diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user
index e07bdbd99..aec6065d1 100644
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@@ -8,7 +8,7 @@ / r,
/usr/ r,
/{usr/,}bin/ r,
- /{usr/,}bin/[a-z0-9]* rPUx,
+ /{usr/,}bin/[a-zA-Z0-9]* rPUx,
# Firefox
/{usr/,}lib/ r,
diff --git a/apparmor.d/groups/desktop/blueman b/apparmor.d/groups/desktop/blueman
index 027f633e5..2d2bb7865 100644
--- a/apparmor.d/groups/desktop/blueman
+++ b/apparmor.d/groups/desktop/blueman
@@ -24,6 +24,7 @@ profile blueman @{exec_path} {
network bluetooth raw,
ptrace (read) peer=gjs-console,
+ @{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/blueman-tray rPx,
diff --git a/apparmor.d/groups/desktop/dbus-run-session b/apparmor.d/groups/desktop/dbus-run-session
index 8771b9f66..6f30e7d99 100644
--- a/apparmor.d/groups/desktop/dbus-run-session
+++ b/apparmor.d/groups/desktop/dbus-run-session
@@ -25,6 +25,10 @@ profile dbus-run-session @{exec_path} {
include
owner @{run}/user/[0-9]*/dconf/ rw,
owner @{run}/user/[0-9]*/dconf/user rw,
+ /usr/share/dconf/profile/gdm r,
+ /var/lib/gdm/.config/dconf/user r,
+
+ /dev/tty rw,
include if exists
}
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index 606f51891..01fca301f 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -9,10 +9,10 @@ include
@{exec_path} = /{usr/,}lib/gdm-wayland-session
profile gdm-wayland-session @{exec_path} {
include
+ include
include
include
- include
signal (send) set=(term) peer=dbus-run-session,
signal (send) set=(term) peer=gnome-session-binary,
@@ -30,6 +30,7 @@ profile gdm-wayland-session @{exec_path} {
/{usr/,}bin/dbus-daemon rPx,
/{usr/,}lib/gnome-session-binary rPx,
+ /etc/shells r,
/etc/gdm/custom.conf r,
/usr/share/gdm/gdm.schemas r,
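Review bot: The widened glob on the `rPUx` line still falls back to unconfined execution for every /bin binary that has no profile of its own, and now also for names starting with an uppercase letter; since `*` matches anything but `/`, `[a-zA-Z0-9]*` is effectively "everything in /bin whose first character is alphanumeric". That trade-off deserves a comment next to the rule, e.g. `# Launchers start arbitrary programs; anything without its own profile runs unconfined (PUx)`. If the motivation was a handful of specific capitalised binaries, listing them with `rPx` would keep the unconfined fallback from growing.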
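Review bot: The two gdm dconf paths and `/dev/tty rw` are added to the generic dbus-run-session profile with no comment on which caller needs them; from this diff it is presumably the GDM greeter session (gdm-wayland-session sends this profile SIGTERM), but every other dbus-run-session invocation on the system receives them as well. A short `# Greeter session, launched by gdm-wayland-session` above `/usr/share/dconf/profile/gdm r,` would record that. `/dev/tty rw` is the controlling terminal and is broader than the read access the dconf lines grant; if the denial that motivated it was write-only, `w` alone would be tighter — confirm against the log before narrowing.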
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
index 8a8f7f2e5..a63edb9db 100644
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@@ -20,7 +20,7 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
/usr/share/gdm/gdm.schemas r,
/var/lib/gdm/.cache/gdm/Xauthority rw,
- owner /proc/9503/fd/ r,
+ owner @{PROC}/@{pid}/fd/ r,
/dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index 02b3379ac..3b9739512 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -7,11 +7,11 @@ abi ,
include
@{exec_path} = /etc/gdm/Xsession
-profile sddm-xsession @{exec_path} {
+profile gdm-xsession @{exec_path} {
include
+ include
include
include
- include
@{exec_path} r,
@@ -39,5 +39,5 @@ profile sddm-xsession @{exec_path} {
}
- include if exists
+ include if exists
}
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 5cf1ed073..e8f36308b 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -9,8 +9,8 @@ include
@{exec_path} = /{usr/,}lib/gnome-session-binary
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
include
- include
include
+ include
signal (send) set=(term) peer=gsd-*,
signal (receive) set=(term) peer=gdm-wayland-session,
@@ -67,10 +67,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/[0-9]*/gnome-session-leader-fifo rw,
owner @{run}/user/[0-9]*/ICEauthority{,-[a-z]} rwl,
- @{run}/systemd/users/[0-9]* r,
- @{run}/systemd/sessions/[0-9].ref rw,
- @{run}/systemd/sessions/[0-9] r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
+ @{run}/systemd/sessions/[0-9] r,
+ @{run}/systemd/sessions/[0-9].ref rw,
+ @{run}/systemd/users/[0-9]* r,
@{sys}/devices/**/{vendor,device} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 4aa53cc9f..58902e912 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -69,6 +69,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/libgweather/{,**} r,
owner @{user_cache_dirs}/media-art/{,**} r,
+ owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
include
owner @{run}/user/[0-9]*/dconf/ rw,
@@ -83,6 +84,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* rw,
@{run}/systemd/users/[0-9]* r,
+ @{run}/systemd/sessions/ r,
@{run}/systemd/sessions/[0-9] r,
@{run}/systemd/inhibit/[0-9]*.ref rw,
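Review bot: The re-added `@{run}/systemd/sessions/[0-9] r,` and `@{run}/systemd/sessions/[0-9].ref rw,` lines match only single-digit session IDs, while the neighbouring `users/[0-9]*` and `inhibit/[0-9]*.ref` rules accept any number; logind session IDs are plain counters (and greeter/autologin sessions are commonly named `c1`, `c2`, …), so the tenth login or a greeter session would be denied here. Since the lines are being rewritten anyway, `@{run}/systemd/sessions/*[0-9] r,` and `@{run}/systemd/sessions/*[0-9].ref rw,` would cover both forms. The same single-digit pattern appears as unchanged context in the gnome-shell hunk that follows.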
@@ -120,14 +122,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
- owner @{PROC}/[0-9]*/fd/ r,
- owner @{PROC}/[0-9]*/cgroup r,
- owner @{PROC}/[0-9]*/mounts r,
- owner @{PROC}/[0-9]*/mountinfo r,
- owner @{PROC}/[0-9]*/attr/current r,
- @{PROC}/[0-9]*/stat r,
- @{PROC}/[0-9]*/task/[0-9]*/stat r,
- @{PROC}/[0-9]*/net/* r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/attr/current r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/task/@{tid}/stat r,
+ @{PROC}/@{pid}/net/* r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index ec6cb4b37..6420c8094 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -27,8 +27,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r,
/etc/pulse/client.conf r,
- owner @{user_config_dirs}/pulse/cookie rk,
owner @{user_cache_dirs}/event-sound-cache.tdb.* rwk,
+ owner @{user_config_dirs}/pulse//client.conf r,
+ owner @{user_config_dirs}/pulse/cookie rk,
include
owner @{run}/user/[0-9]*/dconf/ rw,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index a490cb132..bc47ace40 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -9,15 +9,16 @@ include
@{exec_path} = /{usr/,}lib/gsd-xsettings
profile gsd-xsettings @{exec_path} {
include
- include
- include
+ include
+ include
include
+ include
+ include
@{exec_path} mr,
/{usr/,}bin/xrdb rPx,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/drirc.d/{,*} r,
/etc/xdg/Xwayland-session.d/ r,
/etc/xdg/Xwayland-session.d/00-xrdb rix,
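Review bot: `owner @{user_config_dirs}/pulse//client.conf r,` in the gsd-power hunk contains a doubled slash that the neighbouring `pulse/cookie` line does not; a kernel-supplied path never contains `//`, so this rule most likely never matches and the client.conf read it was meant to allow stays denied. It should read `owner @{user_config_dirs}/pulse/client.conf r,`. Even if the parser happens to normalise the path, the single-slash form is what the rest of the profile uses.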
@@ -30,16 +31,10 @@ profile gsd-xsettings @{exec_path} {
/usr/share/dconf/profile/gdm r,
/var/lib/gdm/.config/dconf/user r,
- @{sys}/devices/pci[0-9]*/**/{device,vendor,uevent} r,
- @{sys}/devices/pci[0-9]*/**/{subsystem_device,subsystem_vendor} r,
- owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
owner @{PROC}/@{pid}/fd/ r,
- /dev/dri/ r,
- /dev/dri/renderD[0-9]* rw,
- /dev/tty rw,
/dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index 482e7a63c..759178076 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -17,14 +17,20 @@ profile gvfsd-recent @{exec_path} {
@{exec_path} mr,
/usr/share/mime/mime.cache r,
+ # Full access to user's data
+ owner @{HOME}/{,**} rw,
+ owner /media/*/{,**} rw,
+ owner /mnt/*/{,**} rw,
+ owner @{HOME}/.zshenv r,
owner @{user_config_dirs}/user-dirs.dirs r,
- owner @{HOME}/.local/share/recently-used.xbel r,
+ owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+ owner @{user_share_dirs}/recently-used.xbel r,
owner @{run}/user/[0-9]*/gvfsd/ rw,
owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,
- owner @{PROC}/81380/mountinfo r,
+ owner @{PROC}/@{pid}/mountinfo r,
@{PROC}/sys/kernel/random/boot_id r,
@{run}/systemd/userdb/ r,
diff --git a/apparmor.d/profiles-a-l/git b/apparmor.d/profiles-a-l/git
index d463cb34f..b67ca527d 100644
--- a/apparmor.d/profiles-a-l/git
+++ b/apparmor.d/profiles-a-l/git
@@ -66,6 +66,7 @@ profile git @{exec_path} {
/{usr/,}bin/meld rPUx,
/{usr/,}bin/sensible-editor rCx -> editor,
+ /{usr/,}bin/vim rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
owner @{HOME}/.gitconfig rw,
@@ -144,6 +145,7 @@ profile git @{exec_path} {
include
/{usr/,}bin/sensible-editor mr,
+ /{usr/,}bin/vim mrix,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
diff --git a/apparmor.d/profiles-m-z/sensors b/apparmor.d/profiles-m-z/sensors
index 02882a777..43cf3cf77 100644
--- a/apparmor.d/profiles-m-z/sensors
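Review bot: The new `owner @{HOME}/{,**} rw,` (together with `/media/*` and `/mnt/*`) gives the recent-files backend write access to the user's entire home directory, including shell rc files and key material, so a flaw in gvfsd-recent would let an attacker modify `~/.bashrc` or `~/.ssh/`; for file access the profile is no longer stronger than an unconfined user process. If the backend really has to proxy arbitrary recently-used files, consider at least pairing the grant with the repository's private-files deny abstraction (if one exists) or dropping `w` where write-through is not actually exercised — confirm against the denials that motivated it. The comment `# Full access to user's data` should state the reason, e.g. `# Exposes files listed in recently-used.xbel, which can live anywhere under HOME or on removable media`. The added `owner @{HOME}/.zshenv r,` (and the `@{user_share_dirs}` lines, if that variable resolves under HOME) are now subsumed by the blanket rule and only survive as documentation.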
+++ b/apparmor.d/profiles-m-z/sensors
@@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
+# 2021 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
abi ,
@@ -27,6 +28,7 @@ profile sensors @{exec_path} {
@{sys}/devices/virtual/hwmon/hwmon[0-9]*/fan[0-9]_label r,
@{sys}/devices/**/hwmon*/{,**/} r,
@{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
+ @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r,
@{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
# file_inherit
diff --git a/apparmor.d/profiles-m-z/xclip b/apparmor.d/profiles-m-z/xclip
index 620c04233..4691894af 100644
--- a/apparmor.d/profiles-m-z/xclip
+++ b/apparmor.d/profiles-m-z/xclip
@@ -11,6 +11,7 @@ include
@{exec_path} = /{usr/,}bin/xclip
profile xclip @{exec_path} {
include
+ network unix stream,
@{exec_path} mr,
diff --git a/apparmor.d/profiles-m-z/xdg-dbus-proxy b/apparmor.d/profiles-m-z/xdg-dbus-proxy
index 0e4324912..885bb868c 100644
--- a/apparmor.d/profiles-m-z/xdg-dbus-proxy
+++ b/apparmor.d/profiles-m-z/xdg-dbus-proxy
@@ -10,9 +10,12 @@ include
profile xdg-dbus-proxy @{exec_path} flags=(complain) {
include
- @{exec_path} r,
+ @{exec_path} mr,
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
+ owner @{run}/user/@{pid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
+
+ /dev/dri/card[0-9]* rw,
include if exists
}
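Review bot: The new `{in[0-9]_label,in[0-9]_min,in[0-9]_max}` alternatives in the sensors hunk match only single-digit voltage channels, whereas hwmon drivers on chips with many inputs expose `in10_*` and higher, which would still be denied. `@{sys}/devices/**/hwmon*/in[0-9]{,[0-9]}_{label,min,max} r,` covers those and is shorter (the `in*_input` files are already allowed by the `*_input` rule above it). The unchanged `fan[0-9]_label` context line has the same single-digit limit, but it is outside this change.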
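Review bot: `owner @{run}/user/@{pid}/webkitgtk/...` in the xdg-dbus-proxy hunk uses `@{pid}` for the per-user runtime directory, but `/run/user/<N>` is keyed by UID, not process ID; every other profile in this diff writes that path as `@{run}/user/[0-9]*/`, so for consistency (and to avoid depending on whatever numeric range `@{pid}` expands to) this should be `owner @{run}/user/[0-9]*/webkitgtk/dbus-proxy-[0-9A-Z]* rw,`. The added `/dev/dri/card[0-9]* rw,` is surprising for a D-Bus proxy, which does no rendering; it is probably a descriptor inherited from the WebKit process that exec'd the proxy, in which case the denial is harmless and the rule could be omitted or recorded under a `# file_inherit` comment (the convention the sensors profile uses) instead of granting write access to the GPU node — check the log. The profile is still `flags=(complain)`, so none of these rules are enforced yet.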