diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict
index 50de5882c..c63a6b094 100644
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@@ -25,7 +25,7 @@ owner @{HOME}/.Xauthority r,
 owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
 owner @{run}/user/@{uid}/X11/Xauthority r,
- owner @{run}/user/@{uid}/xauth_* r,
+ @{run}/user/@{uid}/xauth_* rl,
 # Xwayland
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache
index b4f34d775..60d18a39d 100644
--- a/apparmor.d/abstractions/qt5-shader-cache
+++ b/apparmor.d/abstractions/qt5-shader-cache
@@ -4,9 +4,9 @@ abi ,
- owner @{HOME}/.cache/qtshadercache/ rw,
- owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
- owner @{HOME}/.cache/qtshadercache/@{hex} rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
- owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw,
- owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache/ rw,
+ owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw,
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper
index 567ba1fd0..1ebb8a13e 100644
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
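Review bot: The replacement rule `@{run}/user/@{uid}/xauth_* rl,` drops the `owner` qualifier, so nothing in the rule ties the cookie file to the uid of the confined process any more. AppArmor expands variables when the policy is loaded, so `@{uid}` is only a path pattern and cannot stand in for the caller's uid; `owner` was the one part doing that job. For a profile running as the session user the runtime directory's DAC permissions still narrow this, but the same rule is added to sddm and xauth, which can run as root, and there it permits reading any user's X cookie under `@{run}/user/`. If the motivation is that the cookie is created by the display manager and is not owned by the session uid, say so in a comment next to the rule (something like `# no owner: file is created by the display manager before the session starts`, if that is what happens) and keep `owner` wherever the file is in fact user-owned. The same change is made in ksmserver, sddm, startplasma-x11, xdm-xsession and xauth.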
@@ -31,7 +31,7 @@ profile dbus-daemon-launch-helper @{exec_path} {
 /usr/share/usb-creator/usb-creator-helper rPx,
 /usr/share/hplip/pkservice.py rPx,
- /usr/share/dbus-1/{,**} r,
+ /usr/share/dbus-1*/{,**} r,
 /etc/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index cf5a2c51a..b2d716d0d 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{libexec}/geoclue
+@{exec_path} = @{libexec}/geoclue @{libexec}/geoclue-2.0/demos/agent
 profile geoclue @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index 23ccc75d6..87bdcd548 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -40,7 +40,7 @@ profile evolution-addressbook-factory @{exec_path} {
 @{exec_path}-subprocess rix,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/icu/{,**} r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 owner @{user_share_dirs}/evolution/{,**} rwk,
 owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index c1422f4bb..a09e2f405 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -83,7 +83,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 /usr/share/egl/{,**} r,
 /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/gnome-shell/{,**} r,
- /usr/share/icu/{,**} r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/X11/xkb/** r,
 /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index f4aeb0986..9b5f38f2c 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
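Review bot: `/usr/share/dbus-1*/{,**} r,` turns a fixed directory into an open prefix match, so any sibling whose name starts with `dbus-1` becomes readable recursively. If one specific versioned directory triggered the denial, an explicit alternation such as `/usr/share/dbus-1{,<suffix>}/{,**} r,` (with the real suffix) documents the intent and does not grow silently as packages add directories. A short comment naming the path that was denied would also help the next reader; the profile block starts before this hunk.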
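Review bot: Adding `@{libexec}/geoclue-2.0/demos/agent` to `@{exec_path}` attaches the demo agent to the daemon's profile, so the agent receives every rule the daemon has been granted. As far as I know the daemon runs as a system service while the agent runs inside a user session, so their needs differ and a separate profile for the agent would keep each to its own minimum. If sharing the profile is deliberate, a comment above the assignment saying why would help.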
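Review bot: `/usr/share/icu/[0-9]*.[0-9]*/*.dat r,` is a welcome narrowing of `/usr/share/icu/{,**}`, but the identical line is now repeated in eight profiles in this commit (also gjs-console, gnome-extensions-app, kreadconfig, kwalletd5, sddm, sddm-greeter and startplasma-x11). A small abstraction holding that one rule, included from each profile, keeps the pattern in one place for the next time the ICU layout changes. This is a style point only; the pattern itself is fine.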
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -26,7 +26,7 @@ profile gnome-extensions-app @{exec_path} {
 /{usr/,}bin/gjs-console rix,
 /usr/share/gnome-shell/org.gnome.Extensions* r,
- /usr/share/icu/{,**} r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/terminfo/x/xterm-256color r,
 /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig
index f3c438251..dd7cd5a96 100644
--- a/apparmor.d/groups/kde/kreadconfig
+++ b/apparmor.d/groups/kde/kreadconfig
@@ -12,7 +12,7 @@ profile kreadconfig @{exec_path} {
 @{exec_path} mr,
- /usr/share/icu/{,**} r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /etc/xdg/kdeglobals r,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 984a41a5b..56fc00efa 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/ksmserver
-profile ksmserver @{exec_path} flags=(attach_disconnected) {
+profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
@@ -26,6 +26,8 @@ profile ksmserver @{exec_path} flags=(attach_disconnected) {
 /usr/share/qt/translations/*.qm r,
 /usr/share/knotifications5/*.notifyrc r,
+ /etc/machine-id r,
+ owner @{HOME}/?????? rw,
 owner @{HOME}/.Xauthority rw,
@@ -34,7 +36,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/kdedefaults/* r,
 owner @{user_config_dirs}/kdeglobals r,
 owner @{user_config_dirs}/kscreenlockerrc r,
+ owner @{user_config_dirs}/ksmserverrc.?????? rwl,
 owner @{user_config_dirs}/ksmserverrc r,
+ owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/ksmserverrc.lock rwk,
 owner @{user_config_dirs}/kwinrc r,
 owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
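Review bot: `owner @{HOME}/?????? rw,` grants read and write on every six-character name directly under the home directory, which includes ordinary user files that merely happen to be six characters long. If this is a temporary file that a library creates next to its target, the target's prefix belongs in the pattern, as `ksmserverrc.??????` does in the next hunk of this file; if the file really has no fixed prefix, a comment saying what creates it would help. The profile block starts before this hunk.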
@@ -43,8 +48,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
- owner @{run}/user/@{uid}/xauth_* r,
-
+ # owner @{run}/user/@{uid}/xauth_* r,
+ @{run}/user/@{uid}/xauth_* rl,
+ @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
 @{PROC}/sys/kernel/core_pattern r,
diff --git a/apparmor.d/groups/kde/kwalletd5 b/apparmor.d/groups/kde/kwalletd5
index 667ec32c1..d4ff6ff78 100644
--- a/apparmor.d/groups/kde/kwalletd5
+++ b/apparmor.d/groups/kde/kwalletd5
@@ -33,7 +33,7 @@ profile kwalletd5 @{exec_path} {
 /usr/share/color-schemes/{,**} r,
 /usr/share/hwdata/pnp.ids r,
- /usr/share/icu/72.1/icudt72l.dat r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/qt/translations/*.qm r,
 /usr/share/qt5/qtlogging.ini r,
 /usr/share/qt5ct/** r,
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
index f424a01ec..3b6da3740 100644
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -41,6 +41,7 @@ profile kwin_x11 @{exec_path} {
 owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
 owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
 owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
+ owner @{user_cache_dirs}/session/#[0-9]* rw,
 owner @{user_config_dirs}/#[0-9]* rw,
 owner @{user_config_dirs}/kcminputrc r,
@@ -50,6 +51,7 @@ profile kwin_x11 @{exec_path} {
 owner @{user_config_dirs}/kwinrc{,.??????} rwl,
 owner @{user_config_dirs}/kwinrulesrc r,
 owner @{user_config_dirs}/kxkbrc r,
+ owner @{user_config_dirs}/session/kwin_* rwk,
 @{PROC}/sys/kernel/core_pattern r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 113c71abe..6624ca3b6 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
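Review bot: The old rule is kept as the comment `# owner @{run}/user/@{uid}/xauth_* r,` directly above its replacement, which leaves a dead line that says nothing about why `owner` was removed. Either delete it or turn it into an explanation of the change; the same leftover appears in sddm as `# @{run}/sddm/* w,` after that rule was narrowed to `@{run}/sddm/\{@{uuid}\} rw,`. The profile block starts before this hunk.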
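Review bot: The new `owner @{user_cache_dirs}/session/#[0-9]* rw,` sits under the cache tree, while the second hunk of this file adds the session files themselves under `@{user_config_dirs}/session/kwin_*`. If the anonymous `#[0-9]*` inode is the temporary created while those kwin_* files are written, the cache rule would be pointing at a different directory; worth confirming which tree the denial came from before both rules land. The profile block starts before this hunk.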
@@ -8,9 +8,10 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/sddm
-profile sddm @{exec_path} flags=(attach_disconnected) {
+profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ include
 include
 include
 include
@@ -18,7 +19,7 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 capability audit_write,
 capability chown,
@@ -77,6 +78,7 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 /usr/share/plasma/desktoptheme/** r,
 /usr/share/sddm/faces/.*.icon r,
 /usr/share/sddm/themes/** r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xsessions/{,*.desktop} r,
 /var/lib/AccountsService/icons/*.icon r,
@@ -119,10 +121,13 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 @{run}/faillock/[a-zA-z0-9]* rwk,
 @{run}/sddm.pid rw,
- @{run}/sddm/* w,
+ @{run}/sddm/\{@{uuid}\} rw,
+ # @{run}/sddm/* w,
 @{run}/systemd/sessions/*.ref rw,
 owner @{run}/sddm/ rw,
 owner @{run}/user/@{uid}/kwallet5.socket rw,
+ @{run}/user/@{uid}/xauth_* rl,
+ owner @{run}/user/@{uid}/#[0-9]* rw,
 @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/loginuid rw,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index b19c8876f..ea14d61f0 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -20,20 +20,30 @@ profile sddm-greeter @{exec_path} {
 include
 include
+ network netlink raw,
+ @{exec_path} mr,
- /usr/share/sddm/{,**} r,
+ @{libexec}/libheif/ r,
+ @{libexec}/libheif/*.so* rm,
+ /usr/share/desktop-base/softwaves-theme/login/*.svg r,
+ /usr/share/hwdata/pnp.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/plasma/desktoptheme/** r,
 /usr/share/qt5ct/** r,
+ /usr/share/sddm/{,**} r,
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xsessions/{,*.desktop} r,
- /usr/share/hwdata/pnp.ids r,
+ /usr/share/wallpapers/{,**} r,
+ /usr/share/hunspell/** r,
- /etc/sddm.conf.d/{,*} r,
- /etc/sddm.conf r,
 /etc/fstab r,
 /etc/machine-id r,
+ /etc/sddm.conf r,
+ /etc/sddm.conf.d/{,*} r,
+ /etc/xdg/kdeglobals r,
+ /etc/xdg/plasmarc r,
 /var/lib/AccountsService/icons/*.icon r,
 /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/groups/kde/startplasma-x11 b/apparmor.d/groups/kde/startplasma-x11
index 03ebeeb3b..264e260c4 100644
--- a/apparmor.d/groups/kde/startplasma-x11
+++ b/apparmor.d/groups/kde/startplasma-x11
@@ -10,6 +10,7 @@ include
 profile startplasma-x11 @{exec_path} {
 include
 include
+ include
 @{exec_path} mr,
@@ -20,7 +21,7 @@ profile startplasma-x11 @{exec_path} {
 /usr/share/color-schemes/{,**} r,
 /usr/share/desktop-directories/{,**} r,
- /usr/share/icu/{,**} r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/knotifications5/{,**} r,
 /usr/share/kservices5/{,**} r,
 /usr/share/kservicetypes5/{,**} r,
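Review bot: `network netlink raw,` opens raw netlink sockets for every netlink family, since as far as I know AppArmor cannot narrow this rule to a single family, and nothing in the hunk says what needs it. A comment above the rule naming the component that requires it (the nearby `/usr/share/hwdata/pnp.ids r,` hints at device enumeration, but that is a guess) would let a later reviewer judge whether it is still needed. The profile block starts before this hunk.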
@@ -39,12 +40,13 @@ profile startplasma-x11 @{exec_path} {
 owner @{user_cache_dirs}/ksycoca5_* rwkl,
 owner @{user_cache_dirs}/plasma-svgelements rw,
+ owner @{user_config_dirs}/#[0-9]* rw,
 owner @{user_config_dirs}/gtkrc rl,
 owner @{user_config_dirs}/gtkrc-2.0 rl,
 owner @{user_config_dirs}/kcminputrc r,
 owner @{user_config_dirs}/kdedefaults/ rw,
 owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
- owner @{user_config_dirs}/kdeglobals{,.??????} rwl,
+ owner @{user_config_dirs}/kdeglobals* rwl,
 owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
 owner @{user_config_dirs}/plasma-localerc rwl,
 owner @{user_config_dirs}/plasma-localerc.lock rwk,
@@ -56,6 +58,8 @@ profile startplasma-x11 @{exec_path} {
 owner /tmp/#[0-9][0-9] rw,
 owner /tmp/startplasma-x11.?????? rwl,
+ @{run}/user/@{uid}/xauth_* rl,
+ @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/sys/kernel/random/boot_id r,
diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession
index 471e3b96e..0a048455d 100644
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@@ -12,6 +12,7 @@ profile xdm-xsession @{exec_path} {
 include
 include
 include
+ include
 @{exec_path} mr,
@@ -73,6 +74,7 @@ profile xdm-xsession @{exec_path} {
 owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
 owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{run}/user/@{uid}/gnupg/sshcontrol r,
+ @{run}/user/@{uid}/xauth_* rl,
 owner /tmp/ssh-*/ rw,
 owner /tmp/ssh-*/agent.* rw,
diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth
index 7b7f4902f..3b9357741 100644
--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@@ -31,8 +31,8 @@ profile xauth @{exec_path} {
 owner /tmp/serverauth.*-n rw,
 owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n,
- owner @{run}/user/@{uid}/xauth_?????? rw,
 owner /tmp/runtime-*/xauth_?????? r,
+ @{run}/user/@{uid}/xauth_?????? rw,
 include if exists
 }
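Review bot: `owner @{user_config_dirs}/kdeglobals* rwl,` widens the previous `kdeglobals{,.??????}` to every name starting with kdeglobals, and with `l` it also covers linking any such file. If a new variant was observed, adding it to the alternation (`kdeglobals{,.??????,<observed suffix>}`) keeps the rule explicit; an open glob on a config file that other profiles in this commit read with plain `r` (ksmserver's `owner @{user_config_dirs}/kdeglobals r,`) is easy to overreach with. The profile block starts before this hunk.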
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 3a1465d6c..4e1bc78c1 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -134,7 +134,7 @@ kauth-kded-smart-helper complain
 kernel-install complain
 kgx complain
 kmod attach_disconnected,complain
-ksmserver attach_disconnected,complain
+ksmserver attach_disconnected,mediate_deleted,complain
 kwin_x11 complain
 landscape-sysinfo complain
 landscape-sysinfo.wrapper complain
@@ -275,7 +275,7 @@ virt-manager attach_disconnected,complain
 virtinterfaced attach_disconnected,complain
 virtiofsd complain,attach_disconnected
 virtlockd complain
-virtnetworkd complain
+virtnetworkd complain,attach_disconnected
 virtnodedevd attach_disconnected,complain
 virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
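Review bot: `virtnetworkd complain,attach_disconnected` gains a flag here without any change to the virtnetworkd profile in this commit, whereas ksmserver's header was updated together with its line in this file. If the profile header is expected to mirror main.flags, virtnetworkd's header needs the same edit; conversely sddm's header gains `mediate_deleted` in this commit but no sddm line changes in these hunks, unless that is handled elsewhere in the file. Keeping the two in step within one commit avoids the profile and the dist flags disagreeing about which flags apply.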