diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 2798b5082..777518f3d 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -61,19 +61,24 @@ owner @{user_share_dirs}/** rwkl, owner @{user_games_dirs}/{,**} rm, - owner /var/cache/tmp/** rwk, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rk, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index befea8bcb..6ba381b05 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -36,10 +36,13 @@ @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, + /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/kcminputrc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index f8a9700f5..3a04356f5 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -31,6 +31,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /etc/machine-id r, + /etc/xdg/plasmarc r, /var/lib/dbus/machine-id r, owner @{user_config_dirs}/breezerc r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 51d9fdddb..6e5b5adb0 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -31,6 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index e756831f2..b704e580b 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -25,9 +25,11 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell + @{bin}/btop rPUx, @{bin}/htop rPx, @{bin}/micro rPUx, @{bin}/nvtop rPx, + @{bin}/nvtop rPx, @{bin}/vim rUx, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index b76cff2a0..577cdd085 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -16,6 +16,7 @@ profile dolphin @{exec_path} { include include include + include include include include @@ -28,13 +29,17 @@ profile dolphin @{exec_path} { @{exec_path} mr, @{bin}/ldd rix, + @{bin}/lsb_release rPx -> lsb_release, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, + #aa:exec kioworker /usr/share/kf5/kmoretools/{,**} r, /usr/share/kio/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/misc/termcap r, /etc/fstab r, /etc/machine-id r, @@ -84,9 +89,10 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, + @{run}/issue r, @{run}/mount/utab r, - owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 602b087bb..78ca6d21b 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi profile drkonqi @{exec_path} { include + include include network inet stream, @@ -22,11 +23,17 @@ profile drkonqi @{exec_path} { @{exec_path} mr, + @{bin}/lsb_release rPx -> lsb_release, + /usr/share/drkonqi/{,**} r, /usr/share/knotifications{5,6}/*.notifyrc r, + owner @{user_cache_dirs}/drkonqi/ rw, + owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, + owner @{user_config_dirs}/drkonqirc r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index b745dea62..32ad8cd86 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}org_kde_powerdevil profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include + include include include include diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 6dd771859..db135515b 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -91,6 +91,7 @@ profile kioworker @{exec_path} { @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 359297e42..c6cfa9587 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -30,6 +30,14 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/libheif/** mr, @{lib}/{,@{multiarch}/}utempter/utempter rPx, + # Some CLI program can be launched directly from KDE + @{bin}/btop rPUx, + @{bin}/htop rPx, + @{bin}/micro rPUx, + @{bin}/nvtop rPx, + @{bin}/nvtop rPx, + @{bin}/vim rUx, + /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, /usr/share/knotifications{5,6}/konsole.notifyrc r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 0be47a752..74020b468 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/kscreenlockerrc.lock rwk, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/plasmashellrc r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 463aec245..97ecd5c22 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -22,6 +22,7 @@ profile ksplashqml @{exec_path} { /usr/share/plasma/** r, /etc/machine-id r, + /etc/xdg/plasmarc r, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksplash/ rw, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index c5451f4ae..2393f9201 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -104,6 +104,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 825a28ba0..f3f37b6fd 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -59,6 +59,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /opt/**/share/icons/{,**} r, /opt/*/**/*.desktop r, /opt/*/**/*.png r, + /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, /usr/share/desktop-base/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, @@ -93,6 +94,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{MOUNTS}/ r, @{HOME}/ r, + owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_pictures_dirs}/{,**} r, @@ -186,6 +188,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/kdesud_:@{int} w, owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @@ -205,6 +208,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{PROC}/ r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/diskstats r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index ffcf93783..384c1da8b 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -9,7 +9,10 @@ include @{exec_path} = @{bin}/systemsettings profile systemsettings @{exec_path} { include + include include + include + include include include include @@ -22,7 +25,9 @@ profile systemsettings @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/cat rix, + @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, @{bin}/lspci rPx, @{bin}/openssl rix, @@ -38,7 +43,8 @@ profile systemsettings @{exec_path} { /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kglobalaccel/* r, /usr/share/kinfocenter/{,**} r, - /usr/share/kinfocenter/{,**} r, + /usr/share/knotifications{5,6}/{,**} r, + /usr/share/solid/{,**} r, /usr/share/kpackage/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, @@ -46,9 +52,9 @@ profile systemsettings @{exec_path} { /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r, /usr/share/plasma/{,**} r, /usr/share/sddm/themes/{,**} r, - /usr/share/sddm/themes/{,**} r, /usr/share/systemsettings/{,**} r, /usr/share/wallpapers/{,**} r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/machine-id r, @@ -56,10 +62,19 @@ profile systemsettings @{exec_path} { /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, + /etc/xdg/* r, + + /var/cache/cracklib/cracklib_dict.