diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 7294daab5..50de5882c 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -30,4 +30,7 @@ # Xwayland owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + /etc/X11/cursors/{,**} r, + /usr/share/X11/{,**} r, + include if exists diff --git a/apparmor.d/abstractions/dbus-gtk b/apparmor.d/abstractions/dbus-gtk index c845a7476..b4f0b9213 100644 --- a/apparmor.d/abstractions/dbus-gtk +++ b/apparmor.d/abstractions/dbus-gtk @@ -28,7 +28,7 @@ dbus (send, receive) bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications - peer=(name="{org.freedesktop.Notifications,:*}"), + peer=(name="{org.freedesktop.Notifications,org.freedesktop.DBus,:*}"), # all members dbus (receive) bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index b580e611f..a6be314df 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -4,3 +4,10 @@ # SPDX-License-Identifier: GPL-2.0-only owner @{HOME}/.icons/default/index.theme r, + + @{system_share_dirs}/*ubuntu/applications/{**,} r, + @{system_share_dirs}/gnome/applications/{**,} r, + @{system_share_dirs}/xfce4/applications/{**,} r, + + /etc/gnome/defaults.list r, + /etc/xfce4/defaults.list r, diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index 55756ea30..f138db31d 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird @@ -8,6 +8,9 @@ abi , include +@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox +@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox + @{MOZ_LIBDIR} = /{usr/,}lib/thunderbird @{MOZ_HOMEDIR} = @{HOME}/.thunderbird @{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird 
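Review bot: `@{FIREFOX_BIN}` is declared verbatim in this thunderbird hunk and again in the qbittorrent profile further down, while the firefox profile extends its own `@{MOZ_LIBDIR}` with `/opt/firefox{,-esr}` independently, so three copies of the same install-location list now have to be kept in sync by hand. Consider defining it once in a shared tunable the profiles include and keeping only the `@{FIREFOX_BIN} rPx,` users here; a profile whose list drifts would silently stop transitioning to the firefox profile for that install path. The surrounding variable block is complete within the hunk, but the profile body is outside it.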
@@ -17,12 +20,13 @@ include profile thunderbird @{exec_path} { include include - include + include + include include + include + include include include - include - include include include include @@ -30,10 +34,9 @@ profile thunderbird @{exec_path} { include include include - include include - include include + include include include include @@ -54,28 +57,30 @@ profile thunderbird @{exec_path} { owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, - dbus (send) bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RequestName peer=(name=org.freedesktop.DBus), - dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]* + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]* member={Get,MakeThreadHighPriority,MakeThreadRealtime} peer=(name=org.freedesktop.RealtimeKit[0-9]*), - dbus (send) bus=system path=/org/freedesktop/UPower + dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices peer=(name=org.freedesktop.UPower), - dbus (send) bus=session path=/ca/desrt/dconf/Writer/user + dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member={Change,Notify} peer=(name=ca.desrt.dconf), - dbus (bind) bus=session + dbus bind bus=session name=org.mozilla.thunderbird.*, + deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*, + owner /tmp/dbus-[0-9a-zA-Z]* rw, @{exec_path} mrix, @@ -121,6 +126,7 @@ profile thunderbird @{exec_path} { owner @{HOME}/ r, owner @{HOME}/Mail/ rw, owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**, + owner @{user_share_dirs}/ r, # Fix error in libglib while saving files as /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -143,7 +149,6 @@ profile thunderbird @{exec_path} { /usr/share/qt5ct/** r, # gnome-tiny - /etc/gnome/defaults.list r, /usr/share/gvfs/remote-volume-monitors/{,*} r, @{run}/mount/utab r, 
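Review bot: The new `owner /tmp/dbus-[0-9a-zA-Z]* rw,` and `deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,` lines in the -54/+57 hunk are not thunderbird-specific: the same `/tmp/dbus-` rule appears as context in the qbittorrent profile and the same hostname deny is added to firefox in this commit. Those look like candidates for a shared abstraction rather than per-profile copies; at minimum a short comment on each explaining why the profile needs them would make the next reviewer less likely to remove them. The `dbus (send)` → `dbus send` rewrite in the same hunk is a pure syntax normalisation and needs nothing further.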
@@ -195,13 +200,12 @@ profile thunderbird @{exec_path} { /etc/timezone r, /usr/share/sounds/freedesktop/stereo/*.oga r, - /usr/share/ubuntu/applications/{,*} r, # Silencer deny /{usr/,}lib/thunderbird/** w, /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-{open,mime} rCx -> open, /{usr/,}bin/exo-open rCx -> open, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @@ -213,11 +217,11 @@ profile thunderbird @{exec_path} { /{usr/,}bin/gpgsm rCx -> gpg, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/viewnior rPUx, /{usr/,}bin/engrampa rPx, /{usr/,}bin/geany rPx, + @{FIREFOX_BIN} rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -284,21 +288,22 @@ profile thunderbird @{exec_path} { /{usr/,}bin/exo-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,m,g}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,m,g}awk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/xfce4-mime-helper rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/viewnior rPUx, /{usr/,}bin/engrampa rPx, /{usr/,}bin/geany rPx, + @{FIREFOX_BIN} rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index 9ebee31d2..b09d5c8aa 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc 
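Review bot: Widening the transition to `/{usr/,}bin/xdg-{open,mime} rCx -> open,` only works if the `open` child profile also grants `mr` on xdg-mime; the -284/+288 hunk of that child shows `exo-open mr` and `gio-launch-desktop mr` as context but the line that would cover xdg-mime is not visible, so please confirm it was widened to match (`/{usr/,}bin/xdg-{open,mime} mr,`). Without it the rCx transition succeeds and the execution is then denied inside the child. The `open` profile's beginning lies outside this hunk.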
@@ -53,30 +53,27 @@ include profile vlc @{exec_path} { include include - include + include include include include include + include include - include + include include + include include include - include - include - include include include include - include + include include include include - include - -# capability sys_ptrace, -# ptrace (read), + include + include signal (receive) set=(term, kill) peer=anyremote//*, 
@@ -86,67 +83,62 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, - dbus (send) bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus), - dbus (receive) bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.Notifications - member=NotificationClosed - peer=(name=:*), - - dbus (send) bus=session path=/org/a11y/bus + dbus send bus=session path=/org/a11y/bus interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.a11y.Bus), - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member={Get,RegisterStatusNotifierItem} peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierItem + dbus send bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon} peer=(name=org.freedesktop.DBus), - dbus (receive) bus=session path=/StatusNotifierItem + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member=Activate peer=(name=:*), - dbus (receive) bus=session path=/StatusNotifierItem + dbus receive bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name=:*), - dbus (send) bus=session path=/ScreenSaver + dbus send bus=session path=/ScreenSaver 
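Review bot: Dropping the `dbus (receive) … /org/freedesktop/Notifications … member=NotificationClosed peer=(name=:*)` rule relies on some included abstraction now covering it; the dbus-gtk hunk in this same commit widens its Notifications rule to all members with `{org.freedesktop.Notifications,org.freedesktop.DBus,:*}` peers, which would do that only if vlc includes dbus-gtk. The include targets are stripped in this diff, so I cannot verify that from here; if it is not included, vlc will start logging denials for the close signal again. A one-line comment naming the abstraction that replaces the removed rule would make the dependency explicit.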
interface=org.freedesktop.ScreenSaver member={Inhibit,UnInhibit} peer=(name=org.freedesktop.ScreenSaver), - dbus (receive) bus=session path=/MenuBar + dbus receive bus=session path=/MenuBar interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - dbus (send) bus=session path=/MenuBar + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member={LayoutUpdated,ItemsPropertiesUpdated} peer=(name=org.freedesktop.DBus), - dbus (receive) bus=session path=/MenuBar + dbus receive bus=session path=/MenuBar interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} peer=(name=:*), 
@@ -157,47 +149,47 @@ profile vlc @{exec_path} { dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 interface=org.mpris.MediaPlayer2.* - peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), # all members + peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members -# dbus (send) bus=system path=/ +# dbus send bus=system path=/ # interface=org.freedesktop.DBus.Peer # member=Ping, # peer=(name="org.freedesktop.Avahi"), - dbus (send) bus=accessibility path=/org/freedesktop/DBus + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch} peer=(name=org.freedesktop.DBus), - dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed peer=(name=org.a11y.atspi.Registry), - dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set peer=(name=:*), - dbus (send) bus=accessibility path=/org/a11y/atspi/registry + dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents peer=(name=org.a11y.atspi.Registry), - dbus (receive) bus=accessibility path=/org/a11y/atspi/registry + dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=EventListenerDeregistered peer=(name=:*), - dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} peer=(name=org.a11y.atspi.Registry), - dbus (bind) bus=session + dbus bind bus=session name=org.kde.StatusNotifierItem-*, - dbus (bind) bus=session + dbus bind bus=session 
name=org.mpris.MediaPlayer2.vlc{,.instance*}, @{exec_path} mrix, @@ -257,6 +249,7 @@ profile vlc @{exec_path} { /etc/fstab r, /usr/share/hwdata/pnp.ids r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, # Be able to turn off the screensaver while playing movies /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, @@ -294,4 +287,4 @@ profile vlc @{exec_path} { } include if exists -} +} \ No newline at end of file diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 9faf2ba4e..0af31a95f 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -8,6 +8,7 @@ include @{exec_path} = /usr/share/command-not-found/command-not-found @{exec_path} += /{usr/,}bin/command-not-found +@{exec_path} += /{usr/,}lib/command-not-found profile command-not-found @{exec_path} { include include @@ -23,5 +24,8 @@ profile command-not-found @{exec_path} { /usr/share/command-not-found/{,**} r, + # Silencer + deny /usr/lib/ r, + include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 3d90db6e0..f2421d3af 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -9,7 +9,8 @@ abi , include -@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} +@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} +@{MOZ_LIBDIR} += /opt/firefox{,-esr} @{MOZ_HOMEDIR} = @{HOME}/.mozilla @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr} profile firefox @{exec_path} flags=(attach_disconnected) { @@ -17,8 +18,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include - include include + include include include include @@ -31,6 +32,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include + include + include + include capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 
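Review bot: The -294/+287 hunk of the vlc profile ends with `\ No newline at end of file`, i.e. the commit removes the trailing newline after the closing `}` while changing nothing else on that line; the file should keep its final newline so the closing brace line is complete and future diffs do not churn on it. The `gschemas.compiled r,` addition earlier in the file is fine.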
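Review bot: In the command-not-found profile, `deny /usr/lib/ r,` is written with a literal `/usr/lib/` while the new `@{exec_path} += /{usr/,}lib/command-not-found` uses the `/{usr/,}lib/` form; since AppArmor deny rules override any allow from included abstractions, this silencer will also block a directory listing of `/usr/lib/` that an abstraction might grant, which is presumably intended but worth stating in the comment, e.g. `# Silencer: deny overrides abstractions granting /usr/lib/ listing`. If the silencer is meant to match the exec path on non-merged-usr systems, write it as `deny /{usr/,}lib/ r,` for consistency.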
@@ -46,6 +50,83 @@ profile firefox @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=:*), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=SettingChanged + peer=(name=:*), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member={GetAll,Read} + peer=(name=:*), + + dbus send bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.UPower + member=EnumerateDevices + peer=(name=org.freedesktop.UPower), + + dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit + interface=org.freedesktop.PowerManagement.Inhibit + member=Inhibit + peer=(name=org.freedesktop.PowerManagement), + + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]* + member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID} + peer=(name=org.freedesktop.RealtimeKit[0-9]*), + + dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name="{org.freedesktop.DBus,:*}"), + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Playlists + member=GetPlaylists + peer=(name=:*), + + dbus receive bus=system path=/org/freedesktop/login[0-9]* + interface=org.freedesktop.login[0-9]*.Manager + member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown} + peer=(name=:*), + + dbus send bus=session path=/org/gtk/vfs/metadata + 
interface=org.gtk.vfs.Metadata + member=GetTreeFromDevice + peer=(name=:*), + + dbus send bus=session path=/org/mozilla/firefox/Remote + interface=org.mozilla.firefox + member=OpenURL + peer=(name=org.mozilla.firefox.* label=firefox), + + dbus receive bus=session path=/org/mozilla/firefox/Remote + interface=org.mozilla.firefox + member=OpenURL + peer=(name=:* label=firefox), + + dbus bind bus=session + name=org.mpris.MediaPlayer2.firefox.*, + + dbus bind bus=session + name=org.mozilla.firefox.*, + + deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, @@ -59,8 +140,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{libexec}/gvfsd-metadata rPx, /{usr/,}bin/browserpass rPx, - /{usr/,}bin/gpa rPUx, - /{usr/,}bin/keepassxc-proxy rPUx, + /{usr/,}bin/gpa rPx, + /{usr/,}bin/keepassxc-proxy rPx, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/update-mime-database rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, @@ -81,6 +162,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/viewnior rPUx, /{usr/,}bin/vlc rPx, /{usr/,}bin/xarchiver rPx, + /{usr/,}bin/evince rPx, /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, /{usr/,}lib/mozilla/plugins/ r, @@ -88,13 +170,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /usr/share/doc/{,**} r, /usr/share/egl/{,**} r, - /usr/share/firefox/{,**} r, + /usr/share/firefox{,-esr}/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/firefox/{,**} r, + /etc/firefox{,-esr}/{,**} r, /etc/fstab r, /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, 
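Review bot: In the firefox dbus block, the rule `dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={GetAll,Read} peer=(name=:*),` looks like a mix-up: `Read` is the Settings-portal method already allowed two rules up under `org.freedesktop.portal.Settings`, whereas the standard Properties interface carries Get/GetAll/Set. If an audit log genuinely showed `Read` on the Properties interface, a comment saying so would stop it being "fixed" later; otherwise drop `Read` from this rule. The `label=firefox` constraint on the `/org/mozilla/firefox/Remote` OpenURL send/receive pair is the right shape and worth keeping as the pattern for other profile-to-profile rules. The enclosing profile body continues past this hunk.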
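Review bot: Changing `/{usr/,}bin/gpa` and `/{usr/,}bin/keepassxc-proxy` from `rPUx` to `rPx` means execution now hard-fails when no profile named for those binaries is loaded, where `rPUx` previously fell back to unconfined; this diff does not add such profiles, so please confirm both exist in the tree, otherwise the KeePassXC native-messaging bridge and gpa launch break with only a denial in the log. If one of them is still unprofiled, keep `rPUx` for that line.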
@@ -103,8 +185,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /etc/opensc.conf r, /etc/xul-ext/kwallet5.js r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + # gnome-tiny + @{run}/mount/utab r, owner @{HOME}/ r, @@ -118,7 +200,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r, owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_cache_dirs}/ rw, @@ -130,14 +212,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, + owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw, /var/tmp/ r, /tmp/ r, owner /tmp/* rw, owner /tmp/firefox_*/ rw, owner /tmp/firefox_*/* rwk, - owner /tmp/firefox/ rw, - owner /tmp/firefox/* rwk, + owner /tmp/firefox{,-esr}/ rw, + owner /tmp/firefox{,-esr}/* rwk, owner /tmp/mozilla_*/ rw, owner /tmp/mozilla_*/* rw, owner /tmp/Temp-*/ rw, @@ -171,6 +254,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{PROC}/@{pid}/smaps r, deny owner @{PROC}/@{pid}/stat r, deny owner @{PROC}/@{pid}/statm r, 
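Review bot: `owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,` lets the confined process create launcher entries in the user's applications directory, which is a location other desktop components will execute from; the tight `userapp-Firefox-??????` pattern is what keeps this acceptable, so add a comment naming the feature that needs it (presumably the "create shortcut"/web-app flow — confirm) so the pattern is not widened to `*.desktop` later. In the -103/+185 hunk the `/var/lib/dbus/machine-id r,` and `/etc/machine-id r,` rules are removed with no replacement visible; I assume an abstraction now grants them, but the include targets are stripped here, so please double-check firefox does not start logging denials on machine-id reads.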
@@ -189,10 +273,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) { deny /dev/shm/ r, # Silencer - deny /{usr/,}lib/firefox/** w, + deny @{MOZ_LIBDIR}/** w, deny capability sys_ptrace, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{HOME}/.* r, + deny /tmp/MozillaUpdateLock-* w, profile open { include @@ -203,7 +288,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,m,g}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, @@ -221,6 +306,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/viewnior rPUx, /{usr/,}bin/vlc rPx, /{usr/,}bin/xarchiver rPx, + /{usr/,}bin/evince rPx, /usr/share/xfce4/exo/exo-compose-mail rPx, owner @{HOME}/ r, @@ -230,6 +316,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # file_inherit owner @{HOME}/.xsession-errors w, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 6d73f41af..7f35caeb5 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,6 +10,7 @@ include profile engrampa @{exec_path} { include include + include include include include 
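Review bot: `deny /tmp/MozillaUpdateLock-* w,` is placed under `# Silencer` but it is not a pure silencer: deny rules take precedence, and the earlier hunk shows `owner /tmp/* rw,` as context, so this line withdraws a write that was previously allowed. That is consistent with `deny @{MOZ_LIBDIR}/** w,` blocking the in-app updater for both the system and `/opt` installs, but it should be documented as a deliberate behaviour change, e.g. `# Updater is blocked via @{MOZ_LIBDIR}; deny its /tmp lock too (overrides owner /tmp/* rw)`. Generalising the lib deny to `@{MOZ_LIBDIR}/**` is the right call given the new `/opt/firefox{,-esr}` entry.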
@@ -17,6 +18,60 @@ profile engrampa @{exec_path} { include include include + include + include + include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetId + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member={Change,Notify} + peer=(name=ca.desrt.dconf), + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={IsSupported,List} + peer=(name=:*), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={ListMounts2,LookupMount} + peer=(name=:*), + + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*), + + dbus receive bus=session path=/org/gtk/Application/anonymous + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/[0-9]*} + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*), @{exec_path} mr, @@ -69,9 +124,12 @@ profile engrampa @{exec_path} { /usr/share/**.desktop r, /usr/share/**/icons/**.png r, + /etc/magic r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/magic r, + # gnome-tiny + @{run}/mount/utab r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, 
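Review bot: The first new dbus rule uses `peer=(name=org.freedesktop.DBus, label=dbus-daemon)` with a comma between the two peer conditions, whereas every other labelled peer in this commit (for example the firefox `peer=(name=org.mozilla.firefox.* label=firefox)`) separates them with whitespace; I am not certain the parser accepts the comma form, so either confirm it parses or change it to `peer=(name=org.freedesktop.DBus label=dbus-daemon)` for consistency. The `/org/gtk/Application/anonymous{,/window/[0-9]*}` receive rules with `peer=(name=:*)` are broad but follow the existing pattern in the other profiles; a short comment tying them to the GTK application export would help future readers.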
@@ -81,15 +139,15 @@ profile engrampa @{exec_path} { /etc/fstab r, # Allowed apps to open - /{usr/,}bin/engrampa rPx, - /{usr/,}bin/geany rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/spacefm rPx, + /{usr/,}bin/engrampa rPx, + /{usr/,}bin/geany rPx, + /{usr/,}bin/viewnior rPUx, + /{usr/,}bin/spacefm rPx, + /{usr/,}bin/ristretto rPUx, # file_inherit owner /dev/tty[0-9]* rw, - profile open { include include @@ -115,6 +173,7 @@ profile engrampa @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 52fe391b9..1d39cc94e 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -6,11 +6,15 @@ abi , include +@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox +@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox + @{exec_path} = /{usr/,}bin/qbittorrent profile qbittorrent @{exec_path} { include include - include + include + include include include include @@ -20,21 +24,20 @@ profile qbittorrent @{exec_path} { include include include - include include + include include include include include include - include include + include include - include include include - signal (send) set=(term, kill) peer=qbittorrent//python3, + signal send set=(term, kill) peer=qbittorrent//python3, network inet dgram, network inet6 dgram, 
@@ -43,67 +46,67 @@ profile qbittorrent @{exec_path} { network netlink dgram, network netlink raw, - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem peer=(name=org.kde.StatusNotifierWatcher), - dbus (send) bus=session path=/StatusNotifierItem + dbus send bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member={NewToolTip,NewIcon} peer=(name=org.freedesktop.DBus), - dbus (receive) bus=session path=/StatusNotifierItem + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member=Activate peer=(name=:*), - dbus (receive) bus=session path=/StatusNotifierItem + dbus receive bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - dbus (receive) bus=session path=/MenuBar + dbus receive bus=session path=/MenuBar interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - dbus (send) bus=session path=/MenuBar + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member=ItemsPropertiesUpdated peer=(name=org.freedesktop.DBus), - dbus (receive) bus=session path=/MenuBar + dbus receive bus=session path=/MenuBar interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} peer=(name=:*), - dbus (send) bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus), - dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed peer=(name=org.a11y.atspi.Registry), - dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set peer=(name=:*), - dbus (bind) bus=session + dbus bind bus=session name=org.kde.StatusNotifierItem-*, owner /tmp/dbus-[0-9a-zA-Z]* rw, @@ -167,9 +170,6 @@ profile qbittorrent @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - # X-tiny - owner @{run}/user/@{uid}/ICEauthority r, - # gnome-tiny /usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -186,18 +186,28 @@ profile qbittorrent @{exec_path} { /{usr/,}bin/viewnior rPUx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/ebook-viewer rPx, - /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/nautilus rPx, + @{FIREFOX_BIN} rPx, profile open { include include include - dbus (send) bus=session path=/org/gnome/{Nautilus,Totem,gedit} - interface=org.freedesktop.Application - member=Open - peer=(name="org.gnome.{Nautilus,Totem,gedit}"), + dbus send bus=session path=/org/gnome/{Nautilus,Totem,gedit} + interface=org.freedesktop.Application + member=Open + peer=(name="org.gnome.{Nautilus,Totem,gedit}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), /{usr/,}bin/xdg-open mr, 
@@ -210,8 +220,8 @@ profile qbittorrent @{exec_path} { /{usr/,}bin/viewnior rPUx, /{usr/,}bin/qpdfview rPx, /{usr/,}bin/ebook-viewer rPx, - /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/engrampa rPx, + @{FIREFOX_BIN} rPx, /{usr/,}bin/{ba,da,}sh rix, /{usr/,}bin/{g,m,}awk rix,