diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open
index 73b2e4580..8c74d1f08 100644
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@@ -60,6 +60,8 @@
   # Backup
   @{lib}/deja-dup/deja-dup-monitor PUx,
+  @{bin}/gnome-session-quit rPx,
+
   include if exists
 
   # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 602651587..73cb82070 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -98,6 +98,7 @@
   owner @{tmp}/@{name}/* rwk,
   owner @{tmp}/firefox/ rw,
   owner @{tmp}/firefox/* rwk,
+  owner @{tmp}/remote-settings-startup-bundle- w,
   owner @{tmp}/Temp-@{uuid}/ rw,
   owner @{tmp}/Temp-@{uuid}/* rwk,
   owner @{tmp}/tmp-*.xpi rw,
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
index d15d5c5ba..feaced7c3 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@@ -5,6 +5,10 @@
   abi ,
 
   #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue
+  dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=org.freedesktop.DBus, label=geoclue),
   dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
        interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app
index f2201bd64..cc802ef06 100644
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@@ -34,8 +34,7 @@
   dbus bus=session,
   dbus bus=system,
 
-  /usr/cache/** r,
-  /usr/local/{,**} r,
+  /usr/** r,
   /usr/share/** rk,
   /etc/{,**} r,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index 10655740a..7fc20c293 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
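Review bot: The new `@{bin}/gnome-session-quit rPx,` is placed directly under the `# Backup` heading next to deja-dup-monitor, but it is a session-management tool, so the heading now mislabels it; put a heading line of its own before it, e.g. `# Session`, or move it to an existing desktop/session group in the file. Note also that `rPx`, unlike the `PUx` on the line above, has no unconfined fallback: on a host where no `gnome-session-quit` profile is loaded, the exec is denied from every profile that includes this abstraction rather than running unconfined. That is the stricter and presumably intended choice, but a one-line comment saying the dedicated profile is required would spare the next reader from "fixing" it to `PUx`.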
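Review bot: `owner @{tmp}/remote-settings-startup-bundle- w,` ends in a bare hyphen and so matches only a file literally named that; if Firefox appends a random suffix to this prefix, as the neighbouring `Temp-@{uuid}` and `tmp-*.xpi` rules show it does for similar temp files, the rule will never match and the denial it was written for will persist. Confirm the exact name from the audit log and, if it is suffixed, widen it to the observed shape, e.g. `owner @{tmp}/remote-settings-startup-bundle-@{rand6} w,`. The rule also grants `w` without `r`, which is fine if Firefox only writes the bundle; a short trailing comment stating that would save the next reader a check.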
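Review bot: The added `dbus send … member=PropertiesChanged` rule has no comment explaining why a GeoClue2 client emits a signal on the `/org/freedesktop/GeoClue2/Agent` path, and since this abstraction is shared by every geoclue consumer the grant applies to all of them. A one-liner above it such as `# Clients exporting an Agent object notify geoclue when an Agent property changes` would justify the rule; presumably the property is the agent's accuracy level, but confirm that from the denial rather than from memory. The peer is pinned to `label=geoclue`, which is appropriately narrow, but please verify the `name=org.freedesktop.DBus` form is what the audit log actually reported for this emitted signal rather than a mirror of the receive rule below, whose tail continues outside the hunk.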
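Review bot: `/usr/** r,` replaces two narrow prefixes (`/usr/cache/**`, `/usr/local/{,**}`) with read access to the entire /usr tree for every profile that includes `common/app`, and the hunk carries no comment explaining why the broader grant is needed. If the intent is that distro-managed files under /usr are world-readable anyway and DAC still applies, say so in a comment above the rule, e.g. `# /usr is distro-managed and world-readable; DAC still applies`; if the intent was only to cover specific subdirectories that were being denied, keep a narrower pattern. With this line in place the `r` in `/usr/share/** rk,` on the next line is redundant (harmless, but `k` alone would avoid the overlap). As a side note, `**` does not match the empty string, which is why the removed line used `{,**}`; `/usr/` itself is still not readable under the new rule, the same as before.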
@@ -32,7 +32,7 @@
   # If one is blocked the next is used instead.
   # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag.
   owner @{run}/user/@{uid}/orcexec.@{rand6} mrw,
-  #owner /tmp/orcexec.* mrw,
+  owner @{tmp}/orcexec.@{rand6} mrw,
   #owner @{HOME}/orcexec.* mrw,
 
   @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit
index c4410d026..9481d4fec 100644
--- a/apparmor.d/abstractions/webkit
+++ b/apparmor.d/abstractions/webkit
@@ -8,7 +8,7 @@
   mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
 
-  @{bin}/xdg-dbus-proxy rix,
+  @{bin}/xdg-dbus-proxy rix, # TODO: stack me
   @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
   @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
@@ -26,6 +26,8 @@
   owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
   owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
+  @{sys}/firmware/acpi/pm_profile r,
+
   include if exists
 
   # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine
index 139b03450..28d15cf76 100644
--- a/apparmor.d/abstractions/wine
+++ b/apparmor.d/abstractions/wine
@@ -11,6 +11,7 @@
   owner @{tmp}/.wine-@{uid}/ rw,
   owner @{tmp}/.wine-@{uid}/** rwk,
+  owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m,
   owner /dev/shm/wine-@{hex6}-fsync rw,
   owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
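Review bot: `owner @{tmp}/orcexec.@{rand6} mrw,` grants write and mmap-exec on the same file in a shared temp directory, i.e. an explicit write-then-execute path; that is intrinsic to ORC's JIT and the `@{run}/user/@{uid}` line above already does the same, but since this hunk turns a commented-out rule into a live one the comment block should state it, e.g. `# ORC JIT writes generated code here and maps it executable, so w+m on one file is required`. The existing comment says the `/tmp` location is only used when the runtime dir is blocked and mentions `noexec`; if `/tmp` is mounted noexec the `m` will still fail in the kernel regardless of this rule, which is worth one sentence so nobody expects the rule alone to fix that case. Keeping the `owner` qualifier and the `@{rand6}` shape consistent with the runtime-dir rule is the right call.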