diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index cd7e9e8f1..175fa8b2d 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@@ -16,6 +16,7 @@ include include + include include include include
diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings
index 870d4cfe4..cb7edf822 100644
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} {
 @{exec_path} r,
- @{sh_path} rix,
+ @{sh_path} r,
 @{bin}/{,e}grep rix,
 @{bin}/basename rix,
 @{bin}/cat ix,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index ae9b4cb7f..e4d2e9a2c 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -26,9 +26,9 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 @{exec_path} mrix,
- @{sh_path} rix,
+ @{sh_path} rix,
- @{bin}/gsettings rix,
+ @{bin}/gsettings rPx,
 @{open_path} rPx -> child-open-browsers,
 owner @{user_cache_dirs}/dconf/user rw,
diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord
index ddcd99add..8765084ff 100644
--- a/apparmor.d/profiles-a-f/discord
+++ b/apparmor.d/profiles-a-f/discord
@@ -13,7 +13,7 @@ include
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 @{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB}
-profile discord @{exec_path} {
+profile discord @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -31,13 +31,15 @@ profile discord @{exec_path} {
 @{exec_path} mrix,
 @{sh_path} rix,
- @{bin}/lsb_release rPx,
 @{lib_dirs}/chrome-sandbox rix,
 @{lib_dirs}/chrome_crashpad_handler rix,
+ @{bin}/lsb_release rPx,
+ @{bin}/xdg-mime rPx,
 @{open_path} rPx -> child-open-strict,
+ /etc/ r,
 /etc/lsb-release r,
 owner @{user_videos_dirs}/{,**} rwl,
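Review bot: Dropping `ix` from `@{sh_path}` in the xdg-settings hunk leaves the script able to load its interpreter but not to exec a shell again, and this same patch stacks xdg-settings under several Electron profiles (`//&xdg-settings`), so any `sh -c` or `exec sh` path inside xdg-settings or the xdg-utils helpers it sources will now be denied under the stack as well. That may be exactly the intent, but it is the kind of tightening that only shows up at runtime, so confirm with aa-log on a real `xdg-settings get default-web-browser` run before the stacked profiles leave complain mode. Recording the intent next to the rule, e.g. `# interpreter load only; the script must not re-exec a shell`, would stop the next contributor from restoring `rix` on the first denial. The rule block this line belongs to starts before the hunk.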
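Review bot: In the mullvad-gui hunk the `@{sh_path} rix,` line is removed and re-added with identical visible text, so that part of the change is whitespace-only (indentation or trailing space) and adds noise; if a permission change like the `rix`→`r` made to xdg-settings in this same patch was meant here, it was lost. Moving gsettings from `rix` to `rPx` is the right direction, but `Px` denies the exec outright when no `gsettings` profile is loaded, so this assumes that profile ships alongside; it is not visible in this diff, which is worth a line in the commit message.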
@@ -52,6 +54,7 @@ profile discord @{exec_path} {
 owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
+ owner @{PROC}/@{pid}/mem r,
 owner @{PROC}/@{pid}/task/@{tid}/comm r,
 include if exists
diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop
index 05a900889..91de37e58 100644
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@@ -30,11 +30,9 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{sh_path} r,
- @{open_path} rPx -> child-open-strict,
- #aa:stack X xdg-settings
 @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings,
+ @{open_path} Px -> child-open-strict,
 /usr/share/webapps/element/{,**} r,
diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube
index 8250cf8aa..f4284873d 100644
--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@@ -34,10 +34,9 @@ profile freetube @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{open_path} rPx -> child-open-strict,
- #aa:stack X xdg-settings
 @{bin}/xdg-settings rPx -> freetube//&xdg-settings,
+ @{open_path} rPx -> child-open-strict,
 deny @{sys}/devices/@{pci}/usb@{int}/** r,
 deny /dev/ r,
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq
index dd653bd61..08b8cf7a1 100644
--- a/apparmor.d/profiles-g-l/linuxqq
+++ b/apparmor.d/profiles-g-l/linuxqq
@@ -17,7 +17,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 network netlink raw,
 network netlink dgram,
diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail
index c6d309a94..c2c81d4da 100644
--- a/apparmor.d/profiles-m-r/protonmail
+++ b/apparmor.d/profiles-m-r/protonmail
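Review bot: `owner @{PROC}/@{pid}/mem r` in the discord hunk is not a self-only rule: `@{pid}` matches any pid, so it grants a read of the address space of every same-uid process, gated only by the kernel's ptrace access check on `/proc/<pid>/mem` and by whatever `ptrace` rules this profile carries outside the hunk. If the intent is crashpad or self-inspection, say so and name the gate, e.g. `# any pid: cross-process reads stay subject to ptrace_may_access and this profile's ptrace rules`, so that a later widening of the ptrace rules does not silently turn this into a memory-scraping primitive. No `ptrace` rule for discord is visible in this patch, so I cannot tell what the effective scope is today.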
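Review bot: The re-added `@{open_path} Px -> child-open-strict,` in element-desktop drops the `r` that freetube keeps on the very same rule in this patch (`@{open_path} rPx -> child-open-strict,`), so two Electron profiles now spell one transition two ways; protonmail uses bare `Px` as well. `Px` alone is enough for the transition, so this is a consistency point rather than a bug, but a single convention (the repository's other hunks lean to `rPx`) would avoid churn every time these profiles are re-synced. If exec-only is deliberate for element-desktop, a short comment such as `# exec-only: the child profile reads the script` would make that clear.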
@@ -13,7 +13,7 @@ include
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton*
-profile protonmail @{exec_path} flags=(complain) {
+profile protonmail @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -24,12 +24,13 @@ profile protonmail @{exec_path} flags=(complain) {
 network inet6 dgram,
 network netlink raw,
- ptrace read peer=xdg-settings,
+ ptrace read peer=protonmail//&xdg-settings,
 @{exec_path} mrix,
- @{bin}/xdg-settings Px,
- @{open_path} Px -> child-open,
+ #aa:stack X xdg-settings
+ @{bin}/xdg-settings rPx -> protonmail//&xdg-settings,
+ @{open_path} Px -> child-open,
 owner @{user_config_dirs}/ibus/bus/ r,
@@ -38,7 +39,6 @@ profile protonmail @{exec_path} flags=(complain) {
 owner @{tmp}/gtkprint_ppd_@{rand6} rw,
 include if exists
-
 }
 # vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop
index b6a477707..0bedb90e1 100644
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@@ -21,7 +21,6 @@ profile signal-desktop @{exec_path} {
 include
 include
 include
- include
 include
 include
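Review bot: Replacing `flags=(complain)` with `flags=(attach_disconnected)` on the protonmail header takes the profile out of complain mode in the source, and nothing in this patch's `dists/flags/main.flags` hunks adds a protonmail line (the hunks shown touch discord and signal-desktop only), so unless an unshown line there already lists it, protonmail goes enforcing with the handful of rules visible here. If that is intended, the commit message should say it was verified against aa-log; otherwise add `protonmail attach_disconnected,complain` to main.flags, as this same change does for discord. The ptrace peer update to `protonmail//&xdg-settings` matches the stacked label introduced in the second hunk and is consistent with the signal-desktop change.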
@@ -31,31 +30,19 @@ profile signal-desktop @{exec_path} {
 network inet6 stream,
 network netlink raw,
+ ptrace read peer=signal-desktop//&xdg-settings,
+ @{exec_path} mrix,
- @{bin}/getconf rix,
- @{open_path} rPx -> child-open-strict,
+ @{lib_dirs}/chrome_crashpad_handler rix,
+ @{lib_dirs}/chrome-sandbox rPx,
 #aa:stack X xdg-settings
 @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings,
-
- audit @{lib_dirs}/chrome-sandbox rPx,
- @{lib_dirs}/chrome_crashpad_handler rix,
+ @{open_path} rPx -> child-open-strict,
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
- @{sys}/fs/cgroup/user.slice/cpu.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
- owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
-
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/vmstat r,
-
- /dev/tty rw,
- include if exists
 }
diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat
index 5764deb77..ccff2f95f 100644
--- a/apparmor.d/profiles-s-z/wechat
+++ b/apparmor.d/profiles-s-z/wechat
@@ -17,7 +17,6 @@ profile wechat @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 network netlink raw,
 network netlink dgram,
diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage
index e7eabe6ec..07f67fb59 100755
--- a/apparmor.d/profiles-s-z/wechat-appimage
+++ b/apparmor.d/profiles-s-z/wechat-appimage
@@ -17,7 +17,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
 network netlink raw,
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal
index 3824f9526..b1c8aded2 100644
--- a/apparmor.d/profiles-s-z/wechat-universal
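Review bot: The signal-desktop hunk keeps the Chromium sandbox transition (`@{lib_dirs}/chrome-sandbox rPx`, `chrome_crashpad_handler rix`), yet the profile header shown as hunk context, `profile signal-desktop @{exec_path} {`, carries no `flags=(attach_disconnected)`, and this same patch deletes the `signal-desktop attach_disconnected,complain` line from dists/flags/main.flags that used to supply the flag at build time. Every other Electron profile touched here (discord, element-desktop, freetube, protonmail, linuxqq, the wechat variants) has attach_disconnected on its header, and the sandbox typically runs in its own namespaces, so unless the header was changed in a hunk not shown, signal-desktop will start producing disconnected-path denials as soon as it is enforced; the fix is `profile signal-desktop @{exec_path} flags=(attach_disconnected) {`. Dropping the `audit` prefix on the sandbox transition is reasonable now that the profile leaves complain, but the removed cgroup `cpu.max`/`memory.*`, `@{PROC}/vmstat` and `/dev/tty` rules should be re-checked against aa-log on the current Signal build before relying on them being unneeded. The profile header itself lies outside this hunk.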
+++ b/apparmor.d/profiles-s-z/wechat-universal
@@ -18,7 +18,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 network netlink raw,
 network netlink dgram,
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 22e9a1447..a62a6847d 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -75,7 +75,7 @@ deb-systemd-invoke complain
 debconf-escape complain
 decibels complain
 dino attach_disconnected,complain
-discord complain
+discord attach_disconnected,complain
 discord-chrome-sandbox complain
 DiscoverNotifier complain
 dkms attach_disconnected,complain
@@ -281,8 +281,6 @@ sddm attach_disconnected,mediate_deleted,complain
 sddm-greeter complain
 secure-time-sync attach_disconnected,complain
 sftp-server complain
-signal-desktop attach_disconnected,complain
-signal-desktop-chrome-sandbox complain
 sing-box complain
 slirp4netns attach_disconnected,complain
 snap complain
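Review bot: Removing both `signal-desktop attach_disconnected,complain` and `signal-desktop-chrome-sandbox complain` flips the main profile and its sandbox child to enforce in a single step, while the same patch also strips the cgroup, `@{PROC}/@{pid}/fd/`, `@{PROC}/vmstat` and `/dev/tty` rules from signal-desktop, so any of those accesses that still happen become hard denials rather than log lines. Landing the rule cleanup first while still in complain, and dropping these two lines in a follow-up once aa-log is clean, is the safer sequencing; if that verification already happened, the commit message should say so. Note also that the discord line here gains attach_disconnected in step with its new profile header, whereas signal-desktop loses its only visible source of that flag.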