owner /tmp/tmpaddon-@{int} r, - owner /tmp/user/@{uid}/ rw, - owner /tmp/user/@{uid}/@{name}/ rw, - owner /tmp/user/@{uid}/@{name}/* rwk, - owner /tmp/user/@{uid}/* rwk, - owner /tmp/user/@{uid}/Temp-@{uuid}/ rw, - owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk, + owner @{tmp}/.xfsm-ICE-@{rand6} rw, + owner @{tmp}/@{name}/ rw, + owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp r, + owner @{tmp}/@{rand8}.txt w, + owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/firefox_*/ rw, + owner @{tmp}/firefox_*/* rwk, + owner @{tmp}/mozilla_*/ rw, + owner @{tmp}/mozilla_*/* rw, + owner @{tmp}/mozilla-temp-@{int} rw, + owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, + owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, + owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? 
rwk, + owner @{tmp}/Temp-@{uuid}/ rw, + owner @{tmp}/Temp-@{uuid}/** rwk, + owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmpaddon r, + owner @{tmp}/tmpaddon-@{int} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 2ba1f1f9..e6f8f6b6 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -46,8 +46,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/@{hex}.{dmp,extra} rw, - owner /tmp/firefox/.parentlock w, + owner @{tmp}/@{hex}.{dmp,extra} rw, + owner @{tmp}/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index b86b72a1..62338ee2 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -21,7 +21,7 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/firefox/*/.parentlock rw, - owner /tmp/@{name}/.parentlock rw, + owner @{tmp}/@{name}/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index e0634430..7c436755 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -34,8 +34,8 @@ profile firefox-minidump-analyzer @{exec_path} { owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r, - owner /tmp/@{hex}.{dmp,extra} rw, - owner /tmp/firefox/.parentlock w, + owner @{tmp}/@{hex}.{dmp,extra} rw, + owner @{tmp}/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index ea61658a..deb2735c 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest 
+++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -20,7 +20,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /tmp/@{name}/.parentlock rw, + owner @{tmp}/@{name}/.parentlock rw, deny @{config_dirs}/firefox/*/.parentlock rw, deny @{config_dirs}/firefox/*/startupCache/** r, diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index bab7a965..d129fc19 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -34,8 +34,8 @@ profile msedge @{exec_path} { owner @{user_cache_dirs}/Microsoft/ rw, owner @{user_cache_dirs}/Microsoft/** rwk, - owner /tmp/.ses rw, - owner /tmp/cv_debug.log rw, + owner @{tmp}/.ses rw, + owner @{tmp}/cv_debug.log rw, include if exists } diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 118e951e..5e8733b9 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -55,7 +55,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/*.ref rw, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/loginuid rw, @@ -71,7 +71,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { /etc/cron.*/ r, /etc/cron.*/* rPUx, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, include if exists } diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index c2d80609..4b0e1c57 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt 
@@ -75,16 +75,16 @@ profile cron-apt @{exec_path} { # TMP /tmp/ r, - owner /tmp/cron-apt.*/ rw, - owner /tmp/cron-apt.*/difftemp rw, - owner /tmp/cron-apt.*/lockfile rw, - owner /tmp/cron-apt.*/initlog rw, - owner /tmp/cron-apt.*/status rw, - owner /tmp/cron-apt.*/run{log,error,mail,syslog} rw, - owner /tmp/cron-apt.*/action{log,error,mail,syslog} rw, + owner @{tmp}/cron-apt.*/ rw, + owner @{tmp}/cron-apt.*/difftemp rw, + owner @{tmp}/cron-apt.*/lockfile rw, + owner @{tmp}/cron-apt.*/initlog rw, + owner @{tmp}/cron-apt.*/status rw, + owner @{tmp}/cron-apt.*/run{log,error,mail,syslog} rw, + owner @{tmp}/cron-apt.*/action{log,error,mail,syslog} rw, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, include if exists } diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 0a0d2840..aadae9bf 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -54,11 +54,11 @@ profile cron-popularity-contest @{exec_path} { /var/lib/popularity-contest/ rw, /var/lib/popularity-contest/lastsub rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/random_seed w, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/random_seed w, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, profile savelog { @@ -83,7 +83,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest rw, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } @@ -107,7 +107,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.new w, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } @@ -124,10 +124,10 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.@{int} r, /var/log/popularity-contest.@{int}.gpg rw, - owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**, + owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } 
@@ -152,7 +152,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.@{int}.gpg r, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 28f90614..86e19b93 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -30,7 +30,7 @@ profile crontab @{exec_path} { /var/spool/cron/crontabs/ rw, owner /var/spool/cron/crontabs/* rw, - owner /tmp/crontab.*/{,crontab} rw, + owner @{tmp}/crontab.*/{,crontab} rw, profile editor { @@ -51,7 +51,7 @@ profile crontab @{exec_path} { owner @{HOME}/.viminfo{,.tmp} rw, /tmp/ r, - owner /tmp/crontab.*/crontab rw, + owner @{tmp}/crontab.*/crontab rw, # file_inherit /etc/cron.{allow,deny} r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 37d2d980..ad98cdef 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -65,9 +65,8 @@ profile x11-xsession @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/file* rw, - owner /tmp/tmp.@{rand10} rw, - owner /tmp/user/@{uid}/tmp.@{rand10} rw, + owner @{tmp}/file* rw, + owner @{tmp}/tmp.@{rand10} rw, profile ssh-agent { include @@ -88,8 +87,8 @@ profile x11-xsession @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/ssh-*/ rw, - owner /tmp/ssh-*/agent.* rw, + owner @{tmp}/ssh-*/ rw, + owner @{tmp}/ssh-*/agent.* rw, include if exists } diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 53cab22f..11f829df 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession 
@@ -75,8 +75,8 @@ profile xdm-xsession @{exec_path} { @{run}/user/@{uid}/xauth_@{rand6} rl, - owner /tmp/ssh-*/ rw, - owner /tmp/ssh-*/agent.* rw, + owner @{tmp}/ssh-*/ rw, + owner @{tmp}/ssh-*/agent.* rw, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index e36b4b21..616d7a1f 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -75,7 +75,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { # wtmp.d ? /var/log/wtmp r, - owner /tmp/gnome-control-center-user-icon-@{rand6} rw, + owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 25785b33..29a8f790 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -49,7 +49,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/pipewire/{,**} r, - owner /tmp/librnnoise-@{int}.so rm, + owner @{tmp}/librnnoise-@{int}.so rm, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index 13331e33..dc4d6822 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -32,7 +32,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /.flatpak-info r, owner @{run}/user/@{uid}/pulse/pid w, - owner /tmp/librnnoise-@{int}.so rm, + owner @{tmp}/librnnoise-@{int}.so rm, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 3e8f651c..82bc555d 100644 
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -37,8 +37,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected) owner @{user_cache_dirs}/icon-cache.kcache rw, - owner /tmp/#@{int} rw, - owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ceea47f3..ade5d9f9 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -83,7 +83,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/kioslaverc r, - owner /tmp/icon* rw, + owner @{tmp}/icon* rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 1084a534..a8ff71d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -72,8 +72,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{HOME}/*/{,**} rw, - owner /tmp/.goutputstream-@{rand6} rw, - owner /tmp/@{rand6} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/@{rand6} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 03d3bb35..2a2e07ca 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -62,7 +62,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/.icons/{,**} r, owner @{HOME}/@{XDG_DATA_DIR}/ r, - owner /tmp/runtime-*/xauth_@{rand6} r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 912c1835..7959a4ea 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -33,7 +33,7 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { /usr/share/icons/*/.xdg-icon-resource-dummy rw, /usr/share/terminfo/** r, - owner /tmp/.com.google.Chrome.*/chrome-*.png r, + owner @{tmp}/.com.google.Chrome.*/chrome-*.png r, owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw, owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index af03c344..9b655a40 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -36,7 +36,7 @@ profile xdg-screensaver @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.Xauthority r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/xauth-@{int}-_[0-9] r, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 2296787d..d55a3ac9 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -31,7 +31,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/server-@{int}.xkm rwk, - owner /tmp/server-@{int}.xkm rwk, + owner @{tmp}/server-@{int}.xkm rwk, /dev/dri/card@{int} rw, /dev/fb@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 7d9536f9..6de7b493 100644 --- a/apparmor.d/groups/freedesktop/xorg 
+++ b/apparmor.d/groups/freedesktop/xorg @@ -83,10 +83,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/server-@{int}.xkm rw, - owner /tmp/.tX@{int}-lock rwk, - owner /tmp/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock, - owner /tmp/server-* rwk, - owner /tmp/serverauth.* r, + owner @{tmp}/.tX@{int}-lock rwk, + owner @{tmp}/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock, + owner @{tmp}/server-* rwk, + owner @{tmp}/serverauth.* r, @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 50b79e33..0947721d 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -37,12 +37,12 @@ profile xrdb @{exec_path} { owner @{user_share_dirs}/sddm/wayland-session.log w, - owner /tmp/kcminit.* r, - owner /tmp/kded{5,6}.@{rand6} r, - owner /tmp/plasma-apply-lookandfeel.* r, - owner /tmp/runtime-*/xauth_@{rand6} r, - owner /tmp/startplasma-x11.@{rand6} r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/kcminit.* r, + owner @{tmp}/kded{5,6}.@{rand6} r, + owner @{tmp}/plasma-apply-lookandfeel.* r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, + owner @{tmp}/startplasma-x11.@{rand6} r, + owner @{tmp}/xauth-@{int}-_[0-9] r, @{run}/sddm/\{@{uuid}\} r, @{run}/sddm/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 31851f76..4564617e 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -29,7 +29,7 @@ profile xsetroot @{exec_path} { owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, @{run}/sddm/\{@{uuid}\} r, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index fd25c221..9d457e88 100644 --- a/apparmor.d/groups/freedesktop/xwayland 
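Review bot: The xorg hunk at -83 leaves the unowned context rules `/tmp/ r,` and `/tmp/server-@{int}.xkm rw,` on the literal path while converting the `owner` rules directly below them to `@{tmp}`, so the two halves of the same rule group resolve to different directories whenever `@{tmp}` is not just `/tmp`. If that split is deliberate (the unowned rules may cover files created by a different user than the X server), a comment above them such as `# Unowned rules intentionally stay on /tmp` would make the intent visible and keep a later `/tmp` to `@{tmp}` sweep from changing them; otherwise they should be converted together with the rest. The same pattern appears in the cron-apt and crontab hunks, where `/tmp/ r,` remains as unchanged context next to migrated `owner @{tmp}/...` rules.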
+++ b/apparmor.d/groups/freedesktop/xwayland @@ -26,7 +26,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, - owner /tmp/server-@{int}.xkm rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index a67dc3c5..7b840bd7 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -31,8 +31,8 @@ profile epiphany-search-provider @{exec_path} { owner @{user_cache_dirs}/epiphany/{,**} rwk, owner @{user_share_dirs}/epiphany/{,**} rwk, - owner /tmp/ContentRuleList@{rand6} rw, - owner /tmp/Serialized* rw, + owner @{tmp}/ContentRuleList@{rand6} rw, + owner @{tmp}/Serialized* rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 174fda70..5c26437a 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -59,7 +59,7 @@ profile gdm-xsession @{exec_path} { /etc/default/im-config r, /etc/X11/{,**} r, - owner /tmp/gdm{3,}-config-err-@{rand6} rw, + owner @{tmp}/gdm{3,}-config-err-@{rand6} rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 41a84cbc..ee5adbae 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -26,7 +26,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{,**} rw, - owner /tmp/wl-copy-buffer-@{rand6}/stdin r, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{run}/mount/utab r, 
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 6897a11d..531a3273 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -127,7 +127,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/icc/{,edid-*} r, - owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/cups/cups.sock rw, @{run}/samba/ rw, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 6c3b0b15..dbb14921 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -22,10 +22,10 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, - owner /tmp/flatpak-seccomp-@{rand6} rw, - owner /tmp/gnome-desktop-file-to-thumbnail.* r, - owner /tmp/gnome-desktop-thumbnailer.png w, - owner /tmp/gsf-thumbnailer-@{rand6} rw, + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-file-to-thumbnail.* r, + owner @{tmp}/gnome-desktop-thumbnailer.png w, + owner @{tmp}/gsf-thumbnailer-@{rand6} rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index c30712f9..94be9636 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -18,7 +18,7 @@ profile gnome-disk-image-mounter @{exec_path} { # Allow to mount user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index bdf96a84..f22cde87 100644 
--- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -47,7 +47,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, - owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, + owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, owner /var/tmp/etilqs_@{hex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8c69b6ac..cf93ebae 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -285,8 +285,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, - owner /tmp/@{rand6}.shell-extension.zip rw, - owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{tmp}/@{rand6}.shell-extension.zip rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 362d1171..7029d834 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -86,9 +86,9 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, - owner /tmp/ostree-gpg-*/ rw, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner /tmp/#@{int} rw, + owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/#@{int} rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw, owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, 
@@ -121,8 +121,8 @@ profile gnome-software @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{run}/user/@{uid}/gnupg/ w, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 67d9d7c8..4ef3dcfd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -56,7 +56,7 @@ profile gnome-terminal-server @{exec_path} { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index 82dfac0d..e8c7b0f8 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -32,7 +32,7 @@ profile kgx @{exec_path} { @{open_path} rPx -> child-open-help, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 0e9ace3b..8d9c643e 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -92,7 +92,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, - owner /tmp/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 92a22c60..d9bd673b 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
@@ -63,13 +63,13 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_cache_dirs}/tracker3/ w, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_share_dirs}/gvfs-metadata/** r, - owner /tmp/tracker-extract-3-files.*/{,*} rw, + owner @{tmp}/tracker-extract-3-files.*/{,*} rw, @{run}/blkid/blkid.tab r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index d78217b3..c6fd38ed 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -70,7 +70,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_cache_dirs}/tracker3/ rw, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 2be51ff5..35fce836 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -55,10 +55,10 @@ profile gpg @{exec_path} { owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, #aa:exclude ubuntu - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner /tmp/tmp.[a-zA-Z0-9]* rw, + owner @{tmp}/tmp.[a-zA-Z0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index d600d3c1..109395ee 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
@@ -75,11 +75,11 @@ profile gpg-agent @{exec_path} { owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/@{hex}.key rw, owner /var/tmp/zypp.*/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner /tmp/tmp.*/gnupg/ rw, - owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, - owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, - owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, - owner /tmp/tmp.*/gnupg/sshcontrol r, + owner @{tmp}/tmp.*/gnupg/ rw, + owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/ rw, + owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{tmp}/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, + owner @{tmp}/tmp.*/gnupg/sshcontrol r, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index 4582af93..ed938177 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -22,9 +22,9 @@ profile gpg-connect-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw, - owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, - owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, + owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, include if exists } diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index f34135c8..a88c075e 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -22,7 +22,7 @@ profile grub-check-signatures @{exec_path} { /usr/share/debconf/confmodule r, - owner /tmp/tmp.*/ rw, + owner @{tmp}/tmp.*/ rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 2f3d0ea8..81cb07fb 100644 --- a/apparmor.d/groups/kde/baloo 
+++ b/apparmor.d/groups/kde/baloo @@ -33,7 +33,7 @@ profile baloo @{exec_path} { # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc rwl, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 7883ee7c..b22386b5 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -54,7 +54,7 @@ profile dolphin @{exec_path} { @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, - owner /tmp/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 0977dbe4..bec3e445 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -32,11 +32,11 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, - owner /tmp/#@{int} rw, - owner /tmp/kcminit.@{rand6} rwl, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kcminit.@{rand6} rwl, - owner /tmp/.touchpaddefaults wl, - owner /tmp/.touchpaddefaults.lock rwk, + owner @{tmp}/.touchpaddefaults wl, + owner @{tmp}/.touchpaddefaults.lock rwk, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 0d12ba6c..3294b1c5 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update 
@@ -91,9 +91,9 @@ profile kconf_update @{exec_path} { owner @{user_share_dirs}/krunnerstaterc.lock rwk, owner @{user_share_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner /tmp/#@{int} rw, - owner /tmp/kconf_update.@{rand6}.lock rwk, - owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kconf_update.@{rand6}.lock rwk, + owner @{tmp}/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int}, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 76330e00..9da20954 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -156,9 +156,9 @@ profile kded @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl, - owner /tmp/#@{int} rw, - owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int}, - owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, + owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 4df7beae..3e8d2a59 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -60,7 +60,7 @@ profile kioworker @{exec_path} { @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, - owner /tmp/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, @@ -86,7 +86,7 @@ profile kioworker @{exec_path} { owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kservices{5,6}/{,**} r, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 1e1043cf..45cb52cf 100644 --- a/apparmor.d/groups/kde/konsole 
+++ b/apparmor.d/groups/kde/konsole @@ -59,8 +59,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/konsole/** rwlk, owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r, - owner /tmp/#@{int} rw, - owner /tmp/konsole.@{rand6} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/konsole.@{rand6} rw, @{PROC}/sys/kernel/core_pattern r, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index b2fe6006..17eaa8e8 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -91,7 +91,7 @@ profile kscreenlocker_greet @{exec_path} { deny owner @{HOME}/#@{int} mrw, owner @{HOME}/.glvnd* mrw, - owner /tmp/*-cover-*.{jpg,png} r, + owner @{tmp}/*-cover-*.{jpg,png} r, @{run}/faillock/[a-zA-z0-9]* rwk, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 4ae409ec..cdceeb39 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -62,7 +62,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, - owner /tmp/@{rand6} rw, + owner @{tmp}/@{rand6} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index eb36bd8a..5aa42fb3 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -41,7 +41,7 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, - owner /tmp/kwalletd5.* rw, + owner @{tmp}/kwalletd5.* rw, @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index d7db0a64..cd43b074 100644 
--- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -56,8 +56,8 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/#@{int} rw, - owner /tmp/#@{int} rw, - owner /tmp/kwin.@{rand6} rwl, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kwin.@{rand6} rwl, owner @{run}/user/@{uid}/kcrash_@{int} rw, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index fa00bcc1..71a982ca 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -45,8 +45,8 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, - owner /tmp/#@{int} rw, - owner /tmp/okular_@{rand6}.ps rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index c06c3c18..6b8269b4 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -83,11 +83,11 @@ profile plasma-discover @{exec_path} { owner @{user_share_dirs}/kwin/ rw, owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**, - owner /tmp/*.kwinscript rwl -> /tmp/#@{int}, - owner /tmp/#@{int} rw, - owner /tmp/discover-@{rand6}/{,**} rw, - owner /tmp/ostree-gpg-*/ rw, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/discover-@{rand6}/{,**} rw, + owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak/{,**} rw, 
@@ -109,8 +109,8 @@ profile plasma-discover @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index b4847565..b67f69f6 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -166,7 +166,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/user-places.xbel{,*} rwl, /tmp/.mount_nextcl@{rand6}/{,*} r, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 3a297730..3939eeb9 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -168,9 +168,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/sddm-* rw, /tmp/xauth_@{rand6} rwl -> /tmp/#@{int}, - owner /tmp/*/{,s} rw, - owner /tmp/#@{int} rw, - owner /tmp/sddm-auth* rw, + owner @{tmp}/*/{,s} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/sddm-auth* rw, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/sddm.pid rw, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 1944a52f..eb894313 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -63,8 +63,8 @@ profile sddm-greeter @{exec_path} { deny owner @{HOME}/#@{int} mrw, owner @{HOME}/.glvnd* mrw, - owner /tmp/runtime-sddm/ rw, - owner /tmp/sddm-:@{int}-@{rand6} rw, + owner @{tmp}/runtime-sddm/ rw, + owner @{tmp}/sddm-:@{int}-@{rand6} rw, owner @{run}/sddm/{,*} rw, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b02f3f5b..000799fa 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession 
@@ -61,8 +61,8 @@ profile sddm-xsession @{exec_path} { owner @{user_share_dirs}/sddm/xorg-session.log w, - owner /tmp/xsess-env-* rw, - owner /tmp/file* rw, + owner @{tmp}/xsess-env-* rw, + owner @{tmp}/file* rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 6a95d46c..8dfc1a22 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -64,8 +64,8 @@ profile startplasma @{exec_path} { owner @{user_share_dirs}/sddm/wayland-session.log rw, owner @{user_share_dirs}/sddm/xorg-session.log rw, - owner /tmp/#@{int} rw, - owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int}, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index cc96b067..b7db4114 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -18,7 +18,7 @@ profile xembedsniproxy @{exec_path} { /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index c8cf1d5d..9c84c2bc 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -16,7 +16,7 @@ profile xsettingsd @{exec_path} { owner @{user_config_dirs}/xsettingsd/{,**} rw, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, owner @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 83721600..7ba42ab0 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon 
@@ -57,8 +57,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- owner /tmp/@{uuid} rw,
- owner /tmp/talpid-openvpn-@{uuid} rw,
+ owner @{tmp}/@{uuid} rw,
+ owner @{tmp}/talpid-openvpn-@{uuid} rw,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 86f11b55..2ba5ee9a 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -30,7 +30,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/dconf/user rw,
- owner /tmp/.org.chromium.Chromium.@{rand6}/@{name}*.png rw,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw,
 @{run}/systemd/inhibit/*.ref rw,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 511d7604..1a3a6ec4 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -55,7 +55,7 @@ profile aurpublish @{exec_path} {
 owner @{user_cache_dirs}/makepkg/src/* rw,
 owner @{user_config_dirs}/pacman/makepkg.conf r,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/tmp.* rw,
 owner @{PROC}/@{pid}/maps r,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 960b8779..ba8f69d4 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -107,8 +107,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 # Temp files
 owner @{run}/initramfs/{,**} rw,
 owner @{run}/mkinitcpio.@{rand6}/{,**} rw,
- owner /tmp/mkinitcpio.@{rand6} rw,
- owner /tmp/mkinitcpio.@{rand6}/{,**} rw,
+ owner @{tmp}/mkinitcpio.@{rand6} rw,
+ owner @{tmp}/mkinitcpio.@{rand6}/{,**} rw,
 @{sys}/class/block/ r,
 @{sys}/devices/{,**} r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 04e2dacc..79387790 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -126,9 +126,9 @@ profile pacman @{exec_path} {
 @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
 owner /var/lib/pacman/{,**} rwl,
- owner /tmp/alpm_*/{,**} rw,
- owner /tmp/checkup-db-@{int}/sync/{,*.db*} rw,
- owner /tmp/checkup-db-@{int}/db.lck rw,
+ owner @{tmp}/alpm_*/{,**} rw,
+ owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw,
+ owner @{tmp}/checkup-db-@{int}/db.lck rw,
 @{run}/utmp rk,
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 0ea99782..bc60b577 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -42,7 +42,7 @@ profile ssh @{exec_path} {
 owner @{user_projects_dirs}/**/ssh/{,*} r,
 owner @{user_projects_dirs}/**/config r,
- owner /tmp/ssh-*/{,agent.@{int}} rwkl,
+ owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,
 owner @{run}/user/@{uid}/keyring/ssh rw,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 84da0a5f..a3e29d9d 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 owner @{user_projects_dirs}/**/ssh/{,*} r,
- owner /tmp/ssh-*/ rw,
- owner /tmp/ssh-*/agent.* rw,
+ owner @{tmp}/ssh-*/ rw,
+ owner @{tmp}/ssh-*/agent.* rw,
 owner @{run}/user/@{uid}/keyring/.ssh rw,
 owner @{run}/user/@{uid}/openssh_agent rw,
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index 39315e7c..ac9c4771 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -37,8 +37,8 @@ profile coredumpctl @{exec_path} flags=(complain) {
 /{run,var}/log/journal/@{hex32}/system.journal* r,
 /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
- owner /tmp/*.coredump w,
- owner /tmp/core.* w,
+ owner @{tmp}/*.coredump w,
+ owner @{tmp}/core.* w,
 owner /var/tmp/coredump-* rw,
 @{PROC}/1/cgroup r,
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index 9c06aa64..95ce9f2e 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -40,7 +40,7 @@ profile systemd-analyze @{exec_path} {
 /etc/locale.conf r,
 /etc/systemd/** r,
- owner /tmp/systemd-temporary-*/ rw,
+ owner @{tmp}/systemd-temporary-*/ rw,
 @{run}/systemd/generator/ r,
 @{run}/systemd/private rw,
diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect
index 5490b0da..6ba2ee8e 100644
--- a/apparmor.d/groups/systemd/systemd-dissect
+++ b/apparmor.d/groups/systemd/systemd-dissect
@@ -35,7 +35,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
 @{user_projects_dirs}/{,**} r,
 @{user_vm_dirs}/{,**} r,
- owner /tmp/dissect-@{rand6}/{,**} rw,
+ owner @{tmp}/dissect-@{rand6}/{,**} rw,
 @{sys}/devices/virtual/block/loop@{int}/{,**} r,
 @{sys}/kernel/uevent_seqnum r,
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index ad3a2d56..662645f1 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -39,9 +39,9 @@ profile software-properties-dbus @{exec_path} {
 /usr/share/distro-info/*.csv r,
 /usr/share/xml/iso-codes/{,**} r,
- owner /tmp/???????? rw, # unconventional '_' tail
- owner /tmp/tmp????????/ w, # change to 'c'
- owner /tmp/tmp????????/apt.conf w,
+ owner @{tmp}/???????? rw, # unconventional '_' tail
+ owner @{tmp}/tmp????????/ w, # change to 'c'
+ owner @{tmp}/tmp????????/apt.conf w,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index d1c8bcdd..7d965795 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -73,9 +73,9 @@ profile software-properties-gtk @{exec_path} {
 /var/crash/*software-properties-gtk.@{uid}.crash rw,
 /var/lib/ubuntu-advantage/status.json r,
- owner /tmp/???????? rw,
- owner /tmp/tmp????????/ rw, # change to 'c'
- owner /tmp/tmp????????/apt.conf rw,
+ owner @{tmp}/???????? rw,
+ owner @{tmp}/tmp????????/ rw, # change to 'c'
+ owner @{tmp}/tmp????????/apt.conf rw,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage
index be70afcb..6307745c 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage
@@ -53,9 +53,9 @@ profile ubuntu-advantage @{exec_path} {
 /etc/machine-id r,
- owner /tmp/tmp[0-9a-z]*/apt.conf r,
- owner /tmp/[0-9a-z]*{,/} rw,
- owner /tmp/[0-9a-z]*/apt-helper-output rw,
+ owner @{tmp}/tmp[0-9a-z]*/apt.conf r,
+ owner @{tmp}/[0-9a-z]*{,/} rw,
+ owner @{tmp}/[0-9a-z]*/apt-helper-output rw,
 @{run}/ubuntu-advantage/{,**} rw,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 54b347b3..0e1568e8 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -80,7 +80,7 @@ profile update-notifier @{exec_path} {
 owner @{run}/user/@{uid}/update-notifier.pid rwk,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{PROC}/@{pids}/mountinfo r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index f52e19d4..c9898374 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -88,7 +88,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 /tmp/cri-containerd.apparmor.d@{int} rwl,
 /tmp/ctd-volume@{int}/{,**} rw,
- owner /tmp/** rwkl,
+ owner @{tmp}/** rwkl,
 owner /var/tmp/** rwkl,
 @{sys}/fs/cgroup/kubepods/** r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index f8cc5b7f..145a095f 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -98,7 +98,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 @{run}/xtables.lock rwk,
 owner /var/tmp/** rwkl,
- owner /tmp/** rwkl,
+ owner @{tmp}/** rwkl,
 owner @{PROC}/@{pids}/cgroup r,
 owner @{PROC}/@{pids}/cpuset r,
diff --git a/apparmor.d/groups/whonix/sdwdate-start b/apparmor.d/groups/whonix/sdwdate-start
index 6f93ee27..bcca090f 100644
--- a/apparmor.d/groups/whonix/sdwdate-start
+++ b/apparmor.d/groups/whonix/sdwdate-start
@@ -20,7 +20,7 @@ profile sdwdate-start @{exec_path} {
 @{bin}/mkfifo rix,
 @{bin}/inotifywait rix,
- owner /tmp/tmp.@{rand10} rw,
+ owner @{tmp}/tmp.@{rand10} rw,
 owner @{run}/sdwdate/ rw,
 owner @{run}/sdwdate/status rw,
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index b7672e06..760b3eda 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -82,18 +82,18 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 /tmp/ r,
 /var/tmp/ r,
- owner /tmp/user/@{uid}/ rw,
- owner /tmp/user/@{uid}/* rwk,
- owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
- owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
- owner /tmp/user/@{uid}/firefox/ rw,
- owner /tmp/user/@{uid}/firefox/* rwk,
- owner /tmp/@{name}/ rw,
- owner /tmp/@{name}/* rwk,
- owner /tmp/Temp-@{uuid}/ rw,
- owner "/tmp/Tor Project*/" rw,
- owner "/tmp/Tor Project*/**" rwk,
- owner "/tmp/Tor Project*" rwk,
+ owner @{tmp}/ rw,
+ owner @{tmp}/* w,
+ owner @{tmp}/Temp-@{uuid}/ rw,
+ owner @{tmp}/Temp-@{uuid}/* rwk,
+ owner @{tmp}/firefox/ rw,
+ owner @{tmp}/firefox/* rwk,
+ owner @{tmp}/@{name}/ rw,
+ owner @{tmp}/@{name}/* rwk,
+ owner @{tmp}/Temp-@{uuid}/ rw,
+ owner "@{tmp}/Tor Project*/" rw,
+ owner "@{tmp}/Tor Project*/**" rwk,
+ owner "@{tmp}/Tor Project*" rwk,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/whonix/torbrowser-glxtest
index eb0b24a7..7a7295bf 100644
--- a/apparmor.d/groups/whonix/torbrowser-glxtest
+++ b/apparmor.d/groups/whonix/torbrowser-glxtest
@@ -23,7 +23,7 @@ profile torbrowser-glxtest @{exec_path} {
 owner @{config_dirs}/.parentlock rw,
- owner /tmp/@{name}/.parentlock rw,
+ owner @{tmp}/@{name}/.parentlock rw,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
index d9348805..4dc8e792 100644
--- a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
+++ b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
@@ -30,7 +30,7 @@ profile torbrowser-updater-permission-fix @{exec_path} {
 /var/cache/tb-binary/{,**} rw,
- owner /tmp/user/@{uid}/tmp.@{rand10} rw,
+ owner @{tmp}/tmp.@{rand10} rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/whonix/torbrowser-vaapitest
index 9217c5f6..5d284a93 100644
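Review bot: `owner @{tmp}/Temp-@{uuid}/ rw,` is added twice in the torbrowser hunk (the third and the ninth `+` lines), a leftover from folding the `/tmp/user/@{uid}/Temp-@{uuid}/` and `/tmp/Temp-@{uuid}/` rules into one; one of the two should go. Replacing `owner /tmp/user/@{uid}/* rwk,` with `owner @{tmp}/* w,` also narrows the permissions from `rwk` to `w`, and nothing in the hunk or the commit message says whether that is intended; if it is, a short comment on the line would spare the next reader the same question, otherwise restore `rwk`. The profile block continues outside the hunk.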
--- a/apparmor.d/groups/whonix/torbrowser-vaapitest
+++ b/apparmor.d/groups/whonix/torbrowser-vaapitest
@@ -21,7 +21,7 @@ profile torbrowser-vaapitest @{exec_path} {
 @{exec_path} mr,
- owner /tmp/@{name}/.parentlock rw,
+ owner @{tmp}/@{name}/.parentlock rw,
 deny @{config_dirs}/.parentlock rw,
 deny @{config_dirs}/startupCache/** r,
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
index b3d9f446..8847bba3 100644
--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
@@ -43,8 +43,7 @@ profile torbrowser-wrapper @{exec_path} {
 owner @{HOME}/.tb/{,**} rw,
 owner /var/cache/tb-binary/{,**} rw,
- owner /tmp/tmp.@{rand10} rw,
- owner /tmp/user/@{uid}/tmp.@{rand10} rw,
+ owner @{tmp}/tmp.@{rand10} rw,
 owner @{run}/mount/utab r,
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index b668553b..3a53fc06 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -38,7 +38,7 @@ profile thunar @{exec_path} {
 @{MOUNTS}/** rw,
 owner @{HOME}/{,**} rw,
 owner @{run}/user/@{uid}/{,**} rw,
- owner /tmp/{,**} rw,
+ owner @{tmp}/{,**} rw,
 # Silence non user's data
 deny /boot/{,**} r,
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index eff39f18..705fb9aa 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -45,8 +45,7 @@ profile xfce-session @{exec_path} {
 /etc/xdg/autostart/ r,
 /etc/xdg/autostart/*.desktop r,
- owner /tmp/.xfsm-ICE-@{rand6} rw,
- owner /tmp/user/@{uid}/.xfsm-ICE-@{rand6} rw,
+ owner @{tmp}/.xfsm-ICE-@{rand6} rw,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index 2adeb97c..92d8d083 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
@@ -36,7 +36,7 @@ profile xfce-terminal @{exec_path} {
 owner @{user_config_dirs}/xfce4/terminal/{,**} r,
- owner /tmp/user/@{uid}/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify
index 51835f9d..f2e63b8c 100644
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@@ -33,8 +33,8 @@ profile aa-notify @{exec_path} {
 owner @{HOME}/.inputrc r,
 owner @{HOME}/.terminfo/@{int}/dumb r,
- owner /tmp/@{rand8} rw,
- owner /tmp/apparmor-bugreport-*.txt rw,
+ owner @{tmp}/@{rand8} rw,
+ owner @{tmp}/apparmor-bugreport-*.txt rw,
 @{PROC}/ r,
 @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb
index be97ad46..bbdc782a 100644
--- a/apparmor.d/profiles-a-f/adb
+++ b/apparmor.d/profiles-a-f/adb
@@ -24,7 +24,7 @@ profile adb @{exec_path} {
 /usr/share/scrcpy/scrcpy-server r,
- owner /tmp/adb.@{int}.log rw,
+ owner @{tmp}/adb.@{int}.log rw,
 owner @{HOME}/.android/ rw,
 owner @{HOME}/.android/adb.@{int} rw,
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron
index 22854ae2..d813c2d6 100644
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@@ -35,8 +35,8 @@ profile anacron @{exec_path} {
 /etc/cron.*/ r,
 /etc/cron.*/* rPUx,
- owner /tmp/#@{int} rw,
- owner /tmp/file@{rand6} rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/file@{rand6} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote
index b24b6c13..44a86240 100644
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@@ -61,8 +61,8 @@ profile anyremote @{exec_path} {
 @{bin}/mpv rPx,
 @{bin}/strawberry rPx,
- owner /tmp/amarok_covers/ rw,
- owner /tmp/*.png rw,
+ owner @{tmp}/amarok_covers/ rw,
+ owner @{tmp}/*.png rw,
 # For shell pwd
 owner @{HOME}/ r,
@@ -92,9 +92,9 @@ profile anyremote @{exec_path} {
 owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,
 /tmp/ r,
- owner /tmp/*.png rw,
- owner /tmp/amarok_covers/* rw,
- owner /tmp/magick-* rw,
+ owner @{tmp}/*.png rw,
+ owner @{tmp}/amarok_covers/* rw,
+ owner @{tmp}/magick-* rw,
 }
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index a38d04e7..ee442861 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -36,7 +36,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/snapd/apparmor/{,**} r,
 owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
- owner /tmp/cri-containerd.apparmor.d@{int} r,
+ owner @{tmp}/cri-containerd.apparmor.d@{int} r,
 @{sys}/kernel/security/apparmor/{,**} r,
 owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 03c56699..e280c705 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -52,9 +52,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
 owner @{user_cache_dirs}/appstream/ rw,
 owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
- owner /tmp/appstream-cache-*.mdb rw,
- owner /tmp/appstream/ rw,
- owner /tmp/appstream/appcache-*.mdb rw,
+ owner @{tmp}/appstream-cache-*.mdb rw,
+ owner @{tmp}/appstream/ rw,
+ owner @{tmp}/appstream/appcache-*.mdb rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index 9317d403..16d4fcad 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@@ -67,18 +67,18 @@ profile arduino @{exec_path} {
 owner @{HOME}/.Xauthority r,
 /tmp/ r,
- owner /tmp/cc*.{s,res,c,o,ld,le} rw,
- owner /tmp/hsperfdata_*/ rw,
- owner /tmp/hsperfdata_*/@{pid} rw,
- owner /tmp/untitled[0-9]*.tmp rw,
- owner /tmp/untitled[0-9]*.tmp/{,**} rw,
- owner /tmp/console[0-9]*.tmp rw,
- owner /tmp/console[0-9]*.tmp/{,**} rw,
- owner /tmp/build[0-9]*.tmp rw,
- owner /tmp/build[0-9]*.tmp/{,**} rw,
- owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
- owner /tmp/{library,package}_index.json*.tmp* rw,
- owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
+ owner @{tmp}/cc*.{s,res,c,o,ld,le} rw,
+ owner @{tmp}/hsperfdata_*/ rw,
+ owner @{tmp}/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/untitled[0-9]*.tmp rw,
+ owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/console[0-9]*.tmp rw,
+ owner @{tmp}/console[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/build[0-9]*.tmp rw,
+ owner @{tmp}/build[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/arduino_{build,cache}_[0-9]*/{,**} rw,
+ owner @{tmp}/{library,package}_index.json*.tmp* rw,
+ owner @{tmp}/arduino_modified_sketch_[0-9]*/{,**} rw,
 owner @{run}/lock/tmp* rw,
 owner @{run}/lock/LCK..ttyS[0-9]* rw,
diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder
index 129737f7..0eb54afe 100644
--- a/apparmor.d/profiles-a-f/arduino-builder
+++ b/apparmor.d/profiles-a-f/arduino-builder
@@ -42,10 +42,10 @@ profile arduino-builder @{exec_path} {
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 /tmp/ r,
- owner /tmp/cc* rw,
- owner /tmp/untitled[0-9]*.tmp/{,**} rw,
- owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
- owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
+ owner @{tmp}/cc* rw,
+ owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/arduino_{build,cache}_[0-9]*/{,**} rw,
+ owner @{tmp}/arduino_modified_sketch_[0-9]*/{,**} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags
index 144783ca..c97b0096 100644
--- a/apparmor.d/profiles-a-f/arduino-ctags
+++ b/apparmor.d/profiles-a-f/arduino-ctags
@@ -13,9 +13,9 @@ profile arduino-ctags @{exec_path} {
 @{exec_path} mr,
- owner /tmp/tags.* rw,
+ owner @{tmp}/tags.* rw,
- owner /tmp/arduino_build_@{int}/** r,
+ owner @{tmp}/arduino_build_@{int}/** r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index 97903a49..a1caf6bc 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -60,10 +60,10 @@ profile atril @{exec_path} {
 owner @{user_share_dirs}/ r,
- owner /tmp/gtkprint_* rw,
- owner /tmp/settings*.ini rw,
- owner /tmp/settings*.ini.* rw,
- owner /tmp/atril-@{pid}/{,**} rw,
+ owner @{tmp}/gtkprint_* rw,
+ owner @{tmp}/settings*.ini rw,
+ owner @{tmp}/settings*.ini.* rw,
+ owner @{tmp}/atril-@{pid}/{,**} rw,
 @{sys}/firmware/acpi/pm_profile r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
index 3c20ab27..f5a83b69 100644
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@@ -28,7 +28,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) {
 /etc/audit/audit.rules rw,
 /etc/audit/rules.d/{,*} r,
- owner /tmp/aurules.@{rand8} rw,
+ owner @{tmp}/aurules.@{rand8} rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index 929a98ef..9104e400 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -41,7 +41,7 @@ profile birdtray @{exec_path} {
 owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
- owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,
+ owner @{tmp}/birdtray.ulduzsoft.single.instance.server.socket w,
 # Thunderbird mail dirs
 owner @{HOME}/ r,
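Review bot: In the arduino-ctags hunk the two rewritten rules stay split by what appears to be a blank context line (the header counts nine lines for two rules, the include and the closing brace), so `owner @{tmp}/tags.* rw,` and `owner @{tmp}/arduino_build_@{int}/** r,` read as two unrelated groups. Elsewhere in this commit, for instance the atril hunk that follows, consecutive temp-file rules are kept as one block; dropping the blank line here would match that layout.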
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 5d6e4301..9703dcb6 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -64,12 +64,12 @@ profile borg @{exec_path} {
 owner @{user_config_dirs}/borg/** rw,
 # If /tmp/ isn't accessible, then /var/tmp/ is used.
- owner /tmp/* rw,
- owner /tmp/borg-cache-*/ rw,
- owner /tmp/borg-cache-*/* rw,
- owner /tmp/tmp*/ rw,
- owner /tmp/tmp*/file rw,
- owner /tmp/tmp*/idx rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/borg-cache-*/ rw,
+ owner @{tmp}/borg-cache-*/* rw,
+ owner @{tmp}/tmp*/ rw,
+ owner @{tmp}/tmp*/file rw,
+ owner @{tmp}/tmp*/idx rw,
 owner /var/lib/libuuid/clock.txt w,
 owner /var/tmp/* rw,
 owner /var/tmp/tmp*/ rw,
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index 33f07a98..e616a941 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -23,7 +23,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r,
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r,
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
- owner /tmp/mozilla-temp-@{int} r,
+ owner @{tmp}/mozilla-temp-@{int} r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index f67c3738..cb651e1c 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -37,7 +37,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
 owner @{user_img_dirs}/{,**} rwk,
 # For fsck of the btrfs filesystem directly from gparted
- owner /tmp/gparted-*/ rw,
+ owner @{tmp}/gparted-*/ rw,
 @{run}/blkid/blkid.tab{,-@{rand6}} rw,
 @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status
index 89a2ca71..e6c6a2e0 100644
--- a/apparmor.d/profiles-a-f/check-support-status
+++ b/apparmor.d/profiles-a-f/check-support-status
@@ -55,7 +55,7 @@ profile check-support-status @{exec_path} {
 owner @{HOME}/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.*/{,**} rw,
+ owner @{tmp}/debian-security-support.*/{,**} rw,
 /tmp/debian-security-support.postinst.*/output w,
 /var/lib/debian-security-support/ r,
@@ -73,7 +73,7 @@ profile check-support-status @{exec_path} {
 @{bin}/debconf-escape r,
 @{bin}/perl r,
- owner /tmp/debian-security-support.postinst.*/output r,
+ owner @{tmp}/debian-security-support.postinst.*/output r,
 }
diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook
index d2fb1f4c..d10245d4 100644
--- a/apparmor.d/profiles-a-f/check-support-status-hook
+++ b/apparmor.d/profiles-a-f/check-support-status-hook
@@ -40,8 +40,8 @@ profile check-support-status-hook @{exec_path} {
 /root/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/ rw,
- owner /tmp/debian-security-support.postinst.*/output rw,
+ owner @{tmp}/debian-security-support.postinst.*/ rw,
+ owner @{tmp}/debian-security-support.postinst.*/output rw,
 /var/lib/ r,
 /var/lib/debian-security-support/ r,
@@ -56,7 +56,7 @@ profile check-support-status-hook @{exec_path} {
 @{bin}/perl r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/output r,
+ owner @{tmp}/debian-security-support.postinst.*/output r,
 }
@@ -123,7 +123,7 @@ profile check-support-status-hook @{exec_path} {
 @{etc_ro}/security/limits.d/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/output w,
+ owner @{tmp}/debian-security-support.postinst.*/output w,
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail
index ad8da5cc..885d1602 100644
--- a/apparmor.d/profiles-a-f/claws-mail
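Review bot: In check-support-status `@@ -55`, the non-owner context line `/tmp/debian-security-support.postinst.*/output w,` keeps the literal path while its counterpart `owner @{tmp}/debian-security-support.postinst.*/output r,` in the child profile at `@@ -73`, and every rule for that file in check-support-status-hook, moves to `@{tmp}`. If `@{tmp}` expands to more than `/tmp/`, as the torbrowser-wrapper and xfce-session hunks suggest, the writer and the reader of that file are no longer guaranteed to agree on its location. Either convert that line to `@{tmp}/debian-security-support.postinst.*/output w,` as well, or state in the commit message that the conversion is deliberately limited to `owner` rules (the same literal-path context lines remain in the sddm and containerd hunks).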
+++ b/apparmor.d/profiles-a-f/claws-mail
@@ -48,9 +48,9 @@ profile claws-mail @{exec_path} flags=(complain) {
 owner @{user_mail_dirs}/ rw,
 owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
- owner /tmp/claws-mail-@{int}/ rw,
- owner /tmp/claws-mail-@{int}/@{hex} rw,
- owner /tmp/claws-mail-@{int}/@{hex}.lock rwk,
+ owner @{tmp}/claws-mail-@{int}/ rw,
+ owner @{tmp}/claws-mail-@{int}/@{hex} rw,
+ owner @{tmp}/claws-mail-@{int}/@{hex}.lock rwk,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
index 793bb8ea..8dcd847d 100644
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@@ -65,9 +65,9 @@ profile code flags=(attach_disconnected) {
 owner @{user_projects_dirs}/ r,
 owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
- owner /tmp/@{uuid} rw,
- owner /tmp/vscode-*/{,**} rw,
- owner /tmp/vscode-ipc-@{uuid}.sock rw,
+ owner @{tmp}/@{uuid} rw,
+ owner @{tmp}/vscode-*/{,**} rw,
+ owner @{tmp}/vscode-ipc-@{uuid}.sock rw,
 owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
 owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,
diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass
index a55b03a5..8b419658 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-askpass
+++ b/apparmor.d/profiles-a-f/code-extension-git-askpass
@@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} {
 /usr/share/terminfo/** r,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/tmp.* rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky
index 2437212b..fa71598f 100644
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@@ -141,7 +141,7 @@ profile conky @{exec_path} {
 @{PROC}/@{pid}/net/route r,
- owner /tmp/xauth-@{int}-_[0-9] r,
+ owner @{tmp}/xauth-@{int}-_[0-9] r,
 /usr/share/X11/XErrorDB r,
diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid
index 3ca866a6..3c4f797e 100644
--- a/apparmor.d/profiles-a-f/cpuid
+++ b/apparmor.d/profiles-a-f/cpuid
@@ -17,7 +17,7 @@ profile cpuid @{exec_path} {
 /dev/cpu/@{int}/cpuid r,
- owner /tmp/cpuid* rw,
+ owner @{tmp}/cpuid* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index 0c21ef9e..04ede210 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -19,7 +19,7 @@ profile cups-notifier-dbus @{exec_path} {
 /etc/cups/client.conf r,
- owner /tmp/cups-dbus-notifier-lockfile rwk,
+ owner @{tmp}/cups-dbus-notifier-lockfile rwk,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
index 8bbc4e5d..e71c37fe 100644
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} {
 /etc/cups/ppd/*.ppd r,
- owner /tmp/[a-z0-9]* rw,
+ owner @{tmp}/[a-z0-9]* rw,
 @{run}/cups/cups.sock rw,
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
index 785428b6..13bcc3b8 100644
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@@ -94,7 +94,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
- owner /tmp/*_latest_print_info w,
+ owner @{tmp}/*_latest_print_info w,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop
index 5d6aa5ce..1f554c4c 100644
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@@ -48,10 +48,10 @@ profile deltachat-desktop @{exec_path} {
 owner @{user_config_dirs}/DeltaChat/ rw,
 owner @{user_config_dirs}/DeltaChat/** rwk,
- owner /tmp/@{hex}/ rw,
- owner /tmp/@{hex}/db.sqlite-blobs/ rw,
- owner /tmp/@{hex}/db.sqlite rwk,
- owner /tmp/@{hex}/db.sqlite-journal rw,
+ owner @{tmp}/@{hex}/ rw,
+ owner @{tmp}/@{hex}/db.sqlite-blobs/ rw,
+ owner @{tmp}/@{hex}/db.sqlite rwk,
+ owner @{tmp}/@{hex}/db.sqlite-journal rw,
 @{PROC}/ r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script
index 418caf38..45faf18a 100644
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@@ -56,8 +56,8 @@ profile dhclient-script @{exec_path} {
 /var/lib/dhcp/dhclient.leases r,
 /var/lib/samba/dhcp.conf{,.new} rw,
- owner /tmp/dhclient-script.debug rw,
- owner /tmp/variables.txt w,
+ owner @{tmp}/dhclient-script.debug rw,
+ owner @{tmp}/variables.txt w,
 @{run}/chrony-dhcp/ rw,
 @{run}/systemd/netif/leases/ r,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 0e9d3aec..8ca83930 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -85,11 +85,11 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/ r,
- owner /tmp/* rw,
- owner /tmp/cc* rw,
- owner /tmp/dkms.*/ rw,
- owner /tmp/sh-thd.* rw,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/cc* rw,
+ owner @{tmp}/dkms.*/ rw,
+ owner @{tmp}/sh-thd.* rw,
+ owner @{tmp}/tmp.* rw,
 @{PROC}/sys/kernel/osrelease r,
 owner @{PROC}/@{pid}/fd/ r,
@@ -109,7 +109,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 owner /boot/System.map-* r,
- owner /tmp/tmp.* r,
+ owner @{tmp}/tmp.* r,
 @{sys}/module/compression r,
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate
index 5fc06387..95ed3f08 100644
--- a/apparmor.d/profiles-a-f/dlocate
+++ b/apparmor.d/profiles-a-f/dlocate
@@ -42,7 +42,7 @@ profile dlocate @{exec_path} {
 /var/lib/dpkg/info/*.conffiles r,
 /var/lib/dpkg/info/*.md5sums r,
- owner /tmp/sh-thd.* rw,
+ owner @{tmp}/sh-thd.* rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/fd/2 w,
diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode
index fd0fc8e5..d2200c25 100644
--- a/apparmor.d/profiles-a-f/dmidecode
+++ b/apparmor.d/profiles-a-f/dmidecode
@@ -14,7 +14,7 @@ profile dmidecode @{exec_path} {
 @{exec_path} mr,
- owner /tmp/dump.bin rw,
+ owner @{tmp}/dump.bin rw,
 @{sys}/firmware/dmi/tables/DMI r,
 @{sys}/firmware/dmi/tables/smbios_entry_point r,
diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper
index 1be45ad5..af3bc6f9 100644
--- a/apparmor.d/profiles-a-f/downloadhelper
+++ b/apparmor.d/profiles-a-f/downloadhelper
@@ -33,7 +33,7 @@ profile downloadhelper @{exec_path} {
 owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
 owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google@{int}/goog-phish-proto-@{int}.vlpset rw,
- owner /tmp/vdh-*.tmp rw,
+ owner @{tmp}/vdh-*.tmp rw,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap
index f88ff780..7013ff53 100644
--- a/apparmor.d/profiles-a-f/dumpcap
+++ b/apparmor.d/profiles-a-f/dumpcap
@@ -44,8 +44,8 @@ profile dumpcap @{exec_path} {
 /dev/ r,
 # Traffic log files
- owner /tmp/wireshark_*.pcapng rw,
- owner /tmp/*.pcap rw,
+ owner @{tmp}/wireshark_*.pcapng rw,
+ owner @{tmp}/*.pcap rw,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index 5c73da5b..d76f5c1d 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@@ -76,7 +76,7 @@ profile engrampa @{exec_path} {
 owner @{user_share_dirs}/ r,
 /tmp/ r,
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper
index e4b25735..f96fe8f3 100644
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@@ -57,7 +57,7 @@ profile etckeeper @{exec_path} {
 owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
- owner /tmp/etckeeper-git* rw,
+ owner @{tmp}/etckeeper-git* rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index fdaf80dc..266a7566 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -52,9 +52,9 @@ profile evince @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_config_dirs}/evince/{,*} rw,
- owner /tmp/*.pdf r,
- owner /tmp/evince-*/{,**} rw,
- owner /tmp/gtkprint* rw,
+ owner @{tmp}/*.pdf r,
+ owner @{tmp}/evince-*/{,**} rw,
+ owner @{tmp}/gtkprint* rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer
index ce85624f..6faf3009 100644
--- a/apparmor.d/profiles-a-f/evince-thumbnailer
+++ b/apparmor.d/profiles-a-f/evince-thumbnailer
@@ -15,8 +15,8 @@ profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /usr/share/poppler/{,**} r,
- owner /tmp/gnome-desktop-file-to-thumbnail.pdf r,
- owner /tmp/gnome-desktop-thumbnailer.png w,
+ owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r,
+ owner @{tmp}/gnome-desktop-thumbnailer.png w,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg
index 6f331f2a..3bc1fecf 100644
--- a/apparmor.d/profiles-a-f/ffmpeg
+++ b/apparmor.d/profiles-a-f/ffmpeg
@@ -32,8 +32,8 @@ profile ffmpeg @{exec_path} { owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, - owner /tmp/*.{png,jpg} rw, # To generate thumbnails in some apps - owner /tmp/vidcutter/** rw, # TMP files for apps using ffmpeg + owner @{tmp}/*.{png,jpg} rw, # To generate thumbnails in some apps + owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]/meminfo r, diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 29d56b63..81b60a20 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -70,7 +70,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /tmp/#@{int} rw, owner /dev/shm/flatpak*/{,**} rw, - owner /tmp/ostree-gpg-*/{,**} rw, + owner @{tmp}/ostree-gpg-*/{,**} rw, @{run}/.userns r, @{run}/user/@{uid}/.dbus-proxy/ w, @@ -107,8 +107,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner /tmp/ostree-gpg-*/ rw, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index 5bf664b8..cb49cd9d 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -45,7 +45,7 @@ profile flatpak-system-helper @{exec_path} { owner /{var/,}tmp/#@{int} rw, owner /{var/,}tmp/ostree-gpg-*/ rw, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, 
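Review bot: The link rule in the flatpak `@@ -107` hunk, `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,`, moves the source to `@{tmp}` but leaves the link target as a literal `/tmp/`; a link rule only authorises targets matching its right-hand side, so whenever `@{tmp}` expands to something other than `/tmp` the `l` permission silently stops applying and gpg's link/rename inside its temporary homedir is denied. The target should track the source: `owner @{tmp}/ostree-gpg-*/** rwkl -> @{tmp}/ostree-gpg-*/**,`. The enclosing block starts outside this hunk.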
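Review bot: The flatpak-system-helper `@@ -45` hunk leaves `owner /{var/,}tmp/#@{int} rw,` and `owner /{var/,}tmp/ostree-gpg-*/ rw,` on literal paths while the next line for the contents of that same directory becomes `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,`, with the link target still literal. Three rules that describe one directory tree only agree when `@{tmp}` happens to equal `/tmp`; either migrate all of them (`owner @{tmp}/ostree-gpg-*/ rw,` and `owner @{tmp}/ostree-gpg-*/** rwkl -> @{tmp}/ostree-gpg-*/**,`, keeping a `/var/tmp` alternation if that is still observed) or leave the whole group literal with a comment saying why. The profile's header and closing brace are outside this hunk.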
@@ -62,8 +62,8 @@ profile flatpak-system-helper @{exec_path} { @{lib}/{,gnupg/}scdaemon rix, @{bin}/gpg-agent rix, - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index fa376f98..664b43b4 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -74,7 +74,7 @@ profile frontend @{exec_path} flags=(complain) { /etc/inputrc r, /etc/shadow r, - owner /tmp/file* w, + owner @{tmp}/file* w, owner /var/cache/debconf/* rwk, @{HOME}/.Xauthority r, @@ -119,7 +119,7 @@ profile frontend @{exec_path} flags=(complain) { @{run}/ r, @{run}/** rw, /tmp/ r, - owner /tmp/** rw, + owner @{tmp}/** rw, } diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 048fcbcf..361f6c7c 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -82,7 +82,7 @@ profile gajim @{exec_path} { # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/) /var/tmp/ r, /tmp/ r, - owner /tmp/* rw, + owner @{tmp}/* rw, # Silencer deny /usr/share/gajim/** w, @@ -100,8 +100,8 @@ profile gajim @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{lib}/gcc/@{multiarch}/@{int}/collect2 rix, - owner /tmp/cc* rw, - owner /tmp/tmp* rw, + owner @{tmp}/cc* rw, + owner @{tmp}/tmp* rw, /media/ccache/*/** rw, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index a0641dbc..58459416 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git 
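Review bot: In the flatpak-system-helper `@@ -62` hunk the source of `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,` was rewritten but its target was not, so the `l` permission is dead on any host where `@{tmp}` is not `/tmp` (the tunable's value is not shown here). It should read `owner @{tmp}/ostree-gpg-*/** rwkl -> @{tmp}/ostree-gpg-*/**,`, matching the `rw` rule directly above it. This is a child block whose opening is outside the hunk.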
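Review bot: In the frontend `@@ -119` hunk `owner @{tmp}/** rw,` sits under an unchanged `/tmp/ r,`, so directory listing of the tmp root is only covered when `@{tmp}` expands to `/tmp`; add `@{tmp}/ r,` alongside it so the pair stays consistent however the tunable is set. Note that this block also grants `@{run}/** rw,` and the profile carries `flags=(complain)`, so none of these rules are enforced yet — worth a `# TODO: tighten before leaving complain mode` comment rather than relying on memory. The block's opening line is outside this hunk.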
@@ -89,21 +89,21 @@ profile git @{exec_path} { owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, - owner /tmp/** rwkl -> /tmp/**, - owner /tmp/**/bin/* rCx -> exec, + owner @{tmp}/** rwkl -> /tmp/**, + owner @{tmp}/**/bin/* rCx -> exec, owner @{HOME}/.gitconfig* rw, owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, - owner /tmp/git-difftool.*/ rw, # For diffs - owner /tmp/git-difftool.*/right/{,**} rw, - owner /tmp/git-difftool.*/left/{,**} rw, - owner /tmp/* rw, - owner /tmp/tmp*/ rw, # For TWRP-device-tree-generator - owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**, - owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner /tmp/git-commit-msg-.txt rw, # For android studio + owner @{tmp}/git-difftool.*/ rw, # For diffs + owner @{tmp}/git-difftool.*/right/{,**} rw, + owner @{tmp}/git-difftool.*/left/{,**} rw, + owner @{tmp}/* rw, + owner @{tmp}/tmp*/ rw, # For TWRP-device-tree-generator + owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**, + owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{tmp}/git-commit-msg-.txt rw, # For android studio deny @{user_share_dirs}/gvfs-metadata/* r, deny /dev/shm/.org.chromium.Chromium* rw, @@ -119,7 +119,7 @@ profile git @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /tmp/.git_vtag_tmp@{rand6} r, + owner @{tmp}/.git_vtag_tmp@{rand6} r, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -145,8 +145,8 @@ profile git @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, - owner /tmp/git@*:@{int} rwl -> /tmp/git@*:@{int}.*, - owner /tmp/ssh-*/agent.@{int} rw, + owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*, + owner @{tmp}/ssh-*/agent.@{int} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index 5f3fbdb0..566bd781 100644 --- a/apparmor.d/profiles-g-l/gpa 
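Review bot: Two link rules in this git hunk keep a literal target after their source moved: `owner @{tmp}/** rwkl -> /tmp/**,` and `owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**,`; on a host where `@{tmp}` is not `/tmp` the `l` permission never matches and hard-linking or renaming within the tmp tree is denied. Both should use `-> @{tmp}/**` and `-> @{tmp}/tmp*/**` respectively, and with the first rule in place the later `owner @{tmp}/* rw,` is redundant. The unchanged `owner @{tmp}/**/bin/* rCx -> exec,` still allows executing binaries dropped into tmp through the `exec` child; that is pre-existing, but a one-line comment on what legitimately needs it (hooks? difftool helpers?) would stop the next reader from assuming it is accidental. The profile `git` continues outside this hunk.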
+++ b/apparmor.d/profiles-g-l/gpa @@ -43,7 +43,7 @@ profile gpa @{exec_path} { # Files to verify owner /**.tar.gz r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/xauth-@{int}-_[0-9] r, # External apps @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 04cb2849..ede60499 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -72,7 +72,7 @@ profile gpartedbin @{exec_path} { @{HOME}/.Xauthority r, owner @{HOME}/*.htm w, - owner /tmp/gparted-*/ rw, + owner @{tmp}/gparted-*/ rw, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 807c703d..8e727c75 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -109,7 +109,7 @@ profile hardinfo @{exec_path} { owner @{HOME}/.hardinfo/ rw, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, # Allowed apps to open @{lib}/firefox/firefox rPUx, @@ -154,8 +154,8 @@ profile hardinfo @{exec_path} { @{sys}/fs/cgroup/{,**} r, - owner /tmp/hsperfdata_*/ rw, - owner /tmp/hsperfdata_*/@{pid} rw, + owner @{tmp}/hsperfdata_*/ rw, + owner @{tmp}/hsperfdata_*/@{pid} rw, } diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 78fc78f9..b3222265 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -37,8 +37,8 @@ profile hugo @{exec_path} { owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, - owner /tmp/hugo_cache/{,**} rwkl, - owner /tmp/go-codehost-@{int} rw, + owner @{tmp}/hugo_cache/{,**} rwkl, + owner @{tmp}/go-codehost-@{int} rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 2aa80f90..8c179e0d 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe 
@@ -91,8 +91,8 @@ profile hw-probe @{exec_path} { owner /root/HW_PROBE/{,**} rw, - owner /tmp/*/ rw, - owner /tmp/*/cpu_perf rw, + owner @{tmp}/*/ rw, + owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 599f8939..277ce6e7 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -71,7 +71,7 @@ profile hwinfo @{exec_path} { /var/lib/hardware/udi/ r, # For a log file - owner /tmp/hwinfo*.txt rw, + owner @{tmp}/hwinfo*.txt rw, profile kmod { @@ -85,7 +85,7 @@ profile hwinfo @{exec_path} { # file_inherit /dev/ttyS@{int} r, - owner /tmp/hwinfo*.txt rw, + owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, } @@ -107,7 +107,7 @@ profile hwinfo @{exec_path} { @{run}/udev/data/* r, # file_inherit - owner /tmp/hwinfo*.txt rw, + owner @{tmp}/hwinfo*.txt rw, } diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock index a594c62c..4d3600a7 100644 --- a/apparmor.d/profiles-g-l/i3lock +++ b/apparmor.d/profiles-g-l/i3lock @@ -29,7 +29,7 @@ profile i3lock @{exec_path} { owner @{HOME}/*/*.png r, # When using also i3lock-fancy. - owner /tmp/tmp.*.png r, + owner @{tmp}/tmp.*.png r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index 1fdb6433..f0e0f35f 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -36,9 +36,9 @@ profile i3lock-fancy @{exec_path} { /usr/share/i3lock-fancy/{,*} r, - owner /tmp/tmp.*.png rw, - owner /tmp/tmp.* rw, - owner /tmp/sh-thd.* rw, + owner @{tmp}/tmp.*.png rw, + owner @{tmp}/tmp.* rw, + owner @{tmp}/sh-thd.* rw, # file_inherit owner /dev/tty@{int} rw, 
@@ -62,7 +62,7 @@ profile i3lock-fancy @{exec_path} { # For gray scale (doesn't seem to be required). It produces files like /home/*/PIHFhJ . deny owner @{HOME}/* rw, - owner /tmp/tmp.*.png rw, + owner @{tmp}/tmp.*.png rw, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader index fa98950e..e65add8e 100644 --- a/apparmor.d/profiles-g-l/jdownloader +++ b/apparmor.d/profiles-g-l/jdownloader @@ -61,16 +61,16 @@ profile jdownloader @{exec_path} { owner @{HOME}/.install4j rw, - owner /tmp/hsperfdata_*/ rw, - owner /tmp/hsperfdata_*/@{pid} rw, + owner @{tmp}/hsperfdata_*/ rw, + owner @{tmp}/hsperfdata_*/@{pid} rw, # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead - owner /tmp/SevenZipJBinding-*/ rw, - owner /tmp/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, + owner @{tmp}/SevenZipJBinding-*/ rw, + owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, # For auto updates - owner /tmp/lastChanceSrc@{int}lch rw, - owner /tmp/lastChanceDst@{int}.jar rw, - owner /tmp/i4j_log_jd2_@{int}.log rw, - owner /tmp/install4jError@{int}.log rw, + owner @{tmp}/lastChanceSrc@{int}lch rw, + owner @{tmp}/lastChanceDst@{int}.jar rw, + owner @{tmp}/i4j_log_jd2_@{int}.log rw, + owner @{tmp}/install4jError@{int}.log rw, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index 68330c96..a90c7de8 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -18,8 +18,8 @@ profile jmtpfs @{exec_path} { @{bin}/fusermount{,3} rCx -> fusermount, - owner /tmp/tmp* rw, - owner /tmp/#@{int} rw, + owner @{tmp}/tmp* rw, + owner @{tmp}/#@{int} rw, # Mount points owner @{HOME}/*/ r, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index f07cc0ad..ad6fe04a 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc 
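Review bot: In the jdownloader hunk `owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,` grants write and mmap-exec on the same tmp file, so the profile permits loading whatever gets written there by this process or by anything else running as the same user in the shared tmp directory. The rename does not change that, but this is the place to document why the exception is accepted, e.g. `# 7-Zip-JBinding extracts its native library to a tmp dir before dlopen (W^X exception)`, and to reconsider whether `owner` on a predictable directory name is sufficient. The profile `jdownloader` starts and ends outside this hunk.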
@@ -68,14 +68,14 @@ profile keepassxc @{exec_path} { owner @{user_share_dirs}/keepassxc/ rw, owner @{user_share_dirs}/keepassxc/* rwkl -> @{user_share_dirs}/keepassxc/#@{int}, - owner /tmp/.[a-zA-Z]*/{,s} rw, - owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int}, - owner /tmp/*.*.settings rwl -> /tmp/#@{int}, - owner /tmp/#@{int} rw, - owner /tmp/keepassxc-*.lock{,.rmlock} rwk, - owner /tmp/keepassxc-*.socket rw, - owner /tmp/keepassxc.lock rw, - owner /tmp/keepassxc.socket rw, + owner @{tmp}/.[a-zA-Z]*/{,s} rw, + owner @{tmp}/*.*.gpgkey rwl -> /tmp/#@{int}, + owner @{tmp}/*.*.settings rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/keepassxc-*.lock{,.rmlock} rwk, + owner @{tmp}/keepassxc-*.socket rw, + owner @{tmp}/keepassxc.lock rw, + owner @{tmp}/keepassxc.socket rw, owner @{run}/user/@{pid}/app/ w, owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index ca70784b..e7e8cc8f 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -33,7 +33,7 @@ profile kernel-install @{exec_path} { /etc/kernel/install.d/ r, /etc/kernel/install.d/*.install rix, - owner /tmp/sh-thd.* rw, + owner @{tmp}/sh-thd.* rw, owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 5872ac5d..0ae2ba62 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod 
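Review bot: The two link rules `owner @{tmp}/*.*.gpgkey rwl -> /tmp/#@{int},` and `owner @{tmp}/*.*.settings rwl -> /tmp/#@{int},` migrate the source but not the anonymous-file target; the `#N` inode presumably lives in the same directory the destination is written to, so once `@{tmp}` is not `/tmp` the save-file rename is denied. Use `-> @{tmp}/#@{int}` on both, matching the `owner @{tmp}/#@{int} rw,` rule that follows. Separately, the unchanged context `owner @{run}/user/@{pid}/app/ w,` (and the line below it) indexes the runtime directory with a pid pattern although `@{run}/user/` is keyed by uid; it should be `owner @{run}/user/@{uid}/app/ w,`. The profile `keepassxc` starts and ends outside this hunk.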
@@ -47,11 +47,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/dracut.*/{,**} rw, owner /boot/System.map-* r, - owner /tmp/mkinitcpio.*/{,**} rw, + owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build - owner /tmp/depmod.*/lib/modules/*/ r, - owner /tmp/depmod.*/lib/modules/*/modules.* rw, + owner @{tmp}/depmod.*/lib/modules/*/ r, + owner @{tmp}/depmod.*/lib/modules/*/modules.* rw, owner @{user_build_dirs}/**/System.map r, owner @{user_build_dirs}/**/lib/modules/*/ r, owner @{user_build_dirs}/**/lib/modules/*/modules.* rw, diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid index 047faa5a..384fda9e 100644 --- a/apparmor.d/profiles-g-l/linssid +++ b/apparmor.d/profiles-g-l/linssid @@ -62,8 +62,8 @@ profile linssid @{exec_path} { owner @{PROC}/@{pid}/net/wireless r, owner @{PROC}/@{pid}/cmdline r, - owner /tmp/runtime-root/ rw, - owner /tmp/linssid_* rw, + owner @{tmp}/runtime-root/ rw, + owner @{tmp}/linssid_* rw, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -88,7 +88,7 @@ profile linssid @{exec_path} { # file_inherit owner @{HOME}/.linssid.prefs rw, owner @{HOME}/LinSSID.datalog rw, - owner /tmp/linssid_* rw, + owner @{tmp}/linssid_* rw, owner /dev/dri/card@{int} rw, } diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 5640cb43..a6fd4d8e 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -38,7 +38,7 @@ profile linux-check-removal @{exec_path} flags=(complain) { # The following is needed when debconf uses dialog/whiptail frontend. @{bin}/whiptail rPx, - owner /tmp/file* w, + owner @{tmp}/file* w, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index 6026b822..a9b3691d 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx 
@@ -30,8 +30,8 @@ profile lynx @{exec_path} { @{sh_path} rix, /etc/mailcap r, - owner /tmp/lynxXXXX*/ rw, - owner /tmp/lynxXXXX*/*TMP.html{,.gz} rw, + owner @{tmp}/lynxXXXX*/ rw, + owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw, owner @{HOME}/ r, diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index e2f048bd..c85b5e1d 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -80,7 +80,7 @@ profile man_groff { /etc/papersize r, /tmp/groff* rw, - owner /tmp/* rw, + owner @{tmp}/* rw, include if exists } diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index 52bceb44..6cd06a01 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -49,8 +49,8 @@ profile merkaartor @{exec_path} { deny owner @{PROC}/@{pid}/cmdline r, - owner /tmp/qtsingleapp-merkaa-* rw, - owner /tmp/qtsingleapp-merkaa-*-lockfile rwk, + owner @{tmp}/qtsingleapp-merkaa-* rw, + owner @{tmp}/qtsingleapp-merkaa-*-lockfile rwk, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 1c6bc72a..62fd0ab9 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -50,8 +50,8 @@ profile minitube @{exec_path} { # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, owner @{HOME}/.glvnd* mrw, - # owner /tmp/#@{int} mrw, - # owner /tmp/.glvnd* mrw, + # owner @{tmp}/#@{int} mrw, + # owner @{tmp}/.glvnd* mrw, # Cache owner @{user_cache_dirs}/ rw, @@ -74,8 +74,8 @@ profile minitube @{exec_path} { /usr/share/hwdata/pnp.ids r, # TMP - owner /tmp/qtsingleapp-minitu-* rw, - owner /tmp/qtsingleapp-minitu-*-lockfile rwk, + owner @{tmp}/qtsingleapp-minitu-* rw, + owner @{tmp}/qtsingleapp-minitu-*-lockfile rwk, @{bin}/xdg-open rCx -> open, diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index 61538790..7350d7b7 100644 
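Review bot: In the man_groff hunk the unchanged `/tmp/groff* rw,` stays literal and carries no `owner` qualifier, while the catch-all under it becomes `owner @{tmp}/* rw,`; if groff honours TMPDIR (which is what `@{tmp}` appears to model) its files land under `@{tmp}` and are covered only by the owner rule, leaving the literal one dead, whereas on plain `/tmp` hosts the literal rule lets this child write any `/tmp/groff*` file regardless of owner. Suggest `owner @{tmp}/groff* rw,`. The child profile `man_groff` opens outside this hunk.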
--- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge @@ -19,8 +19,8 @@ profile mkvmerge @{exec_path} { owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, - owner /tmp/MKVToolNix-process-*.json r, - owner /tmp/MKVToolNix-GUI-MuxJob-*.json r, + owner @{tmp}/MKVToolNix-process-*.json r, + owner @{tmp}/MKVToolNix-GUI-MuxJob-*.json r, # file_inherit /dev/dri/card@{int} rw, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index ee2c4155..63a978ba 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -50,11 +50,11 @@ profile mkvtoolnix-gui @{exec_path} { owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw, owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw, - owner /tmp/#@{int} rw, - owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int}, - owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#@{int}, - owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int}, - owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int}, + owner @{tmp}/MKVToolNix-process-*.json rwl -> /tmp/#@{int}, + owner @{tmp}/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int}, + owner @{tmp}/MKVToolNix-GUI-Instance-Communicator-* rw, owner /dev/shm/#@{int} rw, deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index c7057aa4..9e84ee50 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -33,8 +33,8 @@ profile modprobed-db @{exec_path} { owner @{user_config_dirs}/modprobed-db.conf r, owner @{user_config_dirs}/modprobed.db rw, - owner /tmp/.inmem rw, - owner /tmp/.potential_new_db rw, + owner @{tmp}/.inmem rw, + owner @{tmp}/.potential_new_db rw, @{PROC}/modules r, owner @{PROC}/@{pid}/loginuid r, 
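Review bot: The three mkvtoolnix-gui link rules, e.g. `owner @{tmp}/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},`, rewrite the source path but keep the literal `/tmp/#@{int}` target, so the `l` permission only works while `@{tmp}` equals `/tmp`; the anonymous `#N` file is presumably created in the same directory as the destination, so all three should end in `-> @{tmp}/#@{int}`, consistent with the `owner @{tmp}/#@{int} rw,` rule above them. The profile `mkvtoolnix-gui` continues outside this hunk.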
diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index 09ae2bcf..72891c7b 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -36,8 +36,8 @@ profile mono-sgen @{exec_path} { owner @{user_config_dirs}/openra/{,**} rw, owner @{user_config_dirs}/.mono/{,**} r, - owner /tmp/*.* rw, - owner /tmp/CASESENSITIVETEST* rw, + owner @{tmp}/*.* rw, + owner @{tmp}/CASESENSITIVETEST* rw, owner /dev/shm/mono.* rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index a4aaf531..71f1e4cf 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -52,9 +52,9 @@ profile mpsyt @{exec_path} { owner @{PROC}/@{pid}/mounts r, /tmp/ r, - owner /tmp/[a-z0-9]* rw, - owner /tmp/mpsyt-input* rw, - owner /tmp/mpsyt-mpv*.sock rw, + owner @{tmp}/[a-z0-9]* rw, + owner @{tmp}/mpsyt-input* rw, + owner @{tmp}/mpsyt-mpv*.sock rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 8f667bb2..058135e8 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -53,11 +53,11 @@ profile mpv @{exec_path} { owner @{user_config_dirs}/mpv/{,**} rw, /tmp/ r, - owner /tmp/mpsyt-input* rw, - owner /tmp/mpsyt-mpv*.sock rw, - owner /tmp/smplayer-mpv-* rw, - owner /tmp/smplayer_preview/@{int}.{jpg,png} w, - owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w, + owner @{tmp}/mpsyt-input* rw, + owner @{tmp}/mpsyt-mpv*.sock rw, + owner @{tmp}/smplayer-mpv-* rw, + owner @{tmp}/smplayer_preview/@{int}.{jpg,png} w, + owner @{tmp}/smplayer_screenshots/cap_*.{jpg,png} w, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 8366426b..4a40f418 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap 
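Review bot: In the mpv hunk `/tmp/ r,` is kept literal directly above the five rules that now use `@{tmp}`, so the directory itself is readable only when the tunable expands to `/tmp`; add `@{tmp}/ r,` so the group stays coherent (the same applies to the mpsyt hunk just before it). The profile `mpv` starts and ends outside this hunk.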
@@ -31,8 +31,8 @@ profile nmap @{exec_path} { /usr/share/nmap/** r, - owner /tmp/zenmap-stdout-* rw, - owner /tmp/zenmap-*.xml rw, + owner @{tmp}/zenmap-stdout-* rw, + owner @{tmp}/zenmap-*.xml rw, owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/if_inet6 r, diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt index 7402c6e4..4a9e437b 100644 --- a/apparmor.d/profiles-m-r/ntfsdecrypt +++ b/apparmor.d/profiles-m-r/ntfsdecrypt @@ -17,7 +17,7 @@ profile ntfsdecrypt @{exec_path} { @{exec_path} mr, # Common locations of the key - owner /tmp/*.key r, + owner @{tmp}/*.key r, owner @{HOME}/*.key r, include if exists diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete index c1db1526..5b066d3f 100644 --- a/apparmor.d/profiles-m-r/ntfsundelete +++ b/apparmor.d/profiles-m-r/ntfsundelete @@ -19,8 +19,8 @@ profile ntfsundelete @{exec_path} { owner @{PROC}/@{pid}/mounts r, # The recovery dir - owner /tmp/ntfs-recovery/ r, - owner /tmp/ntfs-recovery/* rw, + owner @{tmp}/ntfs-recovery/ r, + owner @{tmp}/ntfs-recovery/* rw, include if exists } diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap index b5ff0b05..056207cc 100644 --- a/apparmor.d/profiles-m-r/ntfsusermap +++ b/apparmor.d/profiles-m-r/ntfsusermap @@ -21,7 +21,7 @@ profile ntfsusermap @{exec_path} { # Where to save the UserMapping file owner /root/UserMapping w, - owner /tmp/UserMapping w, + owner @{tmp}/UserMapping w, include if exists } diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index c0bb8b6a..5333bc94 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -61,7 +61,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { /boot/{efi/,}EFI/ r, /boot/{efi/,}EFI/*/ r, - owner /tmp/os-prober.*/{,**} rw, + owner @{tmp}/os-prober.*/{,**} rw, @{sys}/block/ r, @{sys}/devices/@{pci}/block/*/ r, 
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b769ecbb..972d4526 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -89,9 +89,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { /tmp/apt-changelog-@{rand6}/ w, /tmp/apt-changelog-@{rand6}/*.changelog rw, - owner /tmp/alpm_*/{,**} rw, - owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, - owner /tmp/packagekit* rw, + owner @{tmp}/alpm_*/{,**} rw, + owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, + owner @{tmp}/packagekit* rw, @{run}/systemd/inhibit/*.ref rw, owner @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 436cdc71..5ca95200 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -15,8 +15,8 @@ profile pam-tmpdir-helper @{exec_path} { @{exec_path} mr, - owner /tmp/user/ rw, - owner /tmp/user/@{uid}/ rw, + owner @{tmp}/user/ rw, + owner @{tmp}/ rw, /dev/ptmx rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 4e19b6ad..342fe1b5 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -124,7 +124,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, - owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw, include if exists 
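Review bot: In the packagekitd hunk the unchanged `/tmp/apt-changelog-@{rand6}/ w,` and `/tmp/apt-changelog-@{rand6}/*.changelog rw,` describe the same directory as the rewritten `owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,`, so the directory and one of its files now live under different roots and only agree when `@{tmp}` equals `/tmp`. Either move the two literal lines to `@{tmp}` as well, or keep all three literal with a comment that packagekitd's apt backend runs as a system daemon without a per-user TMPDIR (if that is indeed the reason). The pre-existing absence of `owner` on the first two rules deserves a comment either way. The profile `packagekitd` starts and ends outside this hunk.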
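Review bot: Replacing `owner /tmp/user/@{uid}/ rw,` with `owner @{tmp}/ rw,` in pam-tmpdir-helper changes meaning depending on the tunable, whose definition is not visible here: if `@{tmp}` is `/tmp` on hosts without pam-tmpdir the helper gains rw on the shared `/tmp/` itself and loses the per-user directory it exists to create, and if `@{tmp}` already expands to `/tmp/user/@{uid}` then the preceding `owner @{tmp}/user/ rw,` resolves to `/tmp/user/@{uid}/user/`, which is wrong. Since this helper is what populates `/tmp/user/@{uid}`, its rules should stay literal — `owner /tmp/user/ rw,` and `owner /tmp/user/@{uid}/ rw,` — with a comment that this profile must not depend on the variable it supplies the value for. The profile's header and closing are outside this hunk.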
@@ -146,7 +146,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.*/{,*} rw, - owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index f14cf3a1..d2ad4fd9 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -33,7 +33,7 @@ profile pass-import @{exec_path} { owner @{user_password_store_dirs}/{,**} rw, - owner /tmp/[a-zA-Z0-9]* rw, + owner @{tmp}/[a-zA-Z0-9]* rw, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index eecb1364..ae157744 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -38,7 +38,7 @@ profile pinentry-qt @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, owner /dev/shm/#@{int} rw, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index 5035c872..702ccbcd 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -45,7 +45,7 @@ profile popularity-contest @{exec_path} { /var/log/popularity-contest.[0-9]* w, /var/log/popularity-contest.new w, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 7e21a206..745f1f39 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi 
@@ -63,8 +63,8 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/ rw, owner @{user_share_dirs}/psi/** rwk, - owner /tmp/#@{int} rw, - owner /tmp/Psi.* rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index d28dc19c..2b619815 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -61,8 +61,8 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/ rw, owner @{user_share_dirs}/psi+/** rwk, - owner /tmp/#@{int} rw, - owner /tmp/Psi+.* rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, owner /var/tmp/etilqs_@{hex} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index f8160340..e1eb03dd 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -100,16 +100,14 @@ profile qbittorrent @{exec_path} { owner @{user_torrents_dirs}/** rw, owner /dev/shm/#@{int} rw, - owner /tmp/.*/{,s} rw, - owner /tmp/.qBittorrent/ rw, - owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, - owner /tmp/*.torrent rw, - owner /tmp/mozilla_*/*.torrent rw, - owner /tmp/qtsingleapp-qBitto-* rw, - owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, - owner /tmp/tmp* rw, - owner /tmp/user/@{uid}/.qBittorrent/ rw, - owner /tmp/user/@{uid}/.qBittorrent/** rw, + owner @{tmp}/.*/{,s} rw, + owner @{tmp}/.qBittorrent/ rw, + owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, + owner @{tmp}/*.torrent rw, + owner @{tmp}/mozilla_*/*.torrent rw, + owner @{tmp}/qtsingleapp-qBitto-* rw, + owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, + owner @{tmp}/tmp* rw, owner @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/comm r, 
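Review bot: In the psi hunk `owner @{tmp}/Psi.* rwl -> /tmp/#@{int},` keeps a literal link target after its source moved to `@{tmp}`, so the rule only authorises the save-file rename when `@{tmp}` is `/tmp`; it should be `owner @{tmp}/Psi.* rwl -> @{tmp}/#@{int},`, and the psi-plus hunk that follows has the identical pattern with `Psi+.*`. The profile `psi` starts and ends outside this hunk.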
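Review bot: In the qbittorrent `@@ -100` hunk `owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,` rewrites only the left-hand side, so linking inside that directory is denied wherever `@{tmp}` is not `/tmp`; it should read `owner @{tmp}/.qBittorrent/* rwl -> @{tmp}/.qBittorrent/*,`. The two deleted `owner /tmp/user/@{uid}/.qBittorrent/...` lines are presumably now meant to be covered by `@{tmp}`, which holds only if the tunable includes `/tmp/user/@{uid}` on pam-tmpdir hosts; nothing in this file records that dependency, so a short comment next to the `.qBittorrent` rules would help. The profile `qbittorrent` continues outside this hunk.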
@@ -142,8 +140,8 @@ profile qbittorrent @{exec_path} { owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int}, # unconventional '_' tail owner /dev/shm/* rw, - owner /tmp/@{int} rw, - owner /tmp/tmp* rw, + owner @{tmp}/@{int} rw, + owner @{tmp}/tmp* rw, deny /dev/dri/card@{int} rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 7d820645..463715e1 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -57,13 +57,13 @@ profile qbittorrent-nox @{exec_path} { owner @{user_share_dirs}/mime/types r, # TMP - owner /tmp/qtsingleapp-qBitto-* rw, - owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, - owner /tmp/.qBittorrent/ rw, - owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, - owner /tmp/mozilla_*/*.torrent rw, - owner /tmp/*.torrent rw, - owner /tmp/.*/{,s} rw, + owner @{tmp}/qtsingleapp-qBitto-* rw, + owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, + owner @{tmp}/.qBittorrent/ rw, + owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, + owner @{tmp}/mozilla_*/*.torrent rw, + owner @{tmp}/*.torrent rw, + owner @{tmp}/.*/{,s} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 8905cd5d..61d6276b 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi 
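Review bot: The qbittorrent-nox hunk repeats the half-migrated link rule `owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,`; the target must follow the source, `-> @{tmp}/.qBittorrent/*`, or the `l` permission is ineffective on hosts where the tunable is not `/tmp`. The profile `qbittorrent-nox` opens outside this hunk.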
@@ -63,15 +63,15 @@ profile qnapi @{exec_path} { owner @{user_cache_dirs}/ rw, /tmp/ r, - owner /tmp/@{hex}.* rw, - owner /tmp/** rw, - owner /tmp/#@{int} rw, - owner /tmp/QNapi-*-rc wl -> /tmp/#@{int}, - owner /tmp/QNapi-*-rc.lock rwk, - owner /tmp/QNapi.@{int}.tmp rw, - owner /tmp/QNapi.@{int}.tmp.* rw, - owner /tmp/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int}, - owner /tmp/QNapi.@{int} rw, + owner @{tmp}/@{hex}.* rw, + owner @{tmp}/** rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int}, + owner @{tmp}/QNapi-*-rc.lock rwk, + owner @{tmp}/QNapi.@{int}.tmp rw, + owner @{tmp}/QNapi.@{int}.tmp.* rw, + owner @{tmp}/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int}, + owner @{tmp}/QNapi.@{int} rw, owner /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 28ec6f84..fca31ff6 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -56,9 +56,9 @@ profile qpdfview @{exec_path} { owner @{user_share_dirs}/qpdfview/** rwk, owner /dev/shm/#@{int} rw, - owner /tmp/@{hex} rw, - owner /tmp/#@{int} rw, - owner /tmp/qpdfview.*.pdf rwl -> /tmp/#@{int}, + owner @{tmp}/@{hex} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/qpdfview.*.pdf rwl -> /tmp/#@{int}, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index 8b243e8f..a6013640 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -52,7 +52,7 @@ profile qtox @{exec_path} { owner @{PROC}/@{pid}/cmdline r, @{PROC}/sys/kernel/core_pattern r, # for KCrash::initialize() - owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw, + owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw, /dev/ r, /dev/video@{int} rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index c1d7944c..a0463bb9 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss 
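Review bot: In the qnapi hunk `owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int},` and `owner @{tmp}/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int},` keep a literal target while their sources moved, so they should end in `-> @{tmp}/#@{int}`; the unchanged `/tmp/ r,` above them has the same split and wants an `@{tmp}/ r,` beside it. Note also that `owner @{tmp}/** rw,` already subsumes every plain `rw` rule in this block, leaving only the `k` and `l` rules with any effect — if the broad rule is intended, a comment saying so would make the narrower ones read as documentation rather than dead weight. The profile `qnapi` starts and ends outside this hunk.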
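Review bot: In the qpdfview hunk `owner @{tmp}/qpdfview.*.pdf rwl -> /tmp/#@{int},` leaves the anonymous-file link target literal; the `#N` inode is presumably created in the same directory as the destination, so the rule should be `owner @{tmp}/qpdfview.*.pdf rwl -> @{tmp}/#@{int},` to match the `owner @{tmp}/#@{int} rw,` line above it. The profile `qpdfview` starts and ends outside this hunk.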
@@ -61,8 +61,8 @@ profile quiterss @{exec_path} { /dev/shm/#@{int} rw, - owner /tmp/qtsingleapp-quiter-@{int}-@{int} rw, - owner /tmp/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, + owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, + owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, owner /var/tmp/etilqs_@{hex} rw, # Allowed apps to open diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 38a3c0f6..56f1152e 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -50,8 +50,8 @@ profile repo @{exec_path} { /usr/share/git-core/{,**} r, - owner /tmp/.git_vtag_tmp@{rand6} rw, - owner /tmp/ssh-*/ rw, + owner @{tmp}/.git_vtag_tmp@{rand6} rw, + owner @{tmp}/ssh-*/ rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, @@ -80,7 +80,7 @@ profile repo @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, - owner /tmp/.git_vtag_tmp@{rand6} r, + owner @{tmp}/.git_vtag_tmp@{rand6} r, } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 4cd81889..726f6f64 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -135,9 +135,9 @@ profile run-parts @{exec_path} { /usr/share/landscape/landscape-sysinfo.wrapper rPUx, - owner /tmp/#@{int} rw, - owner /tmp/$anacron* rw, - owner /tmp/file@{rand6} ra, + owner @{tmp}/#@{int} rw, + owner @{tmp}/$anacron* rw, + owner @{tmp}/file@{rand6} ra, owner @{sys}/class/power_supply/ r, diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 7d3b1ae4..590ed971 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -45,7 +45,7 @@ profile runuser @{exec_path} { /etc/default/runuser r, # file_inherit - owner /tmp/debian-security-support.postinst.*/output w, + owner @{tmp}/debian-security-support.postinst.*/output w, include if exists } 
diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index b82576a1..50e5ae8c 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -41,7 +41,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{user_share_dirs}/YACReader/YACReaderLibrary/ rw, owner @{user_share_dirs}/YACReader/YACReaderLibrary/** rwlk, - owner /tmp/@{uuid} w, + owner @{tmp}/@{uuid} w, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index 721a1b46..1bc9288d 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -32,7 +32,7 @@ profile s3fs @{exec_path} { owner @{MOUNTS}/ r, owner @{MOUNTS}/*/ r, - owner /tmp/* rw, + owner @{tmp}/* rw, /dev/fuse rw, @@ -59,7 +59,7 @@ profile s3fs @{exec_path} { @{MOUNTS}/ r, @{MOUNTS}/*/ r, - owner /tmp/s3fstmp.* rw, + owner @{tmp}/s3fstmp.* rw, @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index 0be658dd..f0b8426c 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -27,7 +27,7 @@ profile sanoid @{exec_path} flags=(complain) { @{run}/sanoid/sanoid_cacheupdate.lock rwk, @{run}/sanoid/sanoid_pruning.lock rwk, - owner /tmp/** rw, + owner @{tmp}/** rw, include if exists } diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 6b785ebe..3751c4ab 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer 
@@ -64,11 +64,11 @@ profile smplayer @{exec_path} { owner @{user_cache_dirs}/#@{int} rw, - owner /tmp/qtsingleapp-smplay-* rw, - owner /tmp/qtsingleapp-smplay-*-lockfile rwk, - owner /tmp/smplayer_preview/ rw, - owner /tmp/smplayer_preview/@{int}.{jpg,png} rw, - owner /tmp/smplayer-mpv-* w, + owner @{tmp}/qtsingleapp-smplay-* rw, + owner @{tmp}/qtsingleapp-smplay-*-lockfile rwk, + owner @{tmp}/smplayer_preview/ rw, + owner @{tmp}/smplayer_preview/@{int}.{jpg,png} rw, + owner @{tmp}/smplayer-mpv-* w, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 6eb60c47..26859829 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -71,7 +71,7 @@ profile snap @{exec_path} { @{HOME}/snap/{,**} rw, /snap/{,**} rw, - owner /tmp/snapd-auto-import-mount-@{int}/ rw, + owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 8d6a4a49..328eab74 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -39,7 +39,7 @@ profile snap-update-ns @{exec_path} { owner /var/snap/ rw, owner /var/snap/**/ rw, - owner /tmp/.snap/{,**} rwk, + owner @{tmp}/.snap/{,**} rwk, @{run}/snapd/lock/*.lock rwk, @{run}/snapd/ns/{,**} rw, diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index dc1f4d95..94fa14f0 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker 
@@ -73,17 +73,17 @@ profile spectre-meltdown-checker @{exec_path} { # To fetch MCE.db from the MCExtractor project @{bin}/wget rCx -> mcedb, @{bin}/sqlite3 rCx -> mcedb, - owner /tmp/mcedb-* rw, - owner /tmp/smc-* rw, - owner /tmp/{,smc-}intelfw-*/ rw, - owner /tmp/{,smc-}intelfw-*/fw.zip rw, - owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, - owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, + owner @{tmp}/mcedb-* rw, + owner @{tmp}/smc-* rw, + owner @{tmp}/{,smc-}intelfw-*/ rw, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, owner @{HOME}/.mcedb rw, /tmp/ r, - owner /tmp/{config,kernel}-* rw, + owner @{tmp}/{config,kernel}-* rw, owner /dev/cpu/@{int}/cpuid r, owner /dev/cpu/@{int}/msr rw, @@ -166,8 +166,8 @@ profile spectre-meltdown-checker @{exec_path} { owner @{HOME}/.mcedb rw, /tmp/ r, - owner /tmp/{,smc-}mcedb-* rwk, - owner /tmp/{,smc-}intelfw-*/fw.zip rw, + owner @{tmp}/{,smc-}mcedb-* rwk, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, /usr/share/publicsuffix/public_suffix_list.* r, diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 99d7ae84..99d05d28 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -24,7 +24,7 @@ profile ss @{exec_path} { /etc/iproute2/{,**} r, - owner /tmp/*.ss rw, + owner @{tmp}/*.ss rw, owner @{HOME}/*.ss rw, @{PROC} r, diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 8bb4cd73..9a51396c 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -40,7 +40,7 @@ profile startx @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xserverrc r, /tmp/ r, - owner /tmp/serverauth.* rw, + owner @{tmp}/serverauth.* rw, /dev/ r, owner /dev/tty@{int} rw, 
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 429aca59..d370dbb2 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -139,13 +139,13 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - owner /tmp/dumps/ rw, - owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw, - owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, - owner /tmp/miles_image_* mrw, - owner /tmp/runtime-info.txt.* rwk, - owner /tmp/sh-thd.* rw, - owner /tmp/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + owner @{tmp}/dumps/ rw, + owner @{tmp}/dumps/{assert,crash}_@{int}_@{int}.dmp rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{tmp}/miles_image_* mrw, + owner @{tmp}/runtime-info.txt.* rwk, + owner @{tmp}/sh-thd.* rw, + owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index d011c16c..e476bc26 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -161,10 +161,10 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/wine-*-fsync rw, - owner /tmp/.wine-@{uid}/server-*/* rwk, - owner /tmp/** rw, - owner /tmp/miles_image_* mr, - owner /tmp/pressure-vessel-*/{,**} rwl, + owner @{tmp}/.wine-@{uid}/server-*/* rwk, + owner @{tmp}/** rw, + owner @{tmp}/miles_image_* mr, + owner @{tmp}/pressure-vessel-*/{,**} rwl, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index fac7818f..44100175 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui 
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -45,9 +45,9 @@ profile steam-gameoverlayui @{exec_path} { owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - owner /tmp/gameoverlayui.log* rw, - owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, - owner /tmp/miles_image_* mrw, + owner @{tmp}/gameoverlayui.log* rw, + owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, + owner @{tmp}/miles_image_* mrw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index a36d59d2..9852d56b 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -79,13 +79,13 @@ profile strawberry @{exec_path} { /dev/shm/#@{int} rw, /dev/sr[0-9]* r, - owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, - owner /tmp/.*/ rw, - owner /tmp/.*/s rw, - owner /tmp/strawberry*[0-9] w, - owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#@{int}, - owner /tmp/#@{int} rw, - owner /tmp/*= w, + owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, + owner @{tmp}/.*/ rw, + owner @{tmp}/.*/s rw, + owner @{tmp}/strawberry*[0-9] w, + owner @{tmp}/strawberry-cover-*.jpg rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/*= w, owner /var/tmp/etilqs_@{hex} rw, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index bb516789..18aafae6 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner /tmp/swtpm_setup.certs.*/ w, - owner /tmp/swtpm_setup.certs.*/*.cert rw, - owner /tmp/.swtpm_setup.pidfile* rw, + owner @{tmp}/swtpm_setup.certs.*/ w, + owner @{tmp}/swtpm_setup.certs.*/*.cert rw, + owner @{tmp}/.swtpm_setup.pidfile* rw, include if exists } \ No newline at end of file 
diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index c04232d8..36a5c985 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,7 +25,7 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - owner /tmp/** rw, + owner @{tmp}/** rw, @{PROC}/@{pids}/maps r, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index f6f5025a..fb3c6077 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -46,7 +46,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{run}/cups/cups.sock rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner /tmp/* rw, + owner @{tmp}/* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 24cc65c1..94bba6ce 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -38,7 +38,7 @@ profile tasksel @{exec_path} flags=(complain) { /usr/share/debconf/confmodule r, - owner /tmp/file* w, + owner @{tmp}/file* w, profile tasksel-tests flags=(complain) { @@ -66,7 +66,7 @@ profile tasksel @{exec_path} flags=(complain) { # The following is needed when debconf uses dialog/whiptail frontend. @{bin}/whiptail rPx, - owner /tmp/file* w, + owner @{tmp}/file* w, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 86b064de..c63a5657 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -36,7 +36,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/terminator/{,**} rw, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pid}/net/tcp{,6} r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 04e67287..d27f84aa 100644 
--- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -126,14 +126,14 @@ profile thunderbird @{exec_path} { /tmp/ r, /var/tmp/ r, - owner /tmp/@{name}{,_*}/ rw, - owner /tmp/@{name}{,_*}/* rwk, - owner /tmp/* rw, - owner /tmp/mozilla_*/ rw, - owner /tmp/mozilla_*/* rw, - owner /tmp/MozillaMailnews/ rw, - owner /tmp/MozillaMailnews/*.msf rw, - owner /tmp/Temp-@{uuid}/ rw, + owner @{tmp}/@{name}{,_*}/ rw, + owner @{tmp}/@{name}{,_*}/* rwk, + owner @{tmp}/* rw, + owner @{tmp}/mozilla_*/ rw, + owner @{tmp}/mozilla_*/* rw, + owner @{tmp}/MozillaMailnews/ rw, + owner @{tmp}/MozillaMailnews/*.msf rw, + owner @{tmp}/Temp-@{uuid}/ rw, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index c36601b9..b69db491 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -21,7 +21,7 @@ profile thunderbird-glxtest @{exec_path} { owner @{config_dirs}/*/.parentlock rw, - owner /tmp/thunderbird/.parentlock rw, + owner @{tmp}/thunderbird/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index d5050b01..345b7a6f 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -20,7 +20,7 @@ profile thunderbird-vaapitest @{exec_path} { @{exec_path} mr, - owner /tmp/thunderbird/.parentlock rw, + owner @{tmp}/thunderbird/.parentlock rw, deny @{cache_dirs}/*/startupCache/** r, deny @{config_dirs}/*/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 889014b1..e098f55e 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 
@@ -43,7 +43,7 @@ profile tint2 @{exec_path} { owner @{HOME}/.Xauthority r, - owner /tmp/tint2-@{pid}-@{int}.png rw, + owner @{tmp}/tint2-@{pid}-@{int}.png rw, # Battery applet @{sys}/class/power_supply/ r, diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt index 179fdd89..5b232a00 100644 --- a/apparmor.d/profiles-s-z/transmission-qt +++ b/apparmor.d/profiles-s-z/transmission-qt @@ -40,7 +40,7 @@ profile transmission-qt @{exec_path} { owner @{user_cache_dirs}/transmission/ rw, owner @{user_cache_dirs}/transmission/** rwk, - owner /tmp/tr_session_id_* rwk, + owner @{tmp}/tr_session_id_* rwk, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 1795bc6c..65ddef5e 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -51,7 +51,7 @@ profile ucf @{exec_path} flags=(complain) { /etc/ucf.conf r, /var/lib/ucf/** rw, - owner /tmp/* rw, + owner @{tmp}/* rw, /etc/default/* rw, # For md5sum diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 59bdb710..23f4e249 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -38,14 +38,14 @@ profile unmkinitramfs @{exec_path} { /boot/ r, owner /boot/initrd.img-* r, /tmp/ r, - owner /tmp/initrd.img-* r, + owner @{tmp}/initrd.img-* r, /mnt/ r, owner /mnt/initrd.img-* r, /mnt/boot/ r, owner /mnt/boot/initrd.img-* r, # To extract the content of the initrd image - owner /tmp/** rwl -> /tmp/**, + owner @{tmp}/** rwl -> /tmp/**, /var/tmp/ r, owner /var/tmp/unmkinitramfs_* rw, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index 8d0f61b4..d1dba09e 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates 
@@ -53,7 +53,7 @@ profile update-ca-certificates @{exec_path} { / r, /tmp/ r, - owner /tmp/ca-certificates{,.crt}.tmp.* rw, + owner @{tmp}/ca-certificates{,.crt}.tmp.* rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index df2b9734..7c2d4c1b 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -36,7 +36,7 @@ profile update-cracklib @{exec_path} { owner /var/cache/cracklib/{,**} rw, - owner /tmp/sort@{rand6} rw, + owner @{tmp}/sort@{rand6} rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index b491f4a1..9ceb9ec4 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -28,7 +28,7 @@ profile vcsi @{exec_path} { /etc/fstab r, - owner /tmp/* rw, + owner @{tmp}/* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 9ceb3fd4..b9c12955 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -51,10 +51,10 @@ profile vidcutter @{exec_path} { owner @{user_config_dirs}/vidcutter/ rw, owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int}, - owner /tmp/vidcutter-@{uuid} w, - owner /tmp/#@{int} rw, - owner /tmp/*.jpg rwl -> /tmp/#@{int}, - owner /tmp/vidcutter/{,*} rw, + owner @{tmp}/vidcutter-@{uuid} w, + owner @{tmp}/#@{int} rw, + owner @{tmp}/*.jpg rwl -> /tmp/#@{int}, + owner @{tmp}/vidcutter/{,*} rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index 21a369ad..464d5862 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -18,7 +18,7 @@ profile whiptail @{exec_path} flags=(complain) { /etc/newt/palette.* r, - owner /tmp/gpm* w, + owner @{tmp}/gpm* w, include if exists } 
diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index 19f38bc9..3c10760d 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -48,7 +48,7 @@ profile wireshark @{exec_path} { owner @{HOME}/.wireshark/{,**} rw, owner @{user_config_dirs}/wireshark/{,**} rw, - owner /tmp/wireshark_extcap_ciscodump_@{int}_* rw, + owner @{tmp}/wireshark_extcap_ciscodump_@{int}_* rw, deny @{PROC}/sys/kernel/random/boot_id r, deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index 6e621d57..b961da10 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -17,7 +17,7 @@ profile wl-copy @{exec_path} { @{bin}/xdg-mime rPx, - owner /tmp/wl-copy-buffer-*/{,**} rw, + owner @{tmp}/wl-copy-buffer-*/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index c324f3b9..03c3db36 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} { owner @{HOME}/.wpa_cli_history-@{int}.tmp rw, owner @{run}/wpa_supplicant/ r, - owner /tmp/wpa_ctrl_@{pid}-[0-9] rw, + owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index f9396ba9..6718f20c 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -24,7 +24,7 @@ profile wpa-gui @{exec_path} { /usr/share/hwdata/pnp.ids r, - owner /tmp/wpa_ctrl_@{pid}-[0-9] w, + owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, owner /dev/shm/#@{int} rw, @{run}/wpa_supplicant/ r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index eb6f8f95..dccccc2b 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver 
@@ -56,7 +56,7 @@ profile xarchiver @{exec_path} { @{MOUNTS}/ r, @{MOUNTS}/** rw, /tmp/ r, - owner /tmp/** rw, + owner @{tmp}/** rw, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index 44710efd..02ab3042 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -26,15 +26,15 @@ profile xauth @{exec_path} { owner @{HOME}/.Xauthority-n rw, owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n, - owner /tmp/serverauth.*-c w, - owner /tmp/serverauth.*-l wl -> /tmp/serverauth.*-c, - owner /tmp/serverauth.*-n rw, - owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n, + owner @{tmp}/serverauth.*-c w, + owner @{tmp}/serverauth.*-l wl -> /tmp/serverauth.*-c, + owner @{tmp}/serverauth.*-n rw, + owner @{tmp}/serverauth.* rwl -> /tmp/serverauth.*-n, - owner /tmp/runtime-*/xauth_@{rand6} r, - owner /tmp/xauth_@{rand6} r, - owner /tmp/xauth_@{rand6}-c w, - owner /tmp/xauth_@{rand6}-l wl, + owner @{tmp}/runtime-*/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6}-c w, + owner @{tmp}/xauth_@{rand6}-l wl, owner @{run}/user/@{uid}/xauth_@{rand6} rw, owner @{run}/user/@{uid}/xauth_@{rand6}-c w, diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 0aadf7a6..68258cae 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -16,8 +16,8 @@ profile xclip @{exec_path} { @{exec_path} mr, - owner /tmp/mutt-* rw, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/mutt-* rw, + owner @{tmp}/xauth_@{rand6} r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 8c8428d1..03ec3ff9 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit 
@@ -70,8 +70,8 @@ profile xinit @{exec_path} { owner @{HOME}/.xserverrc r, owner @{HOME}/.xsession-errors w, - owner /tmp/file* rw, - owner /tmp/tmp.* rw, + owner @{tmp}/file* rw, + owner @{tmp}/tmp.* rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 6b065bcd..9fb9593d 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -19,7 +19,7 @@ profile xsel @{exec_path} { owner @{user_cache_dirs}/xsel.log rw, owner @{HOME}/.Xauthority r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/xauth-@{int}-_[0-9] r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index c2fa6162..1ce39288 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -43,7 +43,7 @@ profile zed @{exec_path} { @{run}/zed.state rwkl, @{run}/zfs-list.cache@* rw, - owner /tmp/tmp.* rw, + owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index 8d4a0934..2136952a 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -37,8 +37,8 @@ profile zenmap @{exec_path} { /usr/share/zenmap/** r, - owner /tmp/* rw, - owner /tmp/zenmap-stdout-* rw, + owner @{tmp}/* rw, + owner @{tmp}/zenmap-stdout-* rw, include if exists } From 3a90d82a1eb92d6f0b2eff48f00bf44b4875118c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 2 May 2024 22:27:00 +0100 Subject: [PATCH 23/37] feat: remove the deprecated ucf profile. --- apparmor.d/profiles-s-z/ucf | 116 ------------------------------------ 1 file changed, 116 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/ucf diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf deleted file mode 100644 index 65ddef5e..00000000 --- a/apparmor.d/profiles-s-z/ucf +++ /dev/null 
@@ -1,116 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2022 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ucf -profile ucf @{exec_path} flags=(complain) { - include - include - - @{exec_path} r, - @{sh_path} rix, - - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/{m,g,}awk rix, - @{bin}/getopt rix, - @{bin}/id rix, - @{bin}/md5sum rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/perl rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/stat rix, - @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, - - # Do not strip env to avoid errors like the following: - # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open - # shared object file): ignored. - @{bin}/dpkg-query rpx, - # - @{bin}/dpkg-divert rPx, - - @{bin}/sensible-pager rCx -> pager, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/ucf.conf r, - /var/lib/ucf/** rw, - - owner @{tmp}/* rw, - /etc/default/* rw, - - # For md5sum - /etc/** r, - /usr/share/** r, - @{run}/** r, - - # For writing new config files - /etc/** rw, - - /usr/share/debconf/confmodule r, - - # For shell pwd - / r, - /root/ r, - - - profile pager flags=(complain) { - include - include - - @{bin}/ r, - @{bin}/sensible-pager mr, - - # For shell pwd - /root/ r, - - } - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/ucf rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - - # The following is needed when debconf uses GUI frontends. 
- include
- include
- include
- include
- capability dac_read_search,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/hostname rix,
- owner @{PROC}/@{pid}/mounts r,
- @{HOME}/.Xauthority r,
-
- }
-
- include if exists
-}
From dfdf50a3d38c42865374c0375cf3154ca62850a2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 May 2024 12:32:22 +0100
Subject: [PATCH 24/37] fix(build): add msedge to the overwritten list.
---
dists/overwrite | 1 +
1 file changed, 1 insertion(+)
diff --git a/dists/overwrite b/dists/overwrite
index b00079b1..37db232d 100644
--- a/dists/overwrite
+++ b/dists/overwrite
@@ -15,6 +15,7 @@ firefox
 flatpak
 foliate
 loupe
+msedge
 nautilus
 opera
 plasmashell
From 9c0f4dd6a747721c756052ff93eeb31355317d25 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 May 2024 12:34:08 +0100
Subject: [PATCH 25/37] fix(aa-log): grep journal logs over apparmor instead of AVC for wider compatibility.
---
pkg/logs/loggers.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go
index a46471ac..517f038a 100644
--- a/pkg/logs/loggers.go
+++ b/pkg/logs/loggers.go
@@ -75,8 +75,8 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
 }
 scanner = bufio.NewScanner(file)
 } else {
- // journalctl -b -o json --grep=AVC --output-fields=MESSAGE > systemd.log
- cmd := exec.Command("journalctl", "--boot", "--grep=AVC", "--output=json", "--output-fields=MESSAGE")
+ // journalctl -b -o json --grep=apparmor --output-fields=MESSAGE > systemd.log
+ cmd := exec.Command("journalctl", "--boot", "--grep=apparmor", "--output=json", "--output-fields=MESSAGE")
 cmd.Stdout = &stdout
 if err := cmd.Run(); err != nil {
 return nil, err
From b636b4b3e91ce486d6169395db0b69c67c4c7aab Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 May 2024 13:01:10 +0100
Subject: [PATCH 26/37] feat(aa-log): improve the journalctl filter.
---
pkg/logs/loggers.go | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go
index 517f038a..9eb8a681 100644
--- a/pkg/logs/loggers.go
+++ b/pkg/logs/loggers.go
@@ -75,8 +75,13 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) {
 }
 scanner = bufio.NewScanner(file)
 } else {
- // journalctl -b -o json --grep=apparmor --output-fields=MESSAGE > systemd.log
- cmd := exec.Command("journalctl", "--boot", "--grep=apparmor", "--output=json", "--output-fields=MESSAGE")
+ // journalctl -b -o json -g apparmor -t kernel -t audit -t dbus-daemon --output-fields=MESSAGE > systemd.log
+ args := []string{
+ "--boot", "--grep=apparmor",
+ "--identifier=kernel", "--identifier=audit", "--identifier=dbus-daemon",
+ "--output=json", "--output-fields=MESSAGE",
+ }
+ cmd := exec.Command("journalctl", args...)
 cmd.Stdout = &stdout
 if err := cmd.Run(); err != nil {
 return nil, err
From 40abc982013cdff5816ee12c52f5b6e485bcaf8c Mon Sep 17 00:00:00 2001
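Review bot: The new `--identifier` allow-list silently drops any AppArmor record logged under another syslog identifier, and nothing in the hunk records why these three were chosen; a comment above `args` such as `// Only the kernel, auditd and the D-Bus daemon emit AppArmor records; other identifiers are ignored on purpose.` would keep the next maintainer from "fixing" it. Whether `dbus-daemon` is the right identifier on a distribution whose message bus is dbus-broker is something I cannot confirm from here and is worth checking against one of the supported distributions. `--grep=apparmor` is a regular expression and, being all lowercase, matches case-insensitively in journalctl, so messages that merely mention AppArmor (boot banners, policy loads) also pass the filter; presumably the line parser further down tolerates them. GetJournalctlLogs starts before the hunk and continues after it.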
From: Alexandre Pujol Date: Fri, 3 May 2024 18:16:12 +0100 Subject: [PATCH 27/37] feat(profile): general update. --- apparmor.d/abstractions/app/chromium | 6 +++--- .../abstractions/bus/org.freedesktop.RealtimeKit1 | 6 +++--- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gjs-console | 5 ----- .../groups/gnome/gnome-remote-desktop-daemon | 2 ++ apparmor.d/groups/gnome/gnome-shell | 7 +++---- apparmor.d/groups/gnome/gnome-software | 4 ++-- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gvfs/gvfsd-trash | 2 +- .../groups/pacman/archlinux-keyring-wkd-sync | 4 ++-- apparmor.d/profiles-g-l/kanyremote | 1 + apparmor.d/profiles-m-r/passimd | 2 ++ apparmor.d/profiles-s-z/snap | 14 +------------- apparmor.d/profiles-s-z/spice-vdagent | 6 ++---- apparmor.d/profiles-s-z/ssurl | 4 ++-- apparmor.d/profiles-s-z/vsftpd | 10 ++++------ 17 files changed, 31 insertions(+), 48 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 3b106c6e..34850c02 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -159,14 +159,14 @@ owner @{tmp}/tmp.*/ rw, owner @{tmp}/tmp.*/** rwk, + owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, + /dev/shm/ r, owner /dev/shm/.@{domain}* rw, @{run}/udev/data/c13:@{int} r, # for /dev/input/* - owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, - owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, - @{sys}/bus/ r, @{sys}/bus/**/devices/ r, @{sys}/class/**/ r, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index a4008970..9a0fdf9f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -14,17 +14,17 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 - member={MakeThreadRealtime,MakeThreadHighPriority} + member=MakeThread* peer=(name=:*, label=rtkit-daemon), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 - member={MakeThreadRealtime,MakeThreadHighPriority} + member=MakeThread* peer=(name=org.freedesktop.RealtimeKit1), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 - member=MakeThreadRealtimeWithPID + member=MakeThread* peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), include if exists diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index f7219c98..95afc8fc 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -48,7 +48,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 292013a5..de2f97e6 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -39,11 +39,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll 
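Review bot: Replacing the explicit member lists with `member=MakeThread*` widens all three rules to every current and future `MakeThread…` method, including the `…WithPID` variants that target a thread of another process, whereas before only the third rule (well-known name plus `rtkit-daemon` label) allowed `MakeThreadRealtimeWithPID`. rtkit-daemon enforces its own priority and authorization limits, so the practical exposure is small, but the abstraction now grants more than the callers it was written for appear to need. If the glob is intended, a one-line comment above the first rule, e.g. `# MakeThread* deliberately covers the *WithPID variants`, would record the decision; otherwise keep the members explicit, e.g. `member={MakeThreadRealtime,MakeThreadHighPriority}` on the first two rules as before.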
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 051f0afd..9c7044d0 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -11,6 +11,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include include include include @@ -19,6 +20,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gnome.RemoteDesktop.User + #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index cf93ebae..7f76ff3f 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/gnome-shell profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include @@ -20,13 +19,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include - include include include include @@ -89,10 +86,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* 
@@ -208,6 +206,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, + / r, /.flatpak-info r, /etc/fstab r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 7029d834..259ae8b2 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -29,7 +29,7 @@ profile gnome-software @{exec_path} { @{exec_path} mr, @{bin}/baobab rPUx, - @{bin}/bwrap rPUx, + @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -61,7 +61,7 @@ profile gnome-software @{exec_path} { /var/lib/flatpak/appstream/{,**} r, /var/lib/flatpak/repo/{,**} r, /var/lib/flatpak/runtime/{,**} r, - + /var/lib/PackageKit/offline-update-competed r, /var/lib/PackageKit/prepared-update r, /var/lib/swcatalog/icons/**.png r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 4ef3dcfd..d06d7214 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} { ptrace (read) peer=htop, ptrace (read) peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal + #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 459970b0..c4c22af1 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames 
@@ -18,7 +18,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(term) peer=gdm, + signal (receive) set=(hup term) peer=gdm{,-session-worker}, @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 56768040..8344c454 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -24,7 +24,7 @@ profile gvfsd-trash @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=:*, label=gnome-shell), + peer=(name=:*, label="{gnome-shell,nautilus}"), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index 1df0cb15..78fefff1 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -20,11 +20,11 @@ profile archlinux-keyring-wkd-sync @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/dirmngr rix, - @{bin}/gpg{,2} rix, @{bin}/gpg-agent rix, + @{bin}/gpg{,2} rix, @{bin}/pacman-conf rix, /etc/pacman.conf r, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index cf6503be..b9f22923 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -101,6 +101,7 @@ profile kanyremote @{exec_path} { /usr/share/anyremote/{,**} r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 2109f7f8..2ead4d03 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd 
@@ -29,6 +29,8 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /var/lib/passim/{,**} r, /var/lib/passim/data/{,**} rw, + owner /var/log/passim/* rw, + @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 26859829..3d71ce76 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -31,19 +31,7 @@ profile snap @{exec_path} { #aa:dbus own bus=session name=io.snapcraft.Launcher #aa:dbus own bus=session name=io.snapcraft.Settings - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=StartTransientUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - - dbus receive bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=JobRemoved - peer=(name=:*, label="@{p_systemd}"), - dbus receive bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=JobRemoved - peer=(name=:*, label="@{p_systemd_user}"), + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index fef063b8..5da32107 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -19,12 +19,10 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include + include include - include - include + include include - include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index a0e1764b..9471ab0a 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl 
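Review bot: The `#aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"` line replaces rules that were scoped to `member=StartTransientUnit` (send) and `member=JobRemoved` (receive), and a talk directive is presumably expanded into unscoped send/receive on that name, which hands snap the whole manager interface of the user's systemd instead of the one method it used. The system-bus `dbus receive bus=system ... member=JobRemoved peer=(name=:*, label="@{p_systemd}")` rule is also dropped with no system-bus equivalent; if snap still receives that signal from the system instance, it will now be denied. Consider keeping the three explicit rules, or adding a comment above the directive stating that the wider grant is intended and why.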
@@ -13,8 +13,8 @@ profile ssurl @{exec_path} { include include - capability dac_read_search, - deny capability dac_override, + capability dac_read_search, + capability dac_override, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 727a1792..33915f7c 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -10,13 +10,10 @@ include @{exec_path} = @{bin}/vsftpd profile vsftpd @{exec_path} { include - include - - # Only for local users authentication include - - # For libwrap (TCP Wrapper) support (tcp_wrappers=YES) include + include + include # To be able to listen on ports < 1024 capability net_bind_service, @@ -43,7 +40,8 @@ profile vsftpd @{exec_path} { capability net_admin, capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp - include + + @{exec_path} mr, # To validate allowed users shells /etc/shells r, From 683bfed4addde2a13ba52a3d9e089b4411f2f1df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 4 May 2024 00:14:07 +0100 Subject: [PATCH 28/37] feat(profile): modernise some profiles. --- apparmor.d/groups/apps/calibre | 10 +-- apparmor.d/groups/apps/flameshot | 65 +++------------ apparmor.d/groups/apps/telegram-desktop | 97 ++++------------------ apparmor.d/profiles-a-f/birdtray | 73 +++++------------ apparmor.d/profiles-g-l/keepassxc | 2 - apparmor.d/profiles-m-r/megasync | 85 +++++-------------- apparmor.d/profiles-m-r/minitube | 99 +++++++---------------- apparmor.d/profiles-m-r/psi | 66 +++------------ apparmor.d/profiles-m-r/psi-plus | 65 +++------------ apparmor.d/profiles-m-r/qbittorrent-nox | 56 ++++++------- apparmor.d/profiles-m-r/qnapi | 51 +++--------- apparmor.d/profiles-m-r/qpdfview | 18 ++--- apparmor.d/profiles-m-r/qt5ct | 27 ++----- apparmor.d/profiles-s-z/scrot | 11 +-- apparmor.d/profiles-s-z/strawberry | 103 +++++++----------------- 15 files changed, 197 insertions(+), 631 deletions(-) 
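Review bot: `deny capability dac_override,` becomes `capability dac_override,` with no explanation, which turns a deliberate deny (likely there to silence audit noise) into a grant that lets ssurl bypass file permission bits entirely. `capability dac_read_search,` on the previous line already covers reading and traversing paths it does not own, so dac_override is only needed if it must write to files it has no permission on. If that is the case, a comment such as `# dac_override: needed to write PLACEHOLDER-PATH owned by another user` above the rule would record the reason; if not, the deny should stay.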
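Review bot: In vsftpd the two explanatory comments `# Only for local users authentication` and `# For libwrap (TCP Wrapper) support (tcp_wrappers=YES)` are dropped together with the include reordering, and the second hunk of the same file removes the include that followed `# If session_support=YES, vsftpd will also try and update utmp and wtmp` but keeps the comment, so it now sits above `@{exec_path} mr,` and describes nothing. Either drop the orphaned comment or move it next to whatever rule now grants the utmp/wtmp access (the include targets are not visible in this view). Restoring the two one-line notes on the includes they annotate keeps the rationale for the optional abstractions in the profile.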
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index fe3867af..f252e634 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -20,17 +20,12 @@ profile calibre @{exec_path} { include include include + include include include - include - include - include - include + include include - include - include include - include include include include @@ -66,7 +61,6 @@ profile calibre @{exec_path} { @{bin}/xdg-mime rPx, /usr/share/calibre/{,**} r, - /usr/share/hwdata/pnp.ids r, /etc/fstab r, /etc/inputrc r, diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot index d4d16144..4e7971cd 100644 --- a/apparmor.d/groups/apps/flameshot +++ b/apparmor.d/groups/apps/flameshot @@ -10,20 +10,15 @@ include @{exec_path} = @{bin}/flameshot profile flameshot @{exec_path} { include - include - include - include + include include - include - include - include - include + include + include include include + include include include - include - include network inet dgram, network inet6 dgram, 
@@ -36,58 +31,24 @@ profile flameshot @{exec_path} { @{bin}/whoami rix, - @{bin}/xdg-open rCx -> open, - - # Flameshot home files - owner @{user_config_dirs}/flameshot/ rw, - owner @{user_config_dirs}/flameshot/flameshot.ini rw, - owner @{user_config_dirs}/flameshot/#@{int} rw, - owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#@{int}, - owner @{user_config_dirs}/flameshot/flameshot.ini.lock rwk, + @{open_path} rPx -> child-open-help, /var/lib/dbus/machine-id r, /etc/machine-id r, - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/flameshot/ rw, + owner @{user_config_dirs}/flameshot/** rwlk -> @{user_config_dirs}/flameshot/**, owner @{tmp}/.*/{,s} rw, owner @{tmp}/*= rw, owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw, + owner /dev/shm/#@{int} rw, - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /dev/shm/#@{int} rw, - - # file_inherit - owner /dev/tty@{int} rw, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 6b9fbdf7..add8fa0d 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop 
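Review bot: `deny @{PROC}/sys/kernel/random/boot_id r,` and `deny owner @{PROC}/@{pid}/cmdline r,` become plain allow rules (`@{PROC}/sys/kernel/random/boot_id r,` and `owner @{PROC}/@{pid}/cmdline r,`), and the same flip is made in telegram-desktop, birdtray, megasync, minitube, psi, psi-plus, qbittorrent-nox, qnapi, qpdfview and strawberry. A deny rule both blocks and suppresses the audit entry, so if the original intent was only to quiet logs, the rewrite now gives these applications a stable per-boot host identifier they were previously kept from reading. If the toolkit genuinely needs boot_id (presumably for Qt's machine-id derivation), a comment on one of these rules, or a shared abstraction holding both lines, would record that; otherwise the denies should be kept. The `owner /dev/shm/#@{int} rw,` narrowing in this hunk is a good change that megasync, minitube, psi, psi-plus and qbittorrent-nox do not yet mirror.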
@@ -7,28 +7,19 @@ abi , include -@{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram - @{exec_path} = @{bin}/telegram-desktop profile telegram-desktop @{exec_path} { include - include - include - include - include - include - include - include include - include - include + include + include + include + include + include include include include - include - include - include - include + include network inet dgram, network inet6 dgram, 
@@ -41,80 +32,26 @@ profile telegram-desktop @{exec_path} { @{sh_path} rix, - # Launch external apps - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, - # What's this for? - deny @{bin}/fc-list rx, - - # Telegram files /usr/share/TelegramDesktop/{,**} r, - # Download dir - owner @{TELEGRAM_WORK_DIR}/ rw, - owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#@{int}, - - # Telegram's profile (via telegram -many -workdir ~/some/dir/) - #owner @{TELEGRAM_WORK_DIR}/{,**} rw, - - # Autostart - owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - - owner @{tmp}/@{hex}-* rwk, - owner @{run}/user/@{uid}/@{hex}-* rwk, - - /dev/shm/#@{int} rw, - - owner @{PROC}/@{pid}/fd/ r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - - /etc/fstab r, - /var/lib/dbus/machine-id r, /etc/machine-id r, - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - # Allowed apps to open - @{lib}/firefox/firefox rPx, - @{bin}/smplayer rPx, - @{bin}/viewnior rPUx, - @{bin}/qpdfview rPx, - @{bin}/geany rPx, + owner @{tmp}/@{hex}-* rwk, + owner @{run}/user/@{uid}/@{hex}-* rwk, + owner /dev/shm/#@{int} rw, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{TELEGRAM_WORK_DIR}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - @{bin}/smplayer rPx, - @{bin}/qpdfview rPx, - @{bin}/viewnior rPUx, - @{bin}/geany rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } 
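Review bot: The new side keeps no rule for a download location: `owner @{TELEGRAM_WORK_DIR}/ rw,` and `owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#@{int},` are removed along with the variable, and nothing in this hunk grants write access to a downloads directory. If that is covered by one of the includes added in the first hunk (the include targets are not visible here), a short comment pointing to it would help; otherwise saving received files will be denied. Dropping `deny @{bin}/fc-list rx,` is a good cleanup, since an unexplained deny should not outlive its reason, but any audit noise it was hiding will now return.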
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 9104e400..972ee380 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -10,16 +10,11 @@ include @{exec_path} = @{bin}/birdtray profile birdtray @{exec_path} { include - include - include - include + include include - include - include - include - include - include + include include + include include network inet dgram, @@ -28,20 +23,13 @@ profile birdtray @{exec_path} { @{exec_path} mr, - # To be able to start Thunderbird - @{bin}/thunderbird rPx, - - @{bin}/xdg-open rCx -> open, + @{bin}/thunderbird rPx, + @{open_path} rPx -> child-open, /usr/share/ulduzsoft/birdtray/{,**} r, - owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, - - owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, - - owner @{tmp}/birdtray.ulduzsoft.single.instance.server.socket w, + /var/lib/dbus/machine-id r, + /etc/machine-id r, # Thunderbird mail dirs owner @{HOME}/ r, 
@@ -51,47 +39,22 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/ r, owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/ulduzsoft/ rw, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + + owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, + + owner @{tmp}/birdtray.ulduzsoft.single.instance.server.socket w, /dev/shm/#@{int} rw, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index ad6fe04a..aeb155df 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -42,8 +42,6 @@ profile keepassxc @{exec_path} { /usr/share/keepassxc/{,**} r, /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, owner @{HOME}/ r, owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 35754db8..8f30c0c8 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync 
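Review bot: `owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,` carries a hard-coded personal home directory as the link target, so the `l` permission only works for that one account and the rule ships a developer username in a public profile. The target should use the same variable as the source: `owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*,`. The line is moved rather than new, but the rewrite was the moment to fix it.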
@@ -11,19 +11,14 @@ include profile megasync @{exec_path} { include include - include - include - include - include + include include - include - include + include include - include include include - include include + include network inet dgram, network inet6 dgram, 
@@ -40,71 +35,29 @@ profile megasync @{exec_path} { @{bin}/xrdb rPx, @{bin}/xdg-mime rPx, - @{bin}/xdg-open rCx -> open, - - # Megasync home files - owner @{HOME}/ r, - owner "@{user_share_dirs}/data/Mega Limited/" rw, - owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}", - - owner @{user_config_dirs}/QtProject.conf r, - - # Sync folder - owner @{user_sync_dirs}/ r, - owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, - - # Proc filesystem - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - - /etc/fstab r, - - # Autostart - owner @{user_config_dirs}/autostart/#@{int} rw, - owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int}, - - /dev/shm/#@{int} rw, + @{open_path} rPx -> child-open, /etc/machine-id r, /var/lib/dbus/machine-id r, - /usr/share/hwdata/pnp.ids r, + owner @{HOME}/ r, - # Allowed apps to open - @{lib}/firefox/firefox rPx, - @{bin}/spacefm rPx, + owner @{user_config_dirs}/autostart/#@{int} rw, + owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int}, - # file_inherit + owner "@{user_share_dirs}/data/Mega Limited/" rw, + owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}", + + owner @{user_sync_dirs}/ r, + owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/" r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - 
@{lib}/firefox/firefox rPx, - @{bin}/spacefm rPx, - - # file_inherit - owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw, - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 62fd0ab9..e8e07ef4 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -10,18 +10,14 @@ include @{exec_path} = @{bin}/minitube profile minitube @{exec_path} { include - include - include - include - include - include - include - include include + include + include + include + include include - include - include include + include include include @@ -34,18 +30,33 @@ profile minitube @{exec_path} { @{exec_path} mr, - # Minitube home files + # Be able to turn off the screensaver while playing movies + @{bin}/xdg-screensaver rCx -> xdg-screensaver, + + @{open_path} rPx -> child-open, + + /usr/share/minitube/{,**} r, + + /etc/vdpau_wrapper.cfg r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/vlcsnap-.png rw, + + owner "@{user_cache_dirs}/Flavio Tordini/" rw, + owner "@{user_cache_dirs}/Flavio Tordini/Minitube/" rw, + owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**", + owner "@{user_config_dirs}/Flavio Tordini/" rw, owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#@{int}", owner "@{user_share_dirs}/Flavio Tordini/" rw, owner "@{user_share_dirs}/Flavio Tordini/Minitube/" rw, owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk, - # Snapshot owner @{user_pictures_dirs}/*.png rw, - owner @{HOME}/vlcsnap-.png rw, - /usr/share/minitube/{,**} r, + owner @{tmp}/qtsingleapp-minitu-* rw, + owner @{tmp}/qtsingleapp-minitu-*-lockfile rwk, # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, 
@@ -53,65 +64,13 @@ profile minitube @{exec_path} { # owner @{tmp}/#@{int} mrw, # owner @{tmp}/.glvnd* mrw, - # Cache - owner @{user_cache_dirs}/ rw, - owner "@{user_cache_dirs}/Flavio Tordini/" rw, - owner "@{user_cache_dirs}/Flavio Tordini/Minitube/" rw, - owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**", + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, - deny /dev/ r, - /dev/shm/#@{int} rw, - - /etc/vdpau_wrapper.cfg r, - - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/core_pattern r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - # TMP - owner @{tmp}/qtsingleapp-minitu-* rw, - owner @{tmp}/qtsingleapp-minitu-*-lockfile rwk, - - @{bin}/xdg-open rCx -> open, - - # Be able to turn off the screensaver while playing movies - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - profile xdg-screensaver { include include @@ -133,6 +92,8 @@ profile minitube @{exec_path} { /dev/dri/card@{int} rw, network inet stream, network inet6 stream, + + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 745f1f39..84ae5b1b 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi 
@@ -11,21 +11,16 @@ include profile psi @{exec_path} { include include - include + include include include - include - include - include - include + include include - include include include include include include - include network inet dgram, network inet6 dgram, @@ -38,12 +33,11 @@ profile psi @{exec_path} { @{exec_path} mr, @{bin}/aplay rCx -> aplay, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, - /usr/share/hwdata/pnp.ids r, /usr/share/psi/{,**} r, /etc/debian_version r, @@ -51,8 +45,6 @@ profile psi @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner /var/tmp/etilqs_@{hex} rw, - owner @{HOME}/ r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/#@{int} rw, @@ -64,18 +56,17 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - /dev/shm/#@{int} rw, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, profile aplay { 
@@ -95,42 +86,7 @@ profile psi @{exec_path} { # file_inherit /dev/dri/card@{int} rw, - } - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - owner @{HOME}/.gnupg/ rw, - owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, - - # file_inherit - /dev/dri/card@{int} rw, - - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 2b619815..e1f78a45 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -11,21 +11,16 @@ include profile psi-plus @{exec_path} { include include - include + include include include - include - include - include - include + include include - include include include include include include - include network inet dgram, network inet6 dgram, @@ -38,12 +33,11 @@ profile psi-plus @{exec_path} { @{exec_path} mr, @{bin}/aplay rCx -> aplay, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, - /usr/share/hwdata/pnp.ids r, /usr/share/psi-plus/{,**} r, /etc/debian_version r, 
@@ -62,19 +56,17 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, - owner /var/tmp/etilqs_@{hex} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - /dev/shm/#@{int} rw, - - # file_inherit + /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, profile aplay { @@ -94,42 +86,7 @@ profile psi-plus @{exec_path} { # file_inherit /dev/dri/card@{int} rw, - } - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - # file_inherit - /dev/dri/card@{int} rw, - - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 463715e1..b6e292a0 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/qbittorrent-nox profile qbittorrent-nox @{exec_path} { include + include include include 
@@ -22,48 +23,37 @@ profile qbittorrent-nox @{exec_path} { @{exec_path} mr, - # Qbittorrent home dirs - owner @{user_config_dirs}/qBittorrent/ rw, - owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, - owner @{user_share_dirs}/qBittorrent/ rw, - owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int}, - # Old dir, not recommended to use: - deny owner @{user_share_dirs}/data/qBittorrent/ rw, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, - # Cache dir owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, - # Torrent files - owner @{user_torrents_dirs}/ r, - owner @{user_torrents_dirs}/** rw, + owner @{user_config_dirs}/qBittorrent/ rw, + owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, + owner @{user_share_dirs}/qBittorrent/ rw, + owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int}, - /dev/disk/by-label/ r, - - /dev/shm/#@{int} rw, - - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/mime/mime.cache r, - /usr/share/mime/types r, - owner @{user_share_dirs}/mime/mime.cache r, - owner @{user_share_dirs}/mime/types r, - - # TMP - owner @{tmp}/qtsingleapp-qBitto-* rw, - owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, + owner @{tmp}/.*/{,s} rw, owner @{tmp}/.qBittorrent/ rw, owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, - owner @{tmp}/mozilla_*/*.torrent rw, owner @{tmp}/*.torrent rw, - owner @{tmp}/.*/{,s} rw, + owner @{tmp}/mozilla_*/*.torrent rw, + owner @{tmp}/qtsingleapp-qBitto-* rw, + owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, + owner 
@{PROC}/@{pid}/mounts r, + + /dev/disk/by-label/ r, + /dev/shm/#@{int} rw, + + deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use include if exists } diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 61d6276b..712750a3 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -10,18 +10,13 @@ include @{exec_path} = @{bin}/qnapi profile qnapi @{exec_path} { include - include + include include - include - include - include - include + include include - include include include include - include network inet dgram, network inet6 dgram, @@ -39,12 +34,10 @@ profile qnapi @{exec_path} { @{bin}/7z rix, @{lib}/p7zip/7z rix, - @{bin}/ffprobe rPx, - @{bin}/xdg-open rCx -> open, + @{bin}/ffprobe rPx, + @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPx, - /usr/share/hwdata/pnp.ids r, - /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -60,8 +53,6 @@ profile qnapi @{exec_path} { owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{int}, - owner @{user_cache_dirs}/ rw, - /tmp/ r, owner @{tmp}/@{hex}.* rw, owner @{tmp}/** rw, 
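Review bot: `owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int},` still points its link target into the `data/qBittorrent` tree that the last line of the hunk marks as the old, discouraged location (`deny owner @{user_share_dirs}/data/qBittorrent/ rw,`), and that deny matches only the directory entry itself, not files beneath it. If the current location is `@{user_share_dirs}/qBittorrent/`, the target should presumably be `-> @{user_share_dirs}/qBittorrent/**/#@{int}`; if the old tree must stay reachable through links, the trailing comment should say so. Both lines are carried over unchanged, so this may be pre-existing rather than introduced here.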
@@ -73,37 +64,13 @@ profile qnapi @{exec_path} { owner @{tmp}/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int}, owner @{tmp}/QNapi.@{int} rw, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner /dev/shm/#@{int} rw, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner /dev/tty@{int} rw, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index fca31ff6..2ced9351 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -10,19 +10,14 @@ include @{exec_path} = @{bin}/qpdfview profile qpdfview @{exec_path} { include - include + include include - include - include - include - include + include include - include include include include include - include @{exec_path} mr, @@ -34,7 +29,6 @@ profile qpdfview @{exec_path} { @{lib}/firefox/firefox rPUx, @{open_path} rPx -> child-open, - /usr/share/hwdata/pnp.ids r, /usr/share/poppler/** r, /usr/share/djvu/** r, @@ -60,10 +54,10 @@ profile qpdfview @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/qpdfview.*.pdf rwl -> /tmp/#@{int}, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner /dev/tty@{int} rw, 
diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index f17f2a83..3d4d73bb 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -10,19 +10,17 @@ include @{exec_path} = @{bin}/qt5ct profile qt5ct @{exec_path} { include - include - include - include + include include - include - include - include - include - include + include include + include @{exec_path} mr, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/qt5ct/ rw, owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#@{int}, @@ -35,19 +33,8 @@ profile qt5ct @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - /usr/share/qt5ct/** r, - - /usr/share/xsessions/{,*.desktop} r, - + @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, - @{PROC}//sys/kernel/random/boot_id r, - - /etc/X11/cursors/*.theme r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /usr/share/hwdata/pnp.ids r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index e2fd09d1..f423775f 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/scrot profile scrot @{exec_path} { include + include include @{exec_path} mr, @@ -21,16 +22,10 @@ profile scrot @{exec_path} { # The image dir owner @{HOME}/*.png rw, - owner @{HOME}/.Xauthority r, - - /dev/shm/#@{int} rw, - - owner @{HOME}/.icons/default/index.theme r, - /usr/share/icons/*/index.theme r, - /usr/share/icons/*/cursors/* r, - # file_inherit owner @{HOME}/.xsession-errors w, + /dev/shm/#@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 9852d56b..efb32611 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry 
@@ -10,22 +10,18 @@ include @{exec_path} = @{bin}/strawberry profile strawberry @{exec_path} { include - include - include - include - include - include - include - include - include include - include + include + include + include + include + include + include + include include include - include include - include - include + include signal (send) set=(term, kill) peer=strawberry-tagreader, 
@@ -42,88 +38,45 @@ profile strawberry @{exec_path} { @{bin}/strawberry-tagreader rPx, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open-help, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + owner @{HOME}/ r, - # Media library owner @{user_music_dirs}/ r, owner @{user_music_dirs}/** rw, - # Playlists - owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw, - owner @{HOME}/**.{M3U,XSPF,PLS,ASX,CUE,WPL} rw, - - owner @{HOME}/ r, owner @{user_config_dirs}/strawberry/ rw, owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int}, owner @{user_share_dirs}/strawberry/ rw, owner @{user_share_dirs}/strawberry/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/strawberry/ rw, owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#@{int}, owner @{user_cache_dirs}/xine-lib/ rw, owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/sys/kernel/random/boot_id r, + owner @{tmp}/.*/ rw, + owner @{tmp}/.*/s rw, + owner @{tmp}/*= w, + owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex} rw, + owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, + owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, + owner @{tmp}/strawberry*[0-9] w, + owner /dev/shm/#@{int} rw, @{run}/mount/utab r, - /etc/fstab r, - - /dev/shm/#@{int} rw, - /dev/sr[0-9]* r, - - owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, - owner @{tmp}/.*/ rw, - owner @{tmp}/.*/s rw, - owner @{tmp}/strawberry*[0-9] w, - owner @{tmp}/strawberry-cover-*.jpg rwl -> /tmp/#@{int}, - owner @{tmp}/#@{int} rw, - owner @{tmp}/*= w, - - owner /var/tmp/etilqs_@{hex} rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner /dev/tty@{int} rw, 
- owner @{HOME}/.anyRemote/anyremote.stdout w, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, include if exists } From f38f1ad651f5537e9a8e6318d32513f11c965660 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 4 May 2024 00:21:03 +0100 Subject: [PATCH 29/37] feat(profile): improve kde profiles. --- apparmor.d/abstractions/app/chromium | 1 + .../groups/freedesktop/xdg-desktop-portal-gtk | 5 +-- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/tracker-miner | 1 + apparmor.d/groups/kde/DiscoverNotifier | 32 ++++++++++++++++-- apparmor.d/groups/kde/baloorunner | 33 +++++++++++++++++++ .../groups/kde/drkonqi-coredump-processor | 9 ++++- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kded | 2 ++ .../kde/plasma-browser-integration-host | 1 + apparmor.d/groups/kde/plasma-emojier | 25 ++++++++++++++ apparmor.d/groups/kde/plasma_waitforname | 1 + apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/startplasma | 2 ++ 14 files changed, 108 insertions(+), 8 deletions(-) create mode 100644 apparmor.d/groups/kde/plasma-emojier diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 34850c02..c3584901 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium 
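Review bot: `owner /var/tmp/etilqs_@{hex} rw,` is dropped from the strawberry profile and only `owner @{tmp}/etilqs_@{hex} rw,` remains, but SQLite selects its temporary directory from SQLITE_TMPDIR/TMPDIR and then /var/tmp, /usr/tmp, /tmp in that order, so on a normal host its `etilqs_*` files still land in /var/tmp unless the environment says otherwise; the tracker-miner hunk in the next patch keeps both rules, which is the safer form here as well. The removal of `/dev/sr[0-9]* r,` and `/etc/fstab r,` also takes away the optical-drive read path a music player's CD playback needs, unless one of the new includes (not visible in this hunk) now provides it. xdg-open is redirected to `child-open-help` while qpdfview in the same series uses `child-open`; if the distinction is intentional a short comment on the rule would save the next reader the question. The profile body starts outside the hunk.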
@@ -46,6 +46,7 @@ ptrace (read) peer=gnome-browser-connector-host, ptrace (read) peer=keepassxc-proxy, ptrace (read) peer=lsb_release, + ptrace (read) peer=plasma-browser-integration-host, ptrace (read) peer=xdg-settings, ptrace (trace) peer=@{profile_name}, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 2a2e07ca..171a7185 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -64,10 +64,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{tmp}/runtime-*/xauth_@{rand6} r, - @{run}/mount/utab r, - @{run}/user/@{uid}/xauth_@{rand6} rl, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 259ae8b2..f4e6a126 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -121,6 +121,7 @@ profile gnome-software @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, + @{tmp}/ r, owner @{tmp}/ostree-gpg-*/ r, owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index c6fd38ed..6646d69d 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -66,6 +66,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_share_dirs}/applications/ r, owner /var/tmp/etilqs_@{hex} rw, + owner @{tmp}/etilqs_@{hex} rw, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 59965425..b7fc61d2 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier 
@@ -13,14 +13,22 @@ profile DiscoverNotifier @{exec_path} { include include include + include network inet dgram, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink dgram, + network netlink raw, @{exec_path} mr, - @{bin}/apt-config rPx, + @{bin}/apt-config rPx, + + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, /usr/share/knotifications{5,6}/{,**} r, /usr/share/metainfo/{,**} r, @@ -28,7 +36,7 @@ profile DiscoverNotifier @{exec_path} { /etc/machine-id r, /etc/flatpak/remotes.d/{,**} r, - /var/lib/flatpak/repo/{,**} r, + /var/lib/flatpak/{,**} r, /var/cache/swcatalog/cache/ w, @@ -45,9 +53,29 @@ profile DiscoverNotifier @{exec_path} { owner @{user_share_dirs}/flatpak/{,**} rw, + owner @{tmp}/ostree-gpg-*/ rw, + @{PROC}/sys/kernel/core_pattern r, /dev/tty r, + profile gpg { + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + + @{HOME}/@{XDG_GPG_DIR}/*.conf r, + + @{tmp}/ r, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + + owner @{run}/user/@{uid}/gnupg/ w, + + include if exists + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index ad3ef62e..b92bcd00 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner 
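Review bot: In the new `gpg` subprofile the link rule `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,` uses the `@{tmp}` variable on the source side but a literal `/tmp/` target; if `@{tmp}` is ever expanded to something other than `/tmp` the target half stops matching, and the strawberry hunk in this series already writes such rules as `-> @{tmp}/#@{int}`, so `-> @{tmp}/ostree-gpg-*/**` keeps both halves consistent (the gnome-software context above shows the same literal target, so this is existing drift rather than a new one). Widening `/var/lib/flatpak/repo/{,**} r,` to `/var/lib/flatpak/{,**} r,` exposes the whole flatpak state tree rather than the repository; if only a few subdirectories are read it is worth listing them. `network netlink raw,` is a broad rule for a notifier, so a comment naming what requires it would document the decision.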
@@ -28,6 +28,39 @@ profile baloorunner @{exec_path} { /tmp/ r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi* r, # for motherboard info + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + @{PROC}/sys/kernel/core_pattern r, /dev/tty r, diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index 4b1841b1..db597a56 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor 
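Review bot: `@{run}/udev/data/c18[0,8,9]:@{int} r,` uses a character class that also contains `,`, so it additionally matches a `c18,:` node that does not exist; `@{run}/udev/data/c18[089]:@{int} r,` is what the trailing comment describes. The block looks like a verbatim copy of a udev device-node list; if the tree has a shared abstraction for this kind of device enumeration, including it instead would avoid the copies drifting apart. The rules are read-only, so the exposure is device metadata rather than control, but the list should stay as narrow as what the krunner plugin actually queries.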
@@ -12,6 +12,9 @@ profile drkonqi-coredump-processor @{exec_path} { include include + capability dac_override, + capability dac_read_search, + @{exec_path} mr, /etc/machine-id r, @@ -20,7 +23,11 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, + /{run,var}/log/journal/@{hex32}/user-1000@@{hex32}-@{hex}-@{hex}.journal r, + /{run,var}/log/journal/remote/ r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 35d5e2cd..9e596c41 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -62,7 +62,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/drm/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, @{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/**/ r, @{sys}/devices/i2c-@{int}/name r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 9da20954..c3701fa7 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -92,6 +92,8 @@ profile kded @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, + / r, + owner @{HOME}/.gtkrc-2.0 rw, @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index a9be8644..c6a5a8d0 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host 
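Review bot: `capability dac_override,` in the first drkonqi-coredump-processor hunk grants bypass of all DAC permission checks, including write, while the only new access in the second hunk is reading root-owned journal files, which needs at most `capability dac_read_search,`. Unless the processor also has to write into directories it does not own, drop `dac_override` and keep `dac_read_search` with a comment such as `# read system journal files owned by root` so the reason stays with the rule. If the process already runs as root the file rules below do all the real confinement, which is a further reason to keep the capability set minimal.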
@@ -34,6 +34,7 @@ profile plasma-browser-integration-host @{exec_path} { owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma-emojier b/apparmor.d/groups/kde/plasma-emojier new file mode 100644 index 00000000..58339039 --- /dev/null +++ b/apparmor.d/groups/kde/plasma-emojier @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/plasma-emojier +profile plasma-emojier @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + owner @{user_cache_dirs}/plasma.emojier/{,**} rw, + + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/plasma.emojierrc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/plasma.emojierrc.lock rwk, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index c3515edb..ec5450de 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index b67f69f6..34d53add 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -68,6 +68,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/metainfo/{,**} r, /usr/share/plasma/{,**} r, /usr/share/plasma5support/** r, + /usr/share/rider/{,**} r, /usr/share/solid/actions/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/templates/{,*.desktop} r, 
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 8dfc1a22..4171015f 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -53,6 +53,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/ksplashrc r, owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/plasma_workspace.notifyrc r, owner @{user_config_dirs}/plasma-localerc rwl, owner @{user_config_dirs}/plasma-localerc.lock rwk, owner @{user_config_dirs}/plasma-workspace/env/ r, @@ -60,6 +61,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, + owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/kservices{5,6}/{,**} r, owner @{user_share_dirs}/sddm/wayland-session.log rw, owner @{user_share_dirs}/sddm/xorg-session.log rw, From 9dba91296a1eb6d5652b15f69f744dd06771bc34 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 4 May 2024 00:24:41 +0100 Subject: [PATCH 30/37] fix: typo in abs name. --- apparmor.d/profiles-m-r/qbittorrent-nox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index b6e292a0..cc8edfd6 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/qbittorrent-nox profile qbittorrent-nox @{exec_path} { include - include + include include include From d69dcad46dfa952fd50c45dd00fa7c94801ee5f8 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 4 May 2024 13:19:03 +0100 Subject: [PATCH 31/37] feat(profile): add epiphany. Fix #322 --- .../groups/browsers/ephy-profile-migrator | 22 ++++++ apparmor.d/groups/browsers/epiphany | 74 +++++++++++++++++++ dists/flags/main.flags | 3 +- 3 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/browsers/ephy-profile-migrator create mode 100644 apparmor.d/groups/browsers/epiphany diff --git a/apparmor.d/groups/browsers/ephy-profile-migrator b/apparmor.d/groups/browsers/ephy-profile-migrator new file mode 100644 index 00000000..1ec92c1b --- /dev/null +++ b/apparmor.d/groups/browsers/ephy-profile-migrator @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/epiphany/ephy-profile-migrator +profile ephy-profile-migrator @{exec_path} { + include + include + include + + @{exec_path} mr, + + owner @{user_cache_dirs}/epiphany/** rw, + owner @{user_config_dirs}/epiphany/{,**} rw, + owner @{user_share_dirs}/epiphany/.migrated{,.@{rand6}} rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany new file mode 100644 index 00000000..8809be13 --- /dev/null +++ b/apparmor.d/groups/browsers/epiphany 
@@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/epiphany +profile epiphany @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + include + include + + capability dac_override, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, + + @{exec_path} mr, + + @{bin}/bwrap rix, + @{bin}/xdg-dbus-proxy rix, + @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, + + owner /bindfile@{rand6} rw, + owner /.flatpak-info r, + + owner @{user_config_dirs}/glib-2.0/ w, + owner @{user_config_dirs}/glib-2.0/settings/ w, + + owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, + owner @{tmp}/Serialized@{rand9} rw, + owner @{tmp}/WebKit-Media-@{rand6} rw, + + owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + /dev/video@{int} rw, + + include if exists +} \ No newline at end of file 
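Review bot: `capability dac_override,` in the new epiphany profile is granted to the browser process itself, and because `@{bin}/bwrap rix,` and `@{bin}/xdg-dbus-proxy rix,` execute inline, the capability and the `mount options=(rw rbind)` rule apply to the whole WebKit sandbox setup rather than only to the helper that needs them. If the capability exists for a setuid bwrap on some distributions, consider confining bwrap in its own child profile (`rCx`/`rPx`) so the browser does not carry a file-permission bypass, and add a comment stating the requirement. `/dev/video@{int} rw,` is expected for WebRTC camera access; a one-line comment would make it clear this is deliberate. The same `capability dac_override,` question applies to the drkonqi-coredump-processor hunk earlier in this series.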
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 976dcad5..6d69b629 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -98,6 +98,8 @@ dpkg-genbuildinfo complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain +ephy-profile-migrator complain +epiphany attach_disconnected,complain epiphany-search-provider complain epiphany-webapp-provider complain evolution-user-prompter complain @@ -396,4 +398,3 @@ xsettingsd complain xwaylandvideobridge complain YACReader attach_disconnected,mediate_deleted,complain YACReaderLibrary attach_disconnected,mediate_deleted,complain - From 06619cef0acecbe26757157123e4a0b6967a1d6b Mon Sep 17 00:00:00 2001 From: Fusion future Date: Sun, 5 May 2024 19:47:40 +0800 Subject: [PATCH 32/37] plasmashell: add flatpak mime folder (#325) It's read by the krunner plugin. --- apparmor.d/groups/kde/plasmashell | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 34d53add..2a12a244 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -85,6 +85,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/xdg/** r, /var/lib/AccountsService/icons/* r, + /var/lib/flatpak/exports/share/mime/ r, @{HOME}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, From bfd9e9e3d66117b4bd3f530f45b5be6eb470a61b Mon Sep 17 00:00:00 2001 From: Fusion future Date: Sun, 5 May 2024 19:47:59 +0800 Subject: [PATCH 33/37] plasmashell: add local wallpaper rules (#324) Allow plasmashell to access wallpapers in the cache folder and the user share folder. --- apparmor.d/groups/kde/plasmashell | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 2a12a244..172a8365 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
@@ -107,6 +107,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, + owner @{user_cache_dirs}/plasma_engine_potd/{,**} rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, @@ -166,6 +167,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma/{,**} r, owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**, owner @{user_share_dirs}/user-places.xbel{,*} rwl, + owner @{user_share_dirs}/wallpapers/{,**} rw, /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, From d544c386f7cfcefbd55657052a3f29645686b8c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 5 May 2024 17:42:32 +0100 Subject: [PATCH 34/37] fix(profile): ensure PAM & systemd-homed compatibility. see #321 --- apparmor.d/abstractions/app/sudo | 1 + apparmor.d/profiles-g-l/groups | 6 +----- apparmor.d/profiles-s-z/unix-chkpwd | 1 + 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index e791caea..49b742b0 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -39,6 +39,7 @@ @{etc_ro}/sudoers.d/{,*} r, / r, + /etc/machine-id r, owner /var/lib/sudo/ts/ rw, owner /var/lib/sudo/ts/@{uid} rwk, diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index 79ec2587..625632e7 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -11,14 +11,10 @@ include profile groups @{exec_path} { include include + include @{exec_path} mr, - /etc/group r, - /etc/nsswitch.conf r, - - @{run}/systemd/userdb r, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty@{int} rw, 
diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 97ef4359..65fd4330 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -19,6 +19,7 @@ profile unix-chkpwd @{exec_path} { @{exec_path} mr, + /etc/machine-id r, /etc/shadow r, # systemd userdb, used in nspawn From 0ffd70319b1f4e6c7cdc714c02b86282b5bf5fe9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 5 May 2024 17:49:45 +0100 Subject: [PATCH 35/37] feat(tunable): add @{hex16} --- apparmor.d/groups/gnome/gnome-logs | 4 ++-- apparmor.d/groups/kde/drkonqi-coredump-processor | 4 ++-- apparmor.d/groups/systemd/journalctl | 4 ++-- apparmor.d/tunables/multiarch.d/system | 3 ++- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 4c3f5da5..5f7d01a8 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -21,9 +21,9 @@ profile gnome-logs @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-1000@@{hex32}-@{hex}-@{hex}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index db597a56..ac9943a5 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor 
@@ -24,9 +24,9 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-1000@@{hex32}-@{hex}-@{hex}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index e8659803..3793c838 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -39,10 +39,10 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, owner /{run,var}/log/journal/@{hex32}/fss wl -> /var/log/journal/@{hex32}/fss.tmp.*, owner /{run,var}/log/journal/@{hex32}/fss.tmp.* rw, owner /var/tmp/#@{int} rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 330d4fee..bf532376 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -17,7 +17,8 @@ # Hexadecimal up to 64 characters @{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{hex32}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{hex16}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{hex32}=@{hex16}@{hex16} @{hex64}=@{hex32}@{hex32} @{md5}=@{hex32} # kept for now for compatibility From 89f896a0fdd175574c25fdb94f9271866734d7e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 5 May 2024 18:17:52 +0100 Subject: [PATCH 36/37] feat(profile): cleanup flatpak share access. --- apparmor.d/abstractions/freedesktop.org.d/complete | 3 +++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 3 --- .../groups/gnome/gnome-control-center-goa-helper | 2 -- apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/tracker-extract | 3 --- apparmor.d/groups/kde/ksmserver | 2 -- apparmor.d/groups/kde/ksmserver-logout-greeter | 2 -- apparmor.d/groups/kde/kstart | 2 -- apparmor.d/groups/kde/plasma-browser-integration-host | 2 -- apparmor.d/groups/kde/plasmashell | 1 - apparmor.d/profiles-g-l/gtk-update-icon-cache | 10 +++------- 11 files changed, 7 insertions(+), 26 deletions(-) diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index c9f714ac..7313fbca 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete 
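Review bot: `@{hex16}=...` is introduced without a comment, while `@{hex}` just above it is documented with `# Hexadecimal up to 64 characters`; adding `# Hexadecimal of exactly 16 characters` above the new definition keeps the tunables file self-describing. Rebuilding `@{hex32}` as `@{hex16}@{hex16}` expands to the same 32 `@{h}` characters as before, so no existing rule changes meaning.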
@@ -10,6 +10,9 @@ @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, + @{system_share_dirs}/ r, + @{system_share_dirs}/mime/ r, + /usr/share/mime/ r, /etc/gnome/defaults.list r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ade5d9f9..257ac4f0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -78,9 +78,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{,3}/greeter-dconf-defaults r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/lib/flatpak/exports/share/applications/{**,} r, - @{user_config_dirs}/kioslaverc r, owner @{tmp}/icon* rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index b858ab8e..f3c87abc 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -46,8 +46,6 @@ profile gnome-control-center-goa-helper @{exec_path} { /usr/share/cracklib/* r, /usr/share/publicsuffix/public_suffix_list.dafsa r, - /var/lib/flatpak/exports/share/icons/{,**} r, - owner @{user_config_dirs}/goa-1.0/accounts.conf r, owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7f76ff3f..8e2c7c67 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -196,7 +196,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, - /usr/share/gnome-shell/{,**} r, /usr/share/libgweather/Locations.xml r, /usr/share/libinput*/ r, /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r, 
@@ -205,6 +204,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, + @{system_share_dirs}/gnome-shell/{,**} r, / r, /.flatpak-info r, @@ -217,7 +217,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, - /var/lib/flatpak/exports/share/gnome-shell/{,**} r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index d9bd673b..66beccbb 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -49,9 +49,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /etc/blkid.conf r, /etc/fstab r, - /var/lib/flatpak/exports/share/applications/mimeinfo.cache r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ rw, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index cdceeb39..e38c2a1f 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -41,8 +41,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/xdg/kscreenlockerrc r, /etc/xdg/menus/ r, - /var/lib/flatpak/exports/share/mime/ r, - owner @{HOME}/@{rand6} rw, owner @{HOME}/.Xauthority rw, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index fa8bd0b9..a13b08f3 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter 
@@ -30,8 +30,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { /usr/share/plasma/desktoptheme/** r, /usr/share/plasma/look-and-feel/** r, /var/lib/AccountsService/icons/ r, - /var/lib/flatpak/exports/share/icons/{,**} r, - /var/lib/flatpak/exports/share/mime/generic-icons r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index aca93c0e..1080978c 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -22,8 +22,6 @@ profile kstart @{exec_path} flags=(attach_disconnected) { @{bin}/** rPUx, @{bin}/konsole rPx, - /var/lib/flatpak/exports/share/mime/ r, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index c6a5a8d0..93b11c81 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -28,8 +28,6 @@ profile plasma-browser-integration-host @{exec_path} { /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - /var/lib/flatpak/exports/share/mime/ r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca{5,6}_* r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 172a8365..b0f2f634 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -85,7 +85,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/xdg/** r, /var/lib/AccountsService/icons/* r, - /var/lib/flatpak/exports/share/mime/ r, @{HOME}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index 6a1a8dd5..917332e3 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache 
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@@ -14,13 +14,9 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /usr/share/icons/** r,
- /usr/share/icons/**/.icon-theme.cache rw,
- /usr/share/icons/**/icon-theme.cache rw,
-
- /var/lib/flatpak/exports/share/icons/{,**/} r,
- /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw,
- /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w,
+ @{system_share_dirs}/icons/{,**/} r,
+ @{system_share_dirs}/icons/**/.icon-theme.cache rw,
+ @{system_share_dirs}/icons/**/icon-theme.cache w,
 owner @{user_share_dirs}/** r,
 owner @{user_share_dirs}/**/.icon-theme.cache rw,
From 8224ac2b3fae541f4633b883151e06b5e71cc00b Mon Sep 17 00:00:00 2001
From: Jose Maldonado <63384398+yukiteruamano@users.noreply.github.com>
Date: Mon, 6 May 2024 14:16:39 -0400
Subject: [PATCH 37/37] Fix access to OpenSC configuration (#326)
---
 apparmor.d/groups/browsers/firefox | 1 +
 apparmor.d/groups/gnome/gsd-smartcard | 1 +
 apparmor.d/groups/gnome/seahorse | 2 ++
 apparmor.d/groups/whonix/torbrowser | 3 ++-
 apparmor.d/profiles-m-r/pkcs11-register | 3 ++-
 apparmor.d/profiles-m-r/rngd | 1 +
 6 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index db6c2676..224b4cc7 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -119,6 +119,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 /etc/mailcap r,
 /etc/mime.types r,
 /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r,
 /etc/sysconfig/proxy r,
 /etc/xdg/* r,
 /etc/xul-ext/kwallet5.js r,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index 0b722c5a..4003d175 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
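Review bot: The replacement `@{system_share_dirs}/icons/{,**/} r,` in the gtk-update-icon-cache hunk matches only directories, whereas the removed `/usr/share/icons/** r,` also covered the icon files themselves; the user-side counterpart kept as context two lines below, `owner @{user_share_dirs}/** r,`, still grants file reads, so the system-side rule is now narrower than before and asymmetric with it. If gtk-update-icon-cache reads the image files while building a cache, that will surface as read denials under the new profile; `@{system_share_dirs}/icons/** r,` would preserve the previous scope while still consolidating the two trees. Separately, `icon-theme.cache` drops from `rw` to `w` on the former `/usr/share` side; that matches the old flatpak rule, but it is a second silent narrowing worth confirming against audit logs or calling out in the commit message.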
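Review bot: The pair `/etc/opensc.conf r,` / `/etc/opensc/opensc.conf r,` is now spelled out verbatim in the firefox hunk here and again in the gsd-smartcard, seahorse, torbrowser, pkcs11-register and rngd hunks that follow, six copies in all. Since these profiles are already composed from `include` lines, a small shared abstraction for the OpenSC configuration paths (name to be chosen by the project) included from each profile would keep the copies from drifting the next time the OpenSC layout changes. The grant itself, read-only access to both locations, stays the same either way.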
@@ -31,6 +31,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r,
 owner @{GDM_HOME}/greeter-dconf-defaults r,
 owner @{gdm_config_dirs}/dconf/user r,
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index 8c89c058..8987ae31 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -36,6 +36,8 @@ profile seahorse @{exec_path} {
 /etc/pki/trust/blocklist/ r,
 /etc/gcrypt/hwf.deny r,
+ /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r,
 owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index 760b3eda..cb63d603 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -64,6 +64,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 /etc/mailcap r,
 /etc/mime.types r,
 /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r,
 /etc/sysconfig/proxy r,
 /etc/xdg/* r,
 /etc/xul-ext/kwallet5.js r,
@@ -163,4 +164,4 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 deny @{PROC}/@{pid}/net/route r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register
index 19d335ea..3ca20d32 100644
--- a/apparmor.d/profiles-m-r/pkcs11-register
+++ b/apparmor.d/profiles-m-r/pkcs11-register
@@ -13,6 +13,7 @@ profile pkcs11-register @{exec_path} {
 @{exec_path} mr,
 /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r,
 owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
 owner @{HOME}/.mozilla/firefox/profiles.ini r,
@@ -21,4 +22,4 @@ profile pkcs11-register @{exec_path} {
 owner @{HOME}/.thunderbird/profiles.ini r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 00820b5a..b929f1a7 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@@ -25,6 +25,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) {
 /etc/conf.d/rngd r,
 /etc/machine-id r,
 /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r,
 /var/lib/dbus/machine-id r,
 @{sys}/devices/virtual/misc/hw_random/rng_available r,