* r, + /var/cache/samba/ rw, + /var/lib/AccountsService/icons/* r, + /var/lib/flatpak/repo/{,**} r, + + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/kinfocenter/{,**} rwl, + owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, + owner @{user_cache_dirs}/kinfocenter/{,**} rwlk, owner @{user_cache_dirs}/ksvg-elements rw, owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, @@ -69,22 +84,24 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, owner @{user_config_dirs}/{P,p}lasma* r, + owner @{user_config_dirs}/*rc r, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, + owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/kactivitymanagerdrc r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/kinfocenterrc* rwlk, - owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/kxkbrc r, + owner @{user_config_dirs}/libaccounts-glib/ rw, + owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_share_dirs}/baloo/index r, owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, @@ -98,12 +115,25 @@ profile systemsettings @{exec_path} { owner @{user_share_dirs}/systemsettings/** rwlk, owner @{user_share_dirs}/wallpapers/{,**} r, + owner @{run}/user/@{uid}/#@{int} rw, + + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{sys}/bus/ r, + @{sys}/bus/acpi/devices/ r, @{sys}/bus/cpu/devices/ r, @{sys}/class/ r, + @{sys}/firmware/acpi/pm_profile r, + @{PROC}/interrupts r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/ r, + /dev/bus/usb/ r, + /dev/input/ r, + /dev/rfkill r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge index 0f6aeb48a..f5139eb13 100644 --- a/apparmor.d/groups/kde/xwaylandvideobridge +++ b/apparmor.d/groups/kde/xwaylandvideobridge @@ -20,6 +20,8 @@ profile xwaylandvideobridge @{exec_path} { owner @{user_cache_dirs}/xwaylandvideobridge/ rw, owner @{user_cache_dirs}/xwaylandvideobridge/** rwk, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + include if exists } diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index fa4e0a5d5..5be9abb71 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -20,7 +20,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{bin}/dnsmasq rPx, - /etc/libvirt/libvirt.conf r, + /etc/libvirt/*.conf r, owner /var/lib/libvirt/dnsmasq/*.macs* rw, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 38f84a8eb..7e2c76c92 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -29,8 +29,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/*.ids r, /usr/share/pci.ids r, - /etc/libvirt/libvirt.conf r, - /etc/libvirt/virtnodedevd.conf r, + /etc/libvirt/*.conf r, /etc/mdevctl.d/{,**} r, @{run}/systemd/inhibit/@{int}.ref rw, @@ -64,6 +63,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c203:@{int} r, # CPU CPUID information @@ -90,6 +90,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/mtrr w, + owner @{PROC}/uptime r, include if exists } diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 7130edfa6..3ef20199d 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -25,8 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper - /etc/libvirt/**/ r, - /etc/libvirt/libvirt.conf r, + /etc/libvirt/{,**} r, # For disk images @{MOUNTS}/ r, diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 71823cb4c..30c03508a 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -25,6 +25,7 @@ profile aa-enforce @{exec_path} { /etc/apparmor.d/{,**} rw, @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw, owner /var/lib/snapd/apparmor/{,**} rw, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 58d4713bd..8f3a15fc6 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -57,6 +57,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/*/**/@{bin}/** rmix, /var/lib/flatpak/app/*/**/@{lib}/** rmix, + @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, @{run}/parent/app/** rmix, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 4315fb6e5..0e236f945 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -58,7 +58,7 @@ profile keepassxc @{exec_path} { owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, - owner @{user_config_dirs}/{,kdedefaults/}kdeglobals r, + owner @{user_config_dirs}/keepassxcrc r, # Database locations owner @{user_cache_dirs}/keepassxc/ rw, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 4b9812c55..60ea019aa 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -12,12 +12,14 @@ profile libreoffice @{exec_path} { include include include + include include include include include include include + include include include include @@ -59,21 +61,28 @@ profile libreoffice @{exec_path} { @{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w, /usr/share/hyphen/{,**} r, + /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/libexttextcat/{,**} r, /usr/share/liblangtag/{,**} r, /usr/share/libreoffice/{,**} r, /usr/share/mythes/{,**} r, + /usr/share/thumbnailers/{,**} r, /etc/java-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, + /etc/xdg/* r, owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/trashrc r, + owner @{user_config_dirs}/plasma_workspace.notifyrc r, + owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/kcminputrc r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/user-places.xbel r, owner @{tmp}/ r, owner @{tmp}/@{rand6} rwk, @@ -83,6 +92,8 @@ profile libreoffice @{exec_path} { owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{run}/user/@{uid}/#@{int} rw, + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, @{sys}/kernel/mm/hugepages/ r, @@ -95,6 +106,7 @@ profile libreoffice @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 6f4e290d6..6f01bc8f0 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -46,6 +46,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { @{run}/ r, @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/?@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index ad57f8615..c5e741b8f 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -36,6 +36,7 @@ profile xauth @{exec_path} { owner @{tmp}/xauth_@{rand6} r, owner @{tmp}/xauth_@{rand6}-c w, owner @{tmp}/xauth_@{rand6}-l wl, + owner @{tmp}/xauth.@{rand10}-c w, owner @{run}/user/@{uid}/xauth_@{rand6} rw, owner @{run}/user/@{uid}/xauth_@{rand6}-c w,