diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index a0d5b08f9..5a0885143 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -29,8 +29,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{bin}/as rix,
   @{bin}/bc rix,
   @{bin}/clang-@{version} rix,
-  @{bin}/gcc rix,
   @{bin}/g++ rix,
+  @{bin}/gcc rix,
   @{bin}/getconf rix,
   @{bin}/kill rix,
   @{bin}/kmod rCx -> kmod,
@@ -44,8 +44,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{bin}/readelf rix,
   @{bin}/rpm rPUx,
   @{bin}/strip rix,
-  @{sbin}/update-secureboot-policy rPUx,
+  @{bin}/xz rix,
   @{bin}/zstd rix,
+  @{sbin}/update-secureboot-policy rPUx,
   @{lib}/gcc/@{multiarch}/@{version}/* rix,
   @{lib}/linux-kbuild-*/scripts/** rix,
diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp
index b335650d8..67b625d62 100644
--- a/apparmor.d/profiles-g-l/gimp
+++ b/apparmor.d/profiles-g-l/gimp
@@ -28,6 +28,7 @@ profile gimp @{exec_path} {
   @{python_path} rix,
   @{bin}/env rix,
+  @{bin}/gimp-debug-tool-3.0 rix,
   @{bin}/gimp-script-fu-interpreter-* rix,
   @{bin}/gjs-console rix,
   @{bin}/lua rix,
@@ -41,6 +42,7 @@ profile gimp @{exec_path} {
   /usr/share/gimp/{,**} r,
   /usr/share/mypaint-data/{,**} r,
+  /usr/share/poppler/{,**} r,
   /usr/share/xml/iso-codes/{,**} r,
   /etc/fstab r,
@@ -68,6 +70,8 @@ profile gimp @{exec_path} {
   owner @{tmp}/gimp/{,**} rw,
+  @{run}/mount/utab r,
+
   @{sys}/fs/cgroup/user.slice/cpu.max r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index b21642cf8..4bed50f13 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -81,6 +81,7 @@ profile libreoffice @{exec_path} {
   /etc/papersize r,
   /etc/xdg/* r,
+  /var/tmp/ r,
   owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w,
   owner @{user_cache_dirs}/libreoffice/{,**} rw,
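Review bot: `@{bin}/gimp-debug-tool-3.0 rix,` runs the crash-debug helper inside gimp's own profile, and nothing in this hunk grants the ptrace or debugger execution such a tool is likely to need, so it will probably start failing with denials the first time it is actually used; confirm against what gimp-debug-tool spawns. The sibling rule just below uses an unpinned glob (`@{bin}/gimp-script-fu-interpreter-* rix,`), so `@{bin}/gimp-debug-tool-* rix,` would be consistent with it and survive the next minor version. If the tool does launch a debugger, a dedicated child profile (`@{bin}/gimp-debug-tool-* rCx -> gimp-debug-tool,`) keeps those rights out of the main gimp profile. The gimp profile block continues outside the hunk.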
@@ -93,7 +94,7 @@ profile libreoffice @{exec_path} {
   owner @{user_share_dirs}/#@{int} rw,
   owner @{user_share_dirs}/user-places.xbel r,
-  owner @{tmp}/ r,
+  @{tmp}/ r,
   owner @{tmp}/.java_pid@{int}{,.tmp} rw,
   owner @{tmp}/@{hex} rw,
   owner @{tmp}/@{rand6} rwk,
diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks
index aeb125ef2..5896df049 100644
--- a/apparmor.d/profiles-m-r/initramfs-hooks
+++ b/apparmor.d/profiles-m-r/initramfs-hooks
@@ -25,10 +25,10 @@ profile initramfs-hooks @{exec_path} {
   @{lib}/klibc/bin/fstype ix,
   /usr/share/mdadm/mkconf Px,
-  @{bin}/* r,
-  @{sbin}/* r,
+  @{bin}/* mr,
+  @{sbin}/* mr,
   @{lib}/ r,
-  @{lib}/** r,
+  @{lib}/** mr,
   /usr/share/initramfs-tools/{,**} r,
   /usr/share/plymouth/{,**} r,
diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf
index 8139ac68e..c922942ec 100644
--- a/apparmor.d/profiles-m-r/mdadm-mkconf
+++ b/apparmor.d/profiles-m-r/mdadm-mkconf
@@ -19,6 +19,7 @@ profile mdadm-mkconf @{exec_path} {
   @{sbin}/mdadm Px,
   /etc/default/mdadm r,
+  /etc/mdadm/mdadm.conf r,
   / r,
diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi
index 9ea391400..1d6d62e2b 100644
--- a/apparmor.d/profiles-m-r/nvidia-smi
+++ b/apparmor.d/profiles-m-r/nvidia-smi
@@ -25,7 +25,7 @@ profile nvidia-smi @{exec_path} {
   /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511
   /dev/nvidia-caps/ rw,
-  /dev/nvidia-caps/nvidia-cap@{int} r,
+  /dev/nvidia-caps/nvidia-cap@{int} rw,
   /dev/nvidia-uvm rw,
   /dev/nvidia-uvm-tools r,
diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama
index 7b5521802..73447e33e 100644
--- a/apparmor.d/profiles-m-r/ollama
+++ b/apparmor.d/profiles-m-r/ollama
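Review bot: Widening `@{bin}/*`, `@{sbin}/*` and `@{lib}/**` from `r` to `mr` lets the hook map any file under those trees as executable memory, which is far broader than the named `ix` helpers above them get, and the hunk carries no comment saying what needs it. If this is for the dynamic loader resolving library dependencies while the hooks copy binaries into the initramfs (an assumption — confirm from the denial that motivated it), record it inline, e.g. `# ld.so maps binaries/libraries while resolving dependencies for copy_exec`, so the next reviewer does not narrow it back. If only the loader itself needs `m`, `@{lib}/@{multiarch}/ld-linux-*.so* mr,` with plain `r` on the rest would be tighter. The initramfs-hooks profile block continues outside the hunk.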
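Review bot: Adding `w` on `/dev/nvidia-caps/nvidia-cap@{int}` covers every capability node under that glob, which reportedly includes the one gating MIG reconfiguration, so the profile now allows more than read-only monitoring and the hunk does not say whether nvidia-smi needs that only for its `mig` subcommands. The neighbouring rule documents its reason (`# For dynamic assignment range …`), so this one should too, e.g. `/dev/nvidia-caps/nvidia-cap@{int} rw, # MIG config/monitor caps; w for nvidia-smi mig changes` (assumption — confirm against the denial that prompted it). The nvidia-smi profile block continues outside the hunk.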
@@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/ollama@{int}/{,**} rw,
   owner @{tmp}/ollama@{int}/runners/{,**} mr,
+  @{sys}/devices/@{pci}/drm/card@{int}/ r,
+  @{sys}/devices/@{pci}/drm/card@{int}/*/ r,
+  @{sys}/devices/@{pci}/mem_info_vram_total r,
+  @{sys}/devices/@{pci}/mem_info_vram_used r,
   @{sys}/devices/@{pci}/numa_node r,
   @{sys}/devices/system/node/node@{int}/cpumap r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
   @{PROC}/devices r,
   @{PROC}/sys/net/core/somaxconn r,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index 43f27b2fc..636f41754 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -30,10 +30,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+platform:* r,
   @{run}/udev/data/+power_supply:* r,
+  @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
+  @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
   @{sys}/bus/ r,
   @{sys}/bus/platform/devices/ r,
   @{sys}/class/ r,
+  @{sys}/class/drm/ r,
   @{sys}/class/power_supply/ r,
   @{sys}/devices/**/power_supply/*/scope r,
   @{sys}/devices/**/uevent r,
diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher
index 652a7d9ed..0267d6889 100644
--- a/apparmor.d/profiles-s-z/speech-dispatcher
+++ b/apparmor.d/profiles-s-z/speech-dispatcher
@@ -20,16 +20,20 @@ profile speech-dispatcher @{exec_path} {
   @{exec_path} mr,
   @{sh_path} ix,
+  @{lib}/speech-dispatcher-modules/* ix,
   @{lib}/speech-dispatcher/** r,
   @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
   /etc/machine-id r,
   /etc/speech-dispatcher/{,**} r,
+  owner @{user_config_dirs}/speech-dispatcher/{,**} r,
+  owner @{run}/user/@{uid}/speech-dispatcher/ rw,
   owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
-  owner @{user_config_dirs}/speech-dispatcher/{,**} r,
+  owner /dev/shm/sem.@{rand6} rw,
+  owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6},
   include if exists
 }
diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator
index 679a0fd32..5c79d0efe 100644
--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/terminator
 profile terminator @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
   include
   include
diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells
index 46b6699c8..5922c1a14 100644
--- a/apparmor.d/profiles-s-z/update-shells
+++ b/apparmor.d/profiles-s-z/update-shells
@@ -17,12 +17,14 @@ profile update-shells @{exec_path} {
   @{bin}/chmod ix,
   @{bin}/chown ix,
   @{bin}/dirname ix,
-  @{bin}/dpkg-realpath ix,
+  @{bin}/dpkg-realpath rix,
   @{bin}/mv ix,
   @{bin}/sync ix,
+  @{bin}/readlink ix,
   /usr/share/debianutils/shells r,
   /usr/share/debianutils/shells.d/{,**} r,
+  /usr/share/dpkg/sh/dpkg-error.sh r,
   /etc/shells r,
   /etc/shells.tmp w,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index fa17f5b1b..aed85abe3 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
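Review bot: The pair `owner /dev/shm/sem.@{rand6} rw,` and `owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6},` encodes the create-temp-then-hard-link sequence glibc's sem_open() performs, but nothing says so, and without that context the `@{rand6}` glob in a shared /dev/shm looks arbitrary and invites later "simplification". A comment above the two lines such as `# sem_open(): glibc creates sem.XXXXXX then hard-links it to the final name` would pin the intent (that this is sem_open's behaviour is my reading — confirm against the denial that motivated it). Also `@{lib}/speech-dispatcher-modules/*` and `@{lib}/speech-dispatcher/speech-dispatcher-modules/*` now both get `ix`; if the first is simply the relocated path of the second, a one-line comment naming which distribution uses which would help the next reader.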
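Review bot: `@{bin}/readlink ix,` is appended after `@{bin}/sync ix,`, breaking the alphabetical order the rest of the exec list keeps (chmod, chown, dirname, dpkg-realpath, mv, sync); move it between `mv` and `sync`. Changing `dpkg-realpath` to `rix` alongside the added `/usr/share/dpkg/sh/dpkg-error.sh r,` is coherent if both are shell sources the interpreter must read, but the asymmetry with the plain `ix` binaries around it is undocumented; `@{bin}/dpkg-realpath rix, # shell script, interpreter needs r` would make it deliberate (that it is a script is an assumption — confirm). The update-shells profile block continues outside the hunk.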
@@ -84,6 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
   owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
+  @{run}/libvirt/libvirt-sock rw,
   @{run}/mount/utab r,
   @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie
index 16a0e5a5e..0c03f4a76 100644
--- a/apparmor.d/profiles-s-z/whoopsie
+++ b/apparmor.d/profiles-s-z/whoopsie
@@ -25,6 +25,8 @@ profile whoopsie @{exec_path} {
   owner @{run}/lock/whoopsie/ rw,
   owner @{run}/lock/whoopsie/lock rwk,
+  @{sys}/devices/virtual/dmi/id/product_uuid r,
+
   include if exists
 }
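Review bot: `@{run}/libvirt/libvirt-sock rw,` grants the system-wide libvirt socket without `owner`, while the two session rules right above it are `owner`-scoped; dropping `owner` is the only way this can work (the system socket is not user-owned), but it appears to extend the profile from the session daemon to the system one and the hunk does not say so. A comment such as `# System daemon socket (qemu:///system); who may connect is decided by libvirtd, not by this profile` would make the scope explicit — that libvirtd enforces its own access control on that socket is an assumption to confirm. The virt-manager profile block continues outside the hunk.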
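Review bot: `@{sys}/devices/virtual/dmi/id/product_uuid r,` hands the crash reporter a stable, hardware-bound identifier, a privacy-relevant grant the hunk leaves unexplained. If whoopsie uses it to derive the system identifier attached to reports (my reading of its purpose — confirm), say so inline: `@{sys}/devices/virtual/dmi/id/product_uuid r, # Hashed into the report's system identifier`. product_uuid is normally readable only by root, so if whoopsie drops privileges this rule may never be exercised; worth checking which uid produced the denial before keeping it. The whoopsie profile block starts outside the hunk.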