diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config
index 531b1f70..256d0883 100644
--- a/apparmor.d/groups/apt/apt-config
+++ b/apparmor.d/groups/apt/apt-config
@@ -17,6 +17,8 @@ profile apt-config @{exec_path} {
 /{usr/,}bin/dpkg rPx -> child-dpkg,
+ owner /tmp/tmp*/apt.conf r,
+ owner @{PROC}/@{pid}/fd/ r,
 include if exists
diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key
index 2ba7e898..f0f79875 100644
--- a/apparmor.d/groups/apt/apt-key
+++ b/apparmor.d/groups/apt/apt-key
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -14,21 +15,21 @@ profile apt-key @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/cmp rix,
+ /{usr/,}bin/comm rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/readlink rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sed rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cmp rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/readlink rix,
 /{usr/,}bin/sort rix,
- /{usr/,}bin/comm rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/id rix,
+ /{usr/,}bin/touch rix,
 /{usr/,}bin/tr rix,
 /{usr/,}bin/uniq rix,
 /{usr/,}bin/wc rix,
@@ -73,6 +74,11 @@ profile apt-key @{exec_path} {
 /{usr/,}bin/gpg-agent rix,
 /{usr/,}bin/gpg-connect-agent rix,
+ /usr/share/gnupg/sks-keyservers.netCA.pem r,
+
+ /etc/hosts r,
+ /etc/inputrc r,
+
 /etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
 /etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
 /etc/apt/trusted.gpg{,~,.tmp} rw,
@@ -86,18 +92,13 @@ profile apt-key @{exec_path} {
 owner /tmp/apt-key-gpghome.*/ rw,
 owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
+ owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
+
+ owner @{run}/user/@{uid}/gnupg/d.*/ rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- /usr/share/gnupg/sks-keyservers.netCA.pem r,
-
- /etc/hosts r,
- /etc/inputrc r,
-
- # File_inherit
- owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
-
 }
 include if exists
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 586947e8..f64de582 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -38,6 +38,8 @@ profile dpkg-preconfigure @{exec_path} {
 owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
 owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+ owner @{run}/user/@{uid}/pk-debconf-socket rw,
+ # The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
 include
 include
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index fbc8821e..14c4a8a2 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged,
+ member={PropertiesChanged,GetAll},
 dbus receive bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.NetworkManager
diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper
index f9a2d8e2..e0f71980 100644
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
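Review bot: The `# File_inherit` comment that explained the `gpgoutput.{log,err} w` rule is dropped when the rule moves up, and the moved rule is already covered by the preceding `owner /tmp/apt-key-gpghome.*/** rwkl` line, so its reason for existing is no longer visible. Either keep the comment on the moved line, e.g. `# File_inherit` directly above `owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,`, or drop the rule as redundant. The removed `/usr/share/gnupg/sks-keyservers.netCA.pem`, `/etc/hosts` and `/etc/inputrc` rules reappear in the earlier hunk, so that part is only a move.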
@@ -18,10 +18,14 @@ profile dbus-daemon-launch-helper @{exec_path} {
 @{exec_path} mr,
- /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
+ /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
+ /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
+ /{usr/,}lib/software-properties/software-properties-dbus rPx,
 /usr/share/dbus-1/{,**} r,
+ /etc/dbus-1/{,**} r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
 include if exists
diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport
index 387fa938..abf16812 100644
--- a/apparmor.d/groups/cron/cron-apport
+++ b/apparmor.d/groups/cron/cron-apport
@@ -14,6 +14,7 @@ profile cron-apport @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/find rix,
+ /{usr/,}bin/rm rix,
 / r,
 /var/crash/ r,
diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index 8c49c484..6c761146 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@@ -23,18 +23,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 ptrace (read) peer=unconfined,
+ dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
+ interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},
+
 dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
 interface=org.freedesktop.PolicyKit[0-9].Authority
 member={CheckAuthorization,Changed},
- dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
- interface=org.freedesktop.DBus.Properties
- member={PropertiesChanged,GetAll},
-
- dbus (send,receive) bus=system path=/org/freedesktop/Accounts/User[0-9]*
- interface=org.freedesktop.Accounts.User
- member={Changed,SetLanguage,SetInputSources},
-
 dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
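Review bot: The new `dbus (send,receive)` rule for `/org/freedesktop/Accounts{,/User[0-9]*}` carries no `member=` list, so it grants every method and signal on the `org.freedesktop.Accounts`, `org.freedesktop.Accounts.User`, `DBus.Properties` and `DBus.Introspectable` interfaces in both directions, where the rules it replaces here and in the following `@@ -44,14 +39,6 @@` hunk enumerated `PropertiesChanged`, `GetAll`, `Changed`, `SetLanguage`, `SetInputSources`, `FindUserByName` and `ListCachedUsers`. Since accounts-daemon binds `org.freedesktop.Accounts` it may legitimately need to receive the whole interface, but the send direction is widened at the same time. A comment above the rule stating that the member allow-list was dropped on purpose, or keeping `member=` on the send side, would make the widening reviewable.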
@@ -44,14 +39,6 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 member={RequestName,GetConnectionUnixUser}
 peer=(name=org.freedesktop.DBus),
- dbus receive bus=system path=/org/freedesktop/Accounts
- interface=org.freedesktop.Accounts
- member={FindUserByName,ListCachedUsers},
-
- dbus receive bus=system path=/org/freedesktop/Accounts
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
 dbus bind bus=system name=org.freedesktop.Accounts,
diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings
index 8eb6c1f1..c2ea3fc3 100644
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@@ -35,11 +35,14 @@ profile xdg-settings @{exec_path} {
 /usr/share/terminfo/x/xterm-256color r,
 /usr/share/applications/ r,
+ /usr/share/ubuntu/applications/ r,
 /etc/xdg/xfce4/helpers.rc r,
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
+ /var/lib/snapd/desktop/applications/{,*} r,
+ owner @{HOME}/ r,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config
index e9821c97..eb15b149 100644
--- a/apparmor.d/groups/gnome/gdm-runtime-config
+++ b/apparmor.d/groups/gnome/gdm-runtime-config
@@ -12,7 +12,7 @@ profile gdm-runtime-config @{exec_path} {
 @{exec_path} mr,
- @{run}/gdm/ r,
+ @{run}/gdm/ rw,
 @{run}/gdm/custom.conf* rw,
 include if exists
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index e4120665..e3655eb2 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -82,6 +82,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
 owner @{PROC}/@{pid}/uid_map r,
+ @{PROC}/@{pids}/cgroup r,
 @{PROC}/1/limits r,
 @{PROC}/keys r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index fd6fbd6a..efbccf0f 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -110,6 +110,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged,
+ dbus receive bus=system
+ path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent
+ interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent
+ member=BeginAuthentication,
+
 @{exec_path} mr,
 /{usr/,}bin/Xwayland rPx,
@@ -234,7 +239,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
- @{sys}/devices/**/power_supply/**/{type,online} r,
+ @{sys}/devices/**/power_supply/{,**} r,
 @{sys}/devices/pci[0-9]*/**/boot_vga r,
 @{sys}/devices/pci[0-9]*/**/drm/ r,
 @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 2fb705b0..602cee7a 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -37,7 +37,8 @@ profile goa-daemon @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- owner @{user_config_dirs}/goa-1.0/accounts.conf r,
+ owner @{user_config_dirs}/goa-1.0/ rw,
+ owner @{user_config_dirs}/goa-1.0/accounts.conf* rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index 7e120cf6..811fbf81 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
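Review bot: The added `dbus receive` rule for `BeginAuthentication` on `/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent` has no `peer=` qualifier, so any client on the system bus may deliver that call to the shell's authentication-agent object. If the expected caller is polkitd, narrowing it the way accounts-daemon does with `peer=(name=…)` is the tighter form, for example a `peer=(name=org.freedesktop.PolicyKit[0-9]),` line after `member=BeginAuthentication`; whether polkitd is the only legitimate sender should be confirmed from the denial that prompted the rule.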
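Review bot: `@{sys}/devices/**/power_supply/{,**} r` replaces a rule scoped to `{type,online}` with read access to every attribute under any power_supply node, which is wider than the neighbouring hwmon rules that still enumerate `{,name,temp*,fan*}`. If the shell only needs a few battery attributes, listing them keeps the profile's style consistent; otherwise a short comment on the new line saying why the whole subtree is needed would help the next reviewer.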
@@ -9,11 +9,22 @@ include
 @{exec_path} = /{usr/,}bin/seahorse
 profile seahorse @{exec_path} {
 include
+ include
+ include
 include
 include
 include
 include
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,ServiceBrowserNew}
+ peer=(name=org.freedesktop.Avahi),
+
+ dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+ interface=org.freedesktop.Avahi.Serv iceBrowser
+ member={CacheExhausted,AllForNow},
+
 @{exec_path} mr,
 /{usr/,}bin/gpgconf rPx,
@@ -21,8 +32,10 @@ profile seahorse @{exec_path} {
 /{usr/,}bin/gpgsm rPx,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
- # Seahorse and SSH keys
+ /usr/share/ubuntu/applications/ r,
+
+ /var/lib/snapd/desktop/icons/ r,
+
 owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index e09eb006..19f28dcb 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -56,9 +56,9 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
 owner @{PROC}/@{pid}/fdinfo/[0-9]* r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/net/* r,
+ @{PROC}/@{pids}/net/* r,
 @{PROC}/ r,
- @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pids}/stat r,
 @{PROC}/1/cgroup r,
 @{PROC}/locks r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index 2e9861c1..c7e81148 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
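Review bot: The `# Seahorse and SSH keys` comment above `owner @{HOME}/@{XDG_SSH_DIR}/{,**} r` is removed while the rule it documents stays, leaving the one rule that reads the user's SSH directory (which typically holds private keys) uncommented. Keep the comment directly above the SSH rule, e.g. `# Seahorse and SSH keys`, rather than deleting it together with the blank line. The profile header starts before this hunk, so I cannot see whether the new Avahi rules in the earlier hunk are explained there.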
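Review bot: Replacing `owner @{PROC}/@{pid}/net/* r` and `@{PROC}/@{pid}/stat r` with `@{PROC}/@{pids}/…` lets the volume monitor read the network tables and `stat` of every process on the system instead of its own, and the `owner` qualifier on the `net/*` rule disappears at the same time. If the need is for specific peer processes, a comment naming them on the new lines would document why the wider read is required; if the denial was only for the daemon's own entries, the previous `owner @{PROC}/@{pid}/…` form already covers those.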
@@ -11,6 +11,16 @@ include
 @{exec_path} += @{libexec}/gvfsd-dnssd
 profile gvfsd-dnssd @{exec_path} {
 include
+ include
+ include
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={Ping,GetAPIVersion,GetState,ServiceBrowserNew},
+
+ dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member={CacheExhausted,AllForNow},
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network
index c57d71de..5b6c9ab7 100644
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/gvfsd-network
 profile gvfsd-network @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse
index b289ed55..d9488b3d 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/gvfsd-smb-browse
 profile gvfsd-smb-browse @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 52a4981c..31ecf983 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -92,6 +92,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/devices r,
+ @{PROC}/driver/nvidia/gpus/ r,
 /dev/ rw,
 /dev/** rwk,
diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup
index 06d46ab6..585b841c 100644
--- a/apparmor.d/groups/systemd/systemd-vconsole-setup
+++ b/apparmor.d/groups/systemd/systemd-vconsole-setup
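Review bot: The receive rule's path `/Client[0-9]*/ServiceBrowser[0-9]` ends in a single-digit class, so a browser object numbered 10 or higher would not match, whereas the equivalent rule added to seahorse in this same commit uses `ServiceBrowser[0-9]*`. The send rule also omits the `peer=(name=org.freedesktop.Avahi)` qualifier that the seahorse rule carries, so the two Avahi rule sets should be aligned: `dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*` for the receive rule, and a `peer=(name=org.freedesktop.Avahi),` line closing the send rule.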
@@ -13,6 +13,7 @@ profile systemd-vconsole-setup @{exec_path} {
 include
 include
+ capability dac_override,
 capability sys_ptrace,
 capability sys_resource,
 capability sys_tty_config,
diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook
index 5eff6c45..5d581cdd 100644
--- a/apparmor.d/groups/ubuntu/apt-esm-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-hook
@@ -14,7 +14,7 @@ profile apt-esm-hook @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages
index d17f809c..42d9589e 100644
--- a/apparmor.d/groups/ubuntu/list-oem-metapackages
+++ b/apparmor.d/groups/ubuntu/list-oem-metapackages
@@ -15,8 +15,8 @@ profile list-oem-metapackages @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx,
- /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/ischroot rix,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd
index 56805647..ffa188b9 100644
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@@ -53,7 +53,7 @@ profile packagekitd @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
 /usr/share/dpkg/tupletable r,
 /usr/share/dpkg/cputable r,
diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd
index e47fbf14..ae1a42b7 100644
--- a/apparmor.d/groups/ubuntu/release-upgrade-motd
+++ b/apparmor.d/groups/ubuntu/release-upgrade-motd
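Review bot: `capability dac_override` is added without a comment saying which access triggers it, and unlike the neighbouring `sys_tty_config` its purpose is not obvious from the profile's job. A short note above the line, e.g. `# dac_override: needed for <denied path placeholder>` with the path from the denial that motivated it, records why a permission-check bypass is granted here, and lets a later reviewer judge whether the rule is still needed once that file's ownership or mode changes.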
@@ -12,10 +12,14 @@ profile release-upgrade-motd @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/expr rix,
- /{usr/,}bin/stat rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/expr rix,
+ /{usr/,}bin/stat rix,
+ /{usr/,}bin/do-release-upgrade rPx,
+
+ /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report
index 51405517..ed2afd88 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@@ -14,7 +14,7 @@ profile ubuntu-report @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
 owner @{user_cache_dirs}/ubuntu-report/{,*} r,
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 3a947ef9..a1dab06b 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -16,6 +16,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
@@ -25,9 +26,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network netlink raw,
 dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*}
- interface={org.debian{,.apt},org.freedesktop.DBus.{Introspectable,Properties}}
+ interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}
 member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll},
 dbus send bus=system path=/org/freedesktop/DBus
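Review bot: The hunk ends with the closing `}` still carrying `\ No newline at end of file`, so the profile keeps its missing trailing newline although the commit rewrites most of the lines above it; the same applies to the update-manager and fprintd sections later in this diff. Adding the final newline while these files are being touched keeps them consistent with the other profiles, whose closing `}` lines end normally.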
@@ -46,9 +48,13 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.login[0-9].Manager
 member=Inhibit,
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=StateChanged,
+
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
 /{usr/,}bin/hwe-support-status rPx,
 /{usr/,}bin/ischroot rix,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
@@ -56,12 +62,11 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/uname rix,
 /{usr/,}lib/apt/methods/http{,s} rPx,
- /usr/share/applications/{,**} r,
 /usr/share/distro-info/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/icons/{,**} r,
- /usr/share/pixmaps/{,*} r,
+ /usr/share/themes/{,**} r,
 /usr/share/ubuntu-release-upgrader/{,**} r,
+ /usr/share/ubuntu/applications/{,**} r,
 /usr/share/update-manager/{,**} r,
 /usr/share/X11/{,**} r,
@@ -83,6 +88,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/*.ref w,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pids}/mountinfo r,
+
+ /dev/ptmx rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 450b1ca7..dbf9eba3 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -25,7 +25,7 @@ profile update-notifier @{exec_path} {
 /{usr/,}bin/ischroot rix,
 /{usr/,}bin/nice rix,
- /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
 /{usr/,}bin/pkexec rPx,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism
index 3bcfb527..b3dd451d 100644
--- a/apparmor.d/profiles-a-f/blueman-mechanism
+++ b/apparmor.d/profiles-a-f/blueman-mechanism
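Review bot: In the `@@ -83,6 +88,10 @@` hunk, `@{PROC}/@{pids}/mountinfo r` is added right next to `owner @{PROC}/@{pid}/mounts r`, so the two mount-table reads are scoped differently for no stated reason: one to the process's own entry, the other to every pid on the system. If update-manager only parses its own mount namespace, `owner @{PROC}/@{pid}/mountinfo r,` is the consistent and narrower rule; if another process's mount table is genuinely needed, a comment on the line should say whose. The new `/dev/ptmx rw` is likewise uncommented, and a note on what allocates the pseudo-terminal would help the next reader.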
@@ -23,7 +23,6 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}bin/python3.[0-9]* r,
 @{libexec}/ r,
 /var/lib/blueman/network.state rw,
diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
index eaa7512b..3f00bf98 100644
--- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
+++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
@@ -12,7 +12,6 @@ profile blueman-rfcomm-watcher @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/python3.[0-9]* r,
 @{libexec}/ r,
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index 2eed5450..3501ad8e 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -32,6 +32,7 @@ profile boltd @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/ r,
 @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{authorized,generation} r,
 @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{uevent,unique_id} r,
+ @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
 @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
 @{sys}/devices/platform/**/uevent r,
 @{sys}/devices/virtual/dmi/id/product_name r,
diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper
index 1c98015f..631f3a22 100644
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@@ -59,7 +59,9 @@ profile etckeeper @{exec_path} {
 @{run}/resolvconf/resolv.conf r,
- /tmp/etckeeper-git* rw,
+ owner /tmp/etckeeper-git* rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
 profile gpg {
 include
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 6f6b9e29..0190d419 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/evince /{usr/,}bin/evinced
+@{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced
 profile evince @{exec_path} {
 include
 include
@@ -33,9 +33,9 @@ profile evince @{exec_path} {
 owner @{user_cache_dirs}/thumbnails/{,**} rw,
 owner @{user_config_dirs}/evince/{,*} rw,
+ owner /tmp/*.pdf r,
 owner /tmp/evince-*/{,**} rw,
- /tmp/gtkprint* rw,
- /tmp/*.pdf r,
+ owner /tmp/gtkprint* rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd
index 8d32411c..215f7ef6 100644
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -11,6 +11,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 capability sys_nice,
@@ -41,8 +42,12 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
 /etc/fprintd.conf r,
+ /var/lib/fprint/{,**} rw,
+
 @{run}/systemd/journal/socket rw,
 @{run}/systemd/inhibit/*.ref w,
+ @{sys}/class/hidraw/ r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall
index 29071d5c..61a9c60b 100644
--- a/apparmor.d/profiles-a-f/freefall
+++ b/apparmor.d/profiles-a-f/freefall
@@ -10,18 +10,18 @@ include
 profile freefall @{exec_path} {
 include
- capability sys_nice,
 capability ipc_lock,
 capability mknod,
+ capability sys_nice,
 @{exec_path} mr,
+ @{sys}/devices/**/unload_heads r,
+ @{sys}/class/leds/**/brightness r,
+
 /dev/freefall rw,
 /dev/sd[a-z]* rk,
 /dev/sd[a-z]*[0-9]* rk,
- @{sys}/devices/**/unload_heads r,
- @{sys}/class/leds/**/brightness r,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 4fef8e50..163d2a20 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@@ -14,18 +14,20 @@ profile rngd @{exec_path} {
 @{exec_path} mr,
+ capability dac_read_search,
 capability sys_admin,
 capability sys_nice,
- capability dac_read_search,
 network netlink raw,
- /etc/opensc.conf r,
 /etc/conf.d/rngd r,
+ /etc/opensc.conf r,
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
+ @{sys}/devices/virtual/misc/hw_random/rng_available r,
+ @{PROC}/sys/kernel/random/poolsize r,
 @{PROC}/sys/kernel/random/write_wakeup_threshold rw,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 4254d9bb..ca903cf7 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -96,6 +96,7 @@ profile run-parts @{exec_path} {
 /etc/kernel/postinst.d/initramfs-tools rCx -> kernel,
 /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel,
 /etc/kernel/postinst.d/zz-update-grub rCx -> kernel,
+ /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel,
 /etc/kernel/postrm.d/ r,
 /etc/kernel/postrm.d/initramfs-tools rCx -> kernel,
@@ -139,6 +140,8 @@ profile run-parts @{exec_path} {
 include
 include
+ capability sys_module,
+
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/cat rix,
@@ -180,6 +183,7 @@ profile run-parts @{exec_path} {
 /etc/modprobe.d/ r,
 /etc/modprobe.d/*.conf r,
+ @{run}/reboot-required w,
 @{run}/reboot-required.pkgs w,
 @{PROC}/devices r,
diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer
index 0dfade79..bbcb943e 100644
--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@@ -11,6 +11,8 @@ include
 @{exec_path} += /usr/share/system-config-printer/system-config-printer.py
 profile system-config-printer @{exec_path} flags=(complain) {
 include
+ include
+ include
 include
 include
 include
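Review bot: In the `@@ -139,6 +140,8 @@` hunk of run-parts, `capability sys_module` is added to a block whose opening line lies before the hunk (the header names only the outer `profile run-parts`), so it is not visible here whether the capability lands in the `kernel` child profile that the `rCx -> kernel` transitions target or in a broader scope. Module loading is among the strongest capabilities a profile can grant, so the line should carry a comment naming the hook script that needs it, e.g. `# sys_module: needed by <script placeholder> in /etc/kernel/*.d/`, and the enclosing block should be confirmed to be the `kernel` sub-profile rather than the main one.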
@@ -22,6 +24,19 @@ profile system-config-printer @{exec_path} flags=(complain) {
 network inet stream,
 network inet6 stream,
+ network netlink raw,
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=CheckAuthorization,
+
+ dbus send bus=system path=/org/freedesktop/hostname[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
 @{exec_path} mrix,
@@ -33,15 +48,21 @@ profile system-config-printer @{exec_path} flags=(complain) {
 /usr/share/cups/data/testprint r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/system-config-printer/{,**} r,
+ /usr/share/X11/xkb/{,**} r,
 /etc/cups/cupsd.conf r,
 /etc/cupshelpers/preferreddrivers.xml r,
 /etc/fstab r,
 /etc/papersize r,
+ /var/lib/snapd/desktop/icons/ r,
+ owner @{HOME}/.cups/ rw,
 owner @{HOME}/.cups/lpoptions rw,
+ owner @{run}/@{uid}/gvfsd/socket-* rw,
+ @{run}/cups/cups.sock rw,
+ owner /tmp/* rw,
 owner @{PROC}/@{pid}/fd/ r,
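Review bot: `owner @{run}/@{uid}/gvfsd/socket-* rw` looks like it is missing the `user/` path component: every other per-user runtime rule in this diff is written `@{run}/user/@{uid}/…` (dpkg-preconfigure, apt-key), and a path of the form `/run/<uid>/gvfsd/` would never be created, so the rule is probably dead as written; `owner @{run}/user/@{uid}/gvfsd/socket-* rw,` is the likely intent. `owner /tmp/* rw` is also very broad for a printer configuration tool, since it allows reading and writing any file the user owns directly under /tmp; if the denial was for a known file name pattern, that pattern should replace the `*`. The profile is in `flags=(complain)`, so neither rule is enforced yet, but both will be once the flag is removed.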