diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index b83c2d166..14e3dfb72 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -46,7 +46,7 @@
 /etc/machine-id r,
 /var/db/sudo/lectured/ r,
- owner /var/lib/sudo/ts/ rw,
+ owner /var/lib/sudo/ts/ rw,
 owner /var/lib/sudo/ts/@{uid} rwk,
 owner /var/log/sudo.log wk,
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
index ddbf4d1de..17ea4e45a 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@@ -18,7 +18,7 @@
 interface=org.freedesktop.DBus.Properties
 member=GetAll
 peer=(name="@{busname}", label=geoclue),
-
+
 dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index 3a2b0c591..fca42427d 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# A minimal set of rules for sandboxed programs using bwrap.
+# A minimal set of rules for sandboxed programs using bwrap.
 # A profile using this abstraction still needs to set:
 # - the flag: attach_disconnected
 # - bwrap execution: '@{bin}/bwrap rix,'
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index 171815256..8134f8681 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@@ -2,8 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Minimal set of rules for all electron based UI application. It works as a
-# *function* and requires some variables to be provided as *arguments* and set
+# Minimal set of rules for all electron based UI application. It works as a
+# *function* and requires some variables to be provided as *arguments* and set
 # in the header of the calling profile. Example:
 #
 # @{name} = spotify
diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game
index b3c66e035..b60e74a10 100644
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@@ -23,7 +23,7 @@
 owner @{share_dirs}/logs/* rwk,
 owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
 owner @{share_dirs}/steamapps/ r,
- owner @{share_dirs}/steamapps/appmanifest_* rw,
+ owner @{share_dirs}/steamapps/appmanifest_* rw,
 owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
 owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index 19ffe647e..a856cbd37 100644
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@@ -21,7 +21,7 @@
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 /usr/{local/,}share/ r,
diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri
index af634ff91..dd8f7b55a 100644
--- a/apparmor.d/abstractions/dri
+++ b/apparmor.d/abstractions/dri
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # The Direct Rendering Infrastructure (DRI) is the framework comprising the modern
-# Linux graphics stack which allows unprivileged user-space programs to issue
+# Linux graphics stack which allows unprivileged user-space programs to issue
 # commands to graphics hardware without conflicting with other programs.
 abi ,
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index 27d648247..9862ca5e7 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -13,7 +13,7 @@
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 /usr/share/desktop-base/{,**} r,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index c7827b599..de2adb332 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -9,7 +9,6 @@
 @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
 @{lib}/frei0r-@{int}/*.so mr,
- # FIXME: not compatible with FSP mode due conflicting x modifiers
 @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
 @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix,
 @{lib}/gstreamer-1.0/gst-plugin-scanner rix,
@@ -40,7 +39,7 @@
 @{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
 @{run}/udev/data/c81:@{int} r, # For video4linux
- @{run}/udev/data/c189:@{int} r, # For USB serial converters
+ @{run}/udev/data/c189:@{int} r, # For USB serial converters
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
 @{sys}/bus/ r,
diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt
index c1633033f..f20c24a32 100644
--- a/apparmor.d/abstractions/lxqt
+++ b/apparmor.d/abstractions/lxqt
@@ -18,7 +18,7 @@
 /usr/share/hwdata/pnp.ids r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
 /usr/share/lxqt/** r,
-
+
 owner @{HOME}/.Xdefaults r,
 owner @{user_cache_dirs}/lxqt-notificationd/* r,
diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim
index 88d75ec15..4a40e965e 100644
--- a/apparmor.d/abstractions/uim
+++ b/apparmor.d/abstractions/uim
@@ -6,12 +6,12 @@
 abi ,
 /usr/share/uim/* r,
-
+
 /var/lib/uim/* r,
-
+
 owner @{HOME}/.uim.d/customs/* r,
 owner @{HOME}/.XCompose r,
-
+
 owner @{run}/user/@{uid}/uim/socket/uim-helper rw,
 include if exists
diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
index e85bdcba3..be897ee9e 100644
--- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
+++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
@@ -22,7 +22,7 @@ profile akonadi_followupreminder_agent @{exec_path} {
 owner @{user_config_dirs}/akonadi_followupreminder_agentrc r,
 owner @{user_config_dirs}/akonadi/ rw,
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
-
+
 /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource
index 465eebd33..5f37f797c 100644
--- a/apparmor.d/groups/akonadi/akonadi_ical_resource
+++ b/apparmor.d/groups/akonadi/akonadi_ical_resource
@@ -22,7 +22,7 @@ profile akonadi_ical_resource @{exec_path} {
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
 owner @{user_share_dirs}/apps/korganizer/{,**} rw,
-
+
 /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
index 37612c9ca..d1a2f008f 100644
--- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
@@ -34,7 +34,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
 owner @{user_config_dirs}/emailidentities* rwl,
 owner @{user_config_dirs}/kmail2rc r,
-
+
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/akonadi_mailfilter_agent.* rwl,
diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent
index b3541299a..55fedf4ea 100644
--- a/apparmor.d/groups/akonadi/akonadi_migration_agent
+++ b/apparmor.d/groups/akonadi/akonadi_migration_agent
@@ -20,7 +20,7 @@ profile akonadi_migration_agent @{exec_path} {
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
 owner @{user_share_dirs}/akonadi_migration_agent/{,**} rw,
-
+
 /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper
index f02c01819..5a2d7dd55 100644
--- a/apparmor.d/groups/apt/apt-helper
+++ b/apparmor.d/groups/apt/apt-helper
@@ -22,7 +22,7 @@ profile apt-helper @{exec_path} {
 profile systemctl {
 include
 include
-
+
 capability net_admin,
 include if exists
diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key
index f73df39d1..12a7b3a67 100644
--- a/apparmor.d/groups/apt/apt-key
+++ b/apparmor.d/groups/apt/apt-key
@@ -78,7 +78,7 @@ profile apt-key @{exec_path} {
 @{bin}/gpg-connect-agent rix,
 /usr/share/gnupg/sks-keyservers.netCA.pem r,
-
+
 /etc/hosts r,
 /etc/inputrc r,
@@ -96,7 +96,7 @@ profile apt-key @{exec_path} {
 owner @{tmp}/apt-key-gpghome.*/ rw,
 owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
 owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w,
-
+
 owner @{run}/user/@{uid}/gnupg/d.*/ rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign
index b2f72f6cd..68d0d4184 100644
--- a/apparmor.d/groups/apt/debsign
+++ b/apparmor.d/groups/apt/debsign
@@ -34,7 +34,7 @@ profile debsign @{exec_path} {
 @{bin}/stty rix,
 @{bin}/gpg{,2} rCx -> gpg,
-
+
 /etc/devscripts.conf r,
 owner @{HOME}/.devscripts r,
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug
index dfc578117..8681e46d8 100644
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@@ -108,7 +108,7 @@ profile reportbug @{exec_path} {
 profile systemctl {
 include
 include
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher
index 343d3e0d0..0f6273107 100644
--- a/apparmor.d/groups/browsers/torbrowser-launcher
+++ b/apparmor.d/groups/browsers/torbrowser-launcher
@@ -37,7 +37,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) {
 @{bin}/tail ix,
 @{lib_dirs}/execdesktop ix,
- @{lib_dirs}/start-tor-browser Px, # torbrowser-start
+ @{lib_dirs}/start-tor-browser Px, # torbrowser-start
 @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,
 /usr/share/file/** r,
diff --git a/apparmor.d/groups/browsers/torbrowser-tor b/apparmor.d/groups/browsers/torbrowser-tor
index 73a111206..57a49add7 100644
--- a/apparmor.d/groups/browsers/torbrowser-tor
+++ b/apparmor.d/groups/browsers/torbrowser-tor
@@ -9,7 +9,7 @@ include
 @{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
 @{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
+@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
 profile torbrowser-tor @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index 3b8a1e143..bda678f88 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -4,7 +4,7 @@
 # Profile for system dbus, regardless of the dbus implementation used.
 # It does not specify an attachment path as it would be the same than
-# "dbus-session". It is intended to be used only via "Px ->" or via
+# "dbus-session". It is intended to be used only via "Px ->" or via
 # systemd drop-in AppArmorProfile= setting.
 abi ,
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index 0a8d7bdab..803f28a4a 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -18,7 +18,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia
index 315a5bf07..8681e91f4 100644
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@@ -9,7 +9,7 @@
 # and load the the nvidia kernel module.
 # Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
+# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
 # from other profiles.
 abi ,
diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any
index 58847a3e3..ea21f8487 100644
--- a/apparmor.d/groups/children/child-open-any
+++ b/apparmor.d/groups/children/child-open-any
@@ -31,7 +31,7 @@ profile child-open-any flags=(attach_disconnected) {
 / r,
 /usr/ r,
 /usr/local/bin/ r,
-
+
 /dev/tty rw,
 include if exists
diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib
index 8a87bd2af..ede030682 100644
--- a/apparmor.d/groups/cron/cron-cracklib
+++ b/apparmor.d/groups/cron/cron-cracklib
@@ -12,7 +12,7 @@ profile cron-cracklib @{exec_path} {
 include
 @{exec_path} r,
-
+
 @{sh_path} rix,
 @{bin}/logger rix,
 @{bin}/update-cracklib rPx,
diff --git a/apparmor.d/groups/cron/cron-etckeeper b/apparmor.d/groups/cron/cron-etckeeper
index 28a845cfe..2029f8842 100644
--- a/apparmor.d/groups/cron/cron-etckeeper
+++ b/apparmor.d/groups/cron/cron-etckeeper
@@ -12,7 +12,7 @@ profile cron-etckeeper @{exec_path} {
 include
 @{exec_path} r,
-
+
 @{sh_path} rix,
 @{bin}/rm rix,
 @{bin}/find rix,
diff --git a/apparmor.d/groups/cron/cron-sysstat b/apparmor.d/groups/cron/cron-sysstat
index 4ca22b6a1..20aaee7e5 100644
--- a/apparmor.d/groups/cron/cron-sysstat
+++ b/apparmor.d/groups/cron/cron-sysstat
@@ -12,7 +12,7 @@ profile cron-sysstat @{exec_path} {
 include
 @{exec_path} r,
-
+
 @{sh_path} rix,
 @{lib}/sysstat/sa2 rPx,
diff --git a/apparmor.d/groups/display-manager/lightdm-xsession b/apparmor.d/groups/display-manager/lightdm-xsession
index 69a49eecf..5653b42ef 100644
--- a/apparmor.d/groups/display-manager/lightdm-xsession
+++ b/apparmor.d/groups/display-manager/lightdm-xsession
@@ -32,7 +32,7 @@ profile lightdm-xsession @{exec_path} {
 profile systemctl {
 include
 include
-
+
 owner @{HOME}/.xsession-errors w,
 include if exists
diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession
index d2f005264..445531691 100644
--- a/apparmor.d/groups/display-manager/x11-xsession
+++ b/apparmor.d/groups/display-manager/x11-xsession
@@ -68,7 +68,7 @@ profile x11-xsession @{exec_path} {
 profile ssh-agent {
 include
-
+
 @{bin}/ssh-agent mr,
 @{sh_path} rix,
diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession
index 687e0e920..cfdaeed3f 100644
--- a/apparmor.d/groups/display-manager/xdm-xsession
+++ b/apparmor.d/groups/display-manager/xdm-xsession
@@ -106,7 +106,7 @@ profile xdm-xsession @{exec_path} {
 profile systemctl {
 include
 include
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 7ca73cd63..f53f4d164 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -41,7 +41,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
 owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk,
 owner link @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** -> @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/**,
 owner @{user_cache_dirs}/qtshadercache-*/* r,
-
+
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
 # owner /tmp/xauth_@{rand6} r,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index a5e27c7d1..d47b830e0 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -84,7 +84,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 /dev/fuse rw,
 @{att}/dev/tty@{int} rw,
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor
index cc6645590..b7fc6a5b0 100644
--- a/apparmor.d/groups/gnome/deja-dup-monitor
+++ b/apparmor.d/groups/gnome/deja-dup-monitor
@@ -6,7 +6,7 @@
 abi ,
 include
-@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
+@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
 profile deja-dup-monitor @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index c6494c95f..9f18395f2 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -51,7 +51,7 @@ profile evolution-addressbook-factory @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index 2cdae783d..03e77816c 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -73,7 +73,7 @@ profile gdm-xsession @{exec_path} {
 peer=(name=org.freedesktop.systemd1),
 @{bin}/dbus-update-activation-environment mr,
-
+
 owner @{HOME}/.xsession-errors w,
 /dev/tty rw,
diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes
index f44f42e63..0a5abe0a9 100644
--- a/apparmor.d/groups/gnome/gnome-boxes
+++ b/apparmor.d/groups/gnome/gnome-boxes
@@ -78,7 +78,7 @@ profile gnome-boxes @{exec_path} {
 @{bin}/virsh mr,
 @{bin}/pkttyagent r,
-
+
 owner @{run}/user/@{uid}/libvirt/ r,
 owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index 741be7709..97309c1a7 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -23,7 +23,7 @@ profile gnome-calendar @{exec_path} {
 #aa:dbus own bus=session name=org.gnome.Calendar
- #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
+ #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory
 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 20aa66cfb..00bc15f19 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -186,7 +186,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 include
 @{bin}/bwrap mr,
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 4695c87d4..1fa7d7050 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -70,7 +70,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
 include
 @{bin}/bwrap mr,
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 7c9a80777..f74afdeac 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -37,7 +37,7 @@ profile gnome-extension-ding @{exec_path} {
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=org.freedesktop.DBus, label=dbus-session),
 dbus send bus=session path=/org/freedesktop/DBus
diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session
index 597a47c12..cf17391bc 100644
--- a/apparmor.d/groups/gnome/gnome-session
+++ b/apparmor.d/groups/gnome/gnome-session
@@ -66,7 +66,7 @@ profile gnome-session @{exec_path} {
 include
 @{bin}/flatpak mr,
-
+
 /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index a2627c31b..a2dd6d908 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -315,7 +315,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
- @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
+ @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
 @{run}/udev/data/n@{int} r,
 @{sys}/**/uevent r,
@@ -374,13 +374,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 profile shell flags=(attach_disconnected,mediate_deleted) {
 include
-
+
 capability sys_ptrace,
 ptrace (read),
 @{sh_path} mr,
-
+
 @{bin}/pmap rix,
 @{bin}/grep rix,
@@ -414,7 +414,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
- owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+ owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index 357104e57..2f3e51670 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -30,7 +30,7 @@ profile gnome-shell-calendar-server @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index f462894bc..a75cfee63 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -154,10 +154,10 @@ profile gnome-software @{exec_path} {
 owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
 owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
-
+
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index 55e6b3736..6e8ae0d90 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@@ -17,7 +17,7 @@ profile gsd-disk-utility-notify @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index a8dc13b19..02237d932 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -79,7 +79,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 /dev/media@{int} r,
 /dev/video@{int} rw,
-
+
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp
index aa459250b..f0dd3b46c 100644
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@@ -34,7 +34,7 @@ profile yelp @{exec_path} {
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r,
-
+
 @{PROC}/zoneinfo r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index a681f2626..c1058c158 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -16,7 +16,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index 1e65e2183..1b5f74ae3 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -16,7 +16,7 @@ profile gvfs-goa-volume-monitor @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 dbus send bus=session path=/org/gnome/OnlineAccounts
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index a8d7ffb35..f2b534635 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -20,7 +20,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata
index 902bbf40e..f6f3820bb 100644
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@@ -21,7 +21,7 @@ profile gvfsd-metadata @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index 38819e872..03586b291 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -46,7 +46,7 @@ profile gvfsd-recent @{exec_path} {
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 @{run}/mount/utab r,
-
+
 owner @{PROC}/@{pid}/mountinfo r,
 include if exists
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland
index 9c6107f6f..3a25c0a5a 100644
--- a/apparmor.d/groups/hyprland/hyprland
+++ b/apparmor.d/groups/hyprland/hyprland
@@ -51,7 +51,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+usb* r, # for USB mouse and keyboard
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
- @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
+ @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
 @{sys}/bus/ r,
 @{sys}/class/input/ r,
diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker
index 38eccd297..78375c8b2 100644
--- a/apparmor.d/groups/hyprland/hyprpicker
+++ b/apparmor.d/groups/hyprland/hyprpicker
@@ -17,7 +17,7 @@ profile hyprpicker @{exec_path} {
 owner @{run}/user/@{uid}/.hyprpicker* rw,
 owner /dev/shm/wlroots-@{rand6} r,
-
+
 owner /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 5a4f480a1..9a2f4c961 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -12,7 +12,7 @@ profile baloo @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index c02f3f87a..24d86bec6 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -94,7 +94,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_config_dirs}/kxkbrc r,
 owner @{user_config_dirs}/menus/{,applications-merged/} r,
 owner @{user_config_dirs}/plasmarc r,
- owner @{user_config_dirs}/session/* r,
+ owner @{user_config_dirs}/session/* r,
 owner @{user_share_dirs}/kscreen/* r,
 owner @{user_share_dirs}/kwin/scripts/{,**} r,
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
index f7f168364..fe1c5d8da 100644
--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@@ -81,7 +81,7 @@ profile okular @{exec_path} {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},
 owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
- owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
+ owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
 owner @{run}/user/@{uid}/#@{int} rw,
 owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 7f48fbec0..a09f55c4b 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -199,7 +199,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 6d4ea3f7e..ebb861971 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -27,7 +27,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, network packet raw, - + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 8dc29f568..55b5bda1a 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -13,7 +13,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include capability dac_override, - + capability net_admin, capability fowner, capability fsetid, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index e1c55c7e1..6075f14b2 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,7 +7,7 @@ abi , include @{name} = Mullvad?VPN -@{lib_dirs} = /opt/@{name} +@{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 144fd84cb..27a511dc4 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -16,7 +16,7 @@ profile nm-online @{exec_path} { interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged peer=(name=:*, label=NetworkManager), - + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 7bab28a22..ac29b0b28 100644 
--- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -79,7 +79,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { capability mknod, capability net_admin, - + network netlink raw, /dev/net/tun rw, diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index b8c622c6e..7539c1c7f 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -21,7 +21,7 @@ profile arch-audit @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/arch-audit/settings.toml r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 6f4672f99..d5abc07db 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -80,7 +80,7 @@ profile makepkg @{exec_path} { ptrace read, - signal send set=winch peer=pacman, + signal send set=winch peer=pacman, signal send set=winch peer=pacman//systemctl, @{bin}/pacman Px, diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index b57ab746d..4884d248c 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -16,7 +16,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/mirrorlist r, /etc/pacman.d/*-mirrorlist r, - + /dev/tty@{int} rw, # Inherit Silencer diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 09529cbb0..9ee488fbc 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -55,11 +55,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { capability dac_read_search, @{bin}/pacman mr, - + @{bin}/gpg rix, @{bin}/gpgconf rix, @{bin}/gpgsm rix, - + /etc/pacman.conf r, /etc/pacman.d/{,**} r, /etc/pacman.d/gnupg/** rwkl, 
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 728bd84d2..287bc026a 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -35,7 +35,7 @@ profile pacman-key @{exec_path} { /usr/share/terminfo/** r, /etc/pacman.d/gnupg/* rw, - + /dev/tty rw, profile gpg { diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 237a5ff76..7e0422c5a 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -26,12 +26,12 @@ profile ssh-agent-launch @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=UpdateActivationEnvironment + member=UpdateActivationEnvironment peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member=SetEnvironment + member=SetEnvironment peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 89a19fa11..d81933f5e 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -62,7 +62,7 @@ profile coredumpctl @{exec_path} flags=(complain) { /etc/inputrc r, /etc/gdb/** r, - + owner /var/tmp/coredump-* rw, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index 5e4b33a12..f8950c1fe 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -27,7 +27,7 @@ profile systemd-cryptsetup @{exec_path} { @{run}/cryptsetup/ r, @{run}/cryptsetup/* rwk, @{run}/systemd/ask-password/* rw, - + @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, 
diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd/systemd-generator-ostree index f50544f81..ce2ecaf43 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ostree +++ b/apparmor.d/groups/systemd/systemd-generator-ostree @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator +@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator profile systemd-generator-ostree @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 105f72e46..5f60b5676 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -19,7 +19,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { ptrace (read), - mount options=(rw rshared) -> /, + mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, umount /etc/machine-id, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 6083fc233..3e2129d39 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -27,7 +27,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { @{run}/utmp rk, @{PROC}/@{pids}/stat r, - + @{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/tty@{int}/active r, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 177431f92..b4081eacb 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -18,7 +18,7 @@ profile userdbctl @{exec_path} { signal send set=cont peer=child-pager, @{exec_path} mr, - + @{pager_path} rPx -> child-pager, /etc/shadow r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index ed39c7583..cd0187119 100644 
--- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/apport/apport +@{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 25d136722..0121dd46d 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -102,7 +102,7 @@ profile apport-gtk @{exec_path} { include @{bin}/gdb mr, - + @{bin}/iconv rix, @{bin}/* r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index abbde2455..7d797bd97 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -13,7 +13,7 @@ profile ubuntu-advantage @{exec_path} { include include include - include + include capability dac_read_search, capability setgid, diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index a27f41fc0..3192c7051 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth profile cni-bandwidth @{exec_path} { include - + network inet dgram, network inet6 dgram, network inet stream, @@ -17,7 +17,7 @@ profile cni-bandwidth @{exec_path} { network netlink raw, @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 878a09119..a6c9149d2 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico 
@@ -25,15 +25,15 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{exec_path}-ipam rix, / r, - + /etc/cni/net.d/{,**} r, - + /var/lib/calico/{,**} r, /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - + /usr/share/mime/globs2 r, - + @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index 30e2800ce..fd4f50df3 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -21,7 +21,7 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) { @{run}/netns/ r, @{run}/netns/cni-@{uuid} rw, - + include if exists } diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index bd0206c4c..73ad13cb1 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -18,7 +18,7 @@ profile cni-portmap @{exec_path} { @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, - + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 7487c8e70..1766cd2fb 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -76,7 +76,7 @@ profile cockpit-bridge @{exec_path} { /etc/shadow r, /etc/shells r, - / r, + / r, @{HOME}/ r, owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index c1a39a895..1de016aea 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -26,7 +26,7 @@ profile cockpit-update-motd @{exec_path} { profile systemctl { include include - + capability net_admin, capability sys_ptrace, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 74a93737b..c10f44922 100644 --- a/apparmor.d/groups/virt/virt-aa-helper 
+++ b/apparmor.d/groups/virt/virt-aa-helper @@ -25,7 +25,7 @@ profile virt-aa-helper @{exec_path} { @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file - + # System VM images /var/lib/libvirt/images/{,**} r, /var/lib/nova/instances/_base/* r, diff --git a/apparmor.d/groups/whonix/msgdispatcher-dispatch b/apparmor.d/groups/whonix/msgdispatcher-dispatch index 0adfe2797..5c2037c56 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-dispatch +++ b/apparmor.d/groups/whonix/msgdispatcher-dispatch @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x +@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x profile msgdispatcher-dispatch @{exec_path} { include include diff --git a/apparmor.d/groups/whonix/tor-bootstrap-check b/apparmor.d/groups/whonix/tor-bootstrap-check index 8a5d8f537..7829b8318 100644 --- a/apparmor.d/groups/whonix/tor-bootstrap-check +++ b/apparmor.d/groups/whonix/tor-bootstrap-check @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py +@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py profile tor-bootstrap-check @{exec_path} { include include diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index ccdfe2ed4..fc20ad0fb 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -32,7 +32,7 @@ profile torbrowser-wrapper @{exec_path} { @{bin}/tty ix, @{bin}/whoami ix, - @{lib_dirs}/start-tor-browser Px, # torbrowser-start + @{lib_dirs}/start-tor-browser Px, # torbrowser-start @{lib}/msgcollector/msgcollector Px, @{lib}/open-link-confirmation/open-link-confirmation Px, @@ -44,11 +44,11 @@ profile torbrowser-wrapper @{exec_path} { owner @{HOME}/.tb/{,**} rw, owner @{HOME}/.xsession-errors rw, - + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/mount/utab r, - + owner @{PROC}/@{pid}/mountinfo r, profile sudo { 
diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 84abf8ced..8d91581cb 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce @@ -30,7 +30,7 @@ profile startxfce @{exec_path} { profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index c25d94526..796194146 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -57,7 +57,7 @@ profile acpi-powerbtn flags=(attach_disconnected) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 2ad4791d7..b7e4a127b 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -80,10 +80,10 @@ profile anyremote @{exec_path} { @{bin}/convert-im6.q16 mr, /usr/share/anyremote/cfg-data/Icons/common/*.png r, - + /usr/share/ImageMagick-[0-9]/*.xml rw, /etc/ImageMagick-[0-9]/*.xml r, - + owner @{HOME}/.anyRemote/*.png rw, owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 72ee1e9dc..36ca9555f 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -47,7 +47,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /var/log/cron-apt/temp w, owner /var/cache/app-info/{,**} rw, owner /var/cache/swcatalog/{,**} rw, - + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/appstream-cache-*.mdb rw, owner @{user_cache_dirs}/appstream/ rw, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 15c6b71c9..dbf6c228d 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg 
@@ -111,7 +111,7 @@ profile borg @{exec_path} { /etc/fuse.conf r, @{MOUNTS}/ r, - @{MOUNTS}/*/ r, + @{MOUNTS}/*/ r, @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor index e78420e34..af98f9fc7 100644 --- a/apparmor.d/profiles-a-f/briar-desktop-tor +++ b/apparmor.d/profiles-a-f/briar-desktop-tor @@ -14,7 +14,7 @@ profile briar-desktop-tor { network netlink raw, signal send set=term peer=briar-desktop-tor//obfs4proxy, - signal send set=term peer=briar-desktop-tor//snowflake, + signal send set=term peer=briar-desktop-tor//snowflake, owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw, owner @{HOME}/.briar/desktop/tor/.tor/lock k, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index cdf5eb0df..82742fd4a 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -59,7 +59,6 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /dev/btrfs-control rw, /dev/pts/@{int} rw, /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus index 3f9b15dcc..6e3b38490 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -21,7 +21,7 @@ profile cups-notifier-dbus @{exec_path} { owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk, - + include if exists } diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd index ac9984746..f65fc8349 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -95,7 +95,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pid}/mounts r, - + owner @{tmp}/*_latest_print_info w, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 3e95a05dd..a8b482788 100644 --- a/apparmor.d/profiles-a-f/dig 
+++ b/apparmor.d/profiles-a-f/dig @@ -27,9 +27,9 @@ profile dig @{exec_path} { owner @{HOME}/.digrc r, owner @{HOME}/batch_mode.dig r, owner @{HOME}/tsig.key r, - + /tmp/batch_mode.dig r, - + owner @{PROC}/@{pids}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 74d1ce740..53038a6d7 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -12,7 +12,7 @@ include @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} +@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} profile discord @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/discord-chrome-sandbox b/apparmor.d/profiles-a-f/discord-chrome-sandbox index 4cfefd651..0599fa486 100644 --- a/apparmor.d/profiles-a-f/discord-chrome-sandbox +++ b/apparmor.d/profiles-a-f/discord-chrome-sandbox @@ -8,7 +8,7 @@ abi , include @{name} = discord -@{lib_dirs} = /usr/share/@{name} /opt/@{name} +@{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index 00f1d8117..ffce30921 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -40,7 +40,7 @@ profile dkms-autoinstaller @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 08dad1bd2..5573aaf83 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy 
@@ -27,17 +27,17 @@ profile dnscrypt-proxy @{exec_path} { @{exec_path} mrix, /etc/dnscrypt-proxy/{,**} r, - + owner /etc/dnscrypt-proxy/public-resolvers.md rw, owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw, owner /etc/dnscrypt-proxy/relays.md rw, owner /etc/dnscrypt-proxy/relays.md.minisig rw, owner /etc/dnscrypt-proxy/sf-*.tmp rw, - + /var/cache/private/dnscrypt-proxy/{,**} r, /var/cache/private/dnscrypt-proxy/public-resolvers.md{,.minisig} rw, /var/cache/private/dnscrypt-proxy/sf-*.tmp rw, - + /var/log/dnscrypt-proxy/ r, /var/log/dnscrypt-proxy/*.log w, /var/log/private/dnscrypt-proxy/ rw, diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index e4a9bef28..05a900889 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -7,7 +7,7 @@ abi , include @{name} = {E,e}lement -@{lib_dirs} = @{lib}/@{name} +@{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt index bcffc5b89..0c027dc2c 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -20,7 +20,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { /etc/fstab r, /etc/mtab r, - + @{PROC}/@{pids}/mountinfo r, # File Inherit diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index d91b9ac53..e332f50ca 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
@@ -3,11 +3,11 @@ # SPDX-License-Identifier: GPL-2.0-only # Default profile for all flatpak applications. Ideally, this profile should be -# generated by flatpak itself with settings from the flatpak manifest and +# generated by flatpak itself with settings from the flatpak manifest and # fully separated from bwrap. # Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order -# to separate bwrap from the sandboxed app itself. It was generating issue with +# to separate bwrap from the sandboxed app itself. It was generating issue with # zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install # some applications, flatpak needs write access to the sandbox content. This is # done through bwrap and therefore in this profile. @@ -15,7 +15,7 @@ # 1. All of this will have to be improved. However, as of today, it is the only # way to not break some (major) flatpak app. # 2. It is not a big deal as flatpak is responsible for the sandbox anyway. -# This this only defence in depth. +# This this only defence in depth. # 3. The main purpose of this profile is to ensure all processes are confined. abi , diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 7144a237a..162e3b448 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -43,7 +43,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, - + owner @{PROC}/@{pids}/fd/ r, /dev/ptmx rw, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 637cc0970..7f14df0e0 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal 
@@ -27,7 +27,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /usr/share/xml/iso-codes/{,**} r, - owner @{tmp}/.@{rand6} rw, + owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 333c9f368..295cbe760 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -8,7 +8,7 @@ abi , include @{name} = {F,f}ree{T,t}ube{,-vue} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index b6ef68b0a..40dbda8c7 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -149,7 +149,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - + owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 4d53fdf57..f599bbc1f 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -28,7 +28,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - + @{exec_path} mr, @{bin}/dbus-launch Cx -> bus, diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index dd7d3bff3..93e65f0a2 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -92,7 +92,7 @@ profile gparted @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 6cc77b9bc..e56bb5733 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin 
@@ -71,7 +71,7 @@ profile gpartedbin @{exec_path} { owner @{tmp}/gparted-*/ rw, @{run}/mount/utab r, - + @{PROC}/devices r, @{PROC}/partitions r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 7c960482a..f5c1ecdd6 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -72,7 +72,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, @{bin}/rfkill rPx, - @{bin}/rpm rCx -> rpm, + @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @@ -220,7 +220,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index b3dbef04f..03c8650dd 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -14,7 +14,7 @@ profile iceauth @{exec_path} { @{exec_path} mr, owner @{tmp}/.xfsm-ICE-@{rand6} r, - owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, + owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 272679ede..074b4e735 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -41,7 +41,7 @@ profile initd-kexec @{exec_path} { profile systemctl { include include - + capability sys_resource, @{bin}/systemd-tty-ask-password-agent rix, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 97bd3bfed..eafcab799 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -153,7 +153,7 @@ profile inxi @{exec_path} { profile systemctl { include include - + include if exists } 
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index e27e226c5..e5c739bd5 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -28,7 +28,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { / r, /etc/default/locale r, - + /var/lib/landscape/landscape-sysinfo.cache rw, @{PROC}/loadavg r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index f98457155..7990fb27d 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -88,7 +88,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { profile pgrep { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index a1f4ced89..0fce66a96 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -23,7 +23,7 @@ profile lynx @{exec_path} { @{exec_path} mr, @{sh_path} rix, - + /usr/share/terminfo/{,**} r, /usr/share/doc/lynx-common/** r, diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard index df1806311..281be7e0d 100644 --- a/apparmor.d/profiles-m-r/molly-guard +++ b/apparmor.d/profiles-m-r/molly-guard @@ -36,7 +36,7 @@ profile molly-guard @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 3fafd269a..26f3e2d57 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -64,7 +64,7 @@ profile mount-nfs @{exec_path} flags=(complain) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 6a96796a7..fb1e94c1f 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt 
@@ -29,7 +29,7 @@ profile mutt @{exec_path} { @{sh_path} rix, @{lib}/{,sendmail/}sendmail rPUx, - @{bin}/ispell rPUx, + @{bin}/ispell rPUx, @{bin}/abook rPUx, @{bin}/mutt_dotlock rix, # Misc mutt scripts @@ -84,13 +84,13 @@ profile mutt @{exec_path} { # Used When viewing attachments owner /{var/,}tmp/* lrw, - + profile html-renderer { include @{bin}/w3m mrix, @{bin}/lynx mrix, - + owner @{HOME}/.w3m/* rw, owner @{user_mail_dirs}/{,**} r, owner @{user_mail_dirs}/tmp/{,**} rw, @@ -142,9 +142,9 @@ profile mutt @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - + owner /{var/,}tmp/mutt* lrw, - + include if exists } diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index 166404dfa..ba9d813c2 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -46,7 +46,7 @@ profile popularity-contest @{exec_path} { /var/log/popularity-contest.new w, owner @{tmp}/#@{int} rw, - + @{PROC}/ r, include if exists diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 81f27c40e..4de73d718 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# To force the use of the Gnome Keyring or Kwallet secret-service, add the +# To force the use of the Gnome Keyring or Kwallet secret-service, add the # following lines in your local/protonmail-bridge-core file: # deny @{bin}/pass x, # deny owner @{user_password_store_dirs}/** r, diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 6601b8169..c050ce970 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -50,7 +50,7 @@ profile resolvconf @{exec_path} { include if exists } - + include if exists } 
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 69e8c4d0d..c20b305e1 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -23,7 +23,7 @@ profile run-parts @{exec_path} { capability mknod, @{exec_path} mrix, - + @{sh_path} rix, @{bin}/anacron rix, @{bin}/cat rix, @@ -114,7 +114,7 @@ profile run-parts @{exec_path} { /etc/update-motd.d/ r, /etc/update-motd.d/* rCx -> motd, - # Kernel + # Kernel /etc/kernel/header_postinst.d/ r, /etc/kernel/header_postinst.d/dkms rCx -> kernel, @@ -169,7 +169,7 @@ profile run-parts @{exec_path} { @{bin}/sort rix, @{bin}/tr rix, @{bin}/uname rix, - + @{bin}/snap rPUx, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, @@ -238,7 +238,7 @@ profile run-parts @{exec_path} { # For shell pwd / r, /boot/ r, - + /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, /etc/modprobe.d/ r, diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index 985f124de..dab3593b6 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -48,10 +48,10 @@ profile s3fs @{exec_path} { mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - + @{bin}/fusermount{,3} mr, /etc/fuse.conf r, diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 98b194fb7..4817f330a 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -7,7 +7,7 @@ abi , include @{name} = {S,s}ession -@{lib_dirs} = /opt/@{name} +@{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure index e9bef6d4e..a4f89f558 100644 --- a/apparmor.d/profiles-s-z/snap-failure 
+++ b/apparmor.d/profiles-s-z/snap-failure @@ -24,7 +24,7 @@ profile snap-failure @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 79204827f..04837d871 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -32,7 +32,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher index 12138e360..0bd8c67d3 100644 --- a/apparmor.d/profiles-s-z/steam-launcher +++ b/apparmor.d/profiles-s-z/steam-launcher @@ -23,7 +23,7 @@ profile steam-launcher @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{lib_dirs}/** mr, - + include if exists } diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime index abf84d3c0..2a3e839ff 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime @@ -62,7 +62,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, owner @{share_dirs}/config/config.vdf{,.*} rw, - owner @{share_dirs}/steamapps/appmanifest_* rw, + owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{tmp}/ r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter index 8214a1fb9..27fe69be9 100644 --- a/apparmor.d/profiles-s-z/steamerrorreporter +++ b/apparmor.d/profiles-s-z/steamerrorreporter 
@@ -27,7 +27,7 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.steam/steam.pipe r, - owner @{lib_dirs}/{,**} r, + owner @{lib_dirs}/{,**} r, owner @{runtime_dirs}/pinned_libs_{32,64}/ r, owner @{share_dirs}/ r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index b2df1a346..e1b9ab7de 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -23,7 +23,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task index 598e59341..3cffb0748 100644 --- a/apparmor.d/profiles-s-z/task +++ b/apparmor.d/profiles-s-z/task @@ -41,7 +41,7 @@ profile task @{exec_path} { include if exists } - + include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 1ee9f0941..f4fb49f8f 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -7,7 +7,7 @@ abi , include -@{name} = thunderbird{,-bin} +@{name} = thunderbird{,-bin} @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{HOME}/.@{name}/ @{cache_dirs} = @{user_cache_dirs}/@{name}/ diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id index a26c4a263..1d6580311 100644 --- a/apparmor.d/profiles-s-z/udev-dmi-memory-id +++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/udev/dmi_memory_id +@{exec_path} = @{lib}/udev/dmi_memory_id profile udev-dmi-memory-id @{exec_path} { include 
diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index 048f2410c..bb160a5e5 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -10,11 +10,11 @@ include profile zed @{exec_path} { include include - + capability sys_admin, network netlink raw, - + @{exec_path} mr, @{bin}/{m,g,}awk rix, @@ -48,7 +48,7 @@ profile zed @{exec_path} { @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, - + @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index 9ba71f45b..e28a2e439 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -10,13 +10,13 @@ include profile zfs @{exec_path} { include include - + capability sys_admin, capability dac_read_search, mount fstype=zfs, umount fstype=zfs, - + @{exec_path} mr, /etc/zfs/zfs-list.cache/{,*} rwk, diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot index cbf48ba4f..799262482 100644 --- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot +++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot @@ -12,7 +12,7 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) { include @{exec_path} mr, - + @{sh_path} rix, @{bin}/cat rix, @{bin}/cp rix, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 30a17a6ad..8ac23a07c 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -24,7 +24,7 @@ profile zsysd @{exec_path} flags=(complain) { /etc/hostid r, /etc/zsys.conf r, - + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/systemd/notify rw, diff --git a/tests/check.sh b/tests/check.sh index 71fc244ab..4d36c80c0 100644 --- a/tests/check.sh +++ b/tests/check.sh 
@@ -16,8 +16,8 @@ readonly HEADERS=(
)
_die() {
- echo " ✗ $*"
- exit 1
+ echo -e "\033[1;31m ✗ Error: \033[0m$*"
+ #exit 1
}
_ensure_header() {
@@ -46,6 +46,9 @@ _ensure_indentation() {
in_profile=true
first_line_after_profile=true
+ elif [[ "$line" =~ [[:space:]]+$ ]]; then
+ _die "$file:$line_number: line has trailing whitespace."
+
elif $in_profile; then
if $first_line_after_profile; then
local leading_spaces="${line%%[! ]*}"
@@ -104,9 +107,10 @@ _ensure_vim() {
}
check_profiles() {
- echo " ⋅ Checking if all profiles contain:"
+ echo -e "\033[1m ⋅ \033[0mChecking if all profiles contain:"
echo " - apparmor.d header & license"
echo " - Check indentation: 2 spaces"
+ echo " - Check for trailing whitespaces"
echo " - 'abi ,'"
echo " - 'profile '"
echo " - 'include if exists '"
@@ -140,9 +144,10 @@ check_profiles() {
}
check_abstractions() {
- echo " ⋅ Checking if all abstractions contain:"
+ echo -e "\033[1m ⋅ \033[0mChecking if all abstractions contain:"
echo " - apparmor.d header & license"
echo " - Check indentation: 2 spaces"
+ echo " - Check for trailing whitespaces"
echo " - 'abi ,'"
echo " - 'include if exists '"
echo " - vim:syntax=apparmor"
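Review bot: With `exit 1` commented out in the first hunk, `_die` only prints, so `check.sh` now exits 0 however many profile or abstraction checks failed and a CI job running it can no longer fail on a bad profile. Reporting every error in one run is worth keeping, but the exit status should still reflect them: set a flag in `_die` (`_check_failed=1`) and finish the script with `exit "${_check_failed:-0}"` (the script's tail is outside this diff), and delete the dead `#exit 1` line rather than leaving it commented out. `echo -e` also processes backslash sequences inside `$*`, so a file name or message containing one is mangled; `printf '\033[1;31m ✗ Error: \033[0m%s\n' "$*"` keeps the colour and prints the argument verbatim. The same exit-status problem applies to the new `_die` call in the second hunk and to every check announced in the third and fourth hunks.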
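Review bot: The trailing-whitespace test in the second hunk is an `elif`, so any line taken by the preceding `if` of this chain (its condition is above the hunk; from the `in_profile=true` assignment it appears to be the `profile … {` header line) is never checked for trailing whitespace, and once the whitespace branch fires the indentation branch below it is skipped, so a line with both faults reports only one. An independent test placed before the chain, `if [[ "$line" =~ [[:space:]]+$ ]]; then _die "$file:$line_number: line has trailing whitespace."; fi`, checks every line and still lets the indentation checks run. `_ensure_indentation` starts and ends outside the hunk, and `line_number` is assumed to be maintained by the enclosing loop.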