diff --git a/apparmor.d/groups/browsers/chromium-sandbox b/apparmor.d/groups/browsers/chromium-sandbox
index 98ebf5b62..f32af44ca 100644
--- a/apparmor.d/groups/browsers/chromium-sandbox
+++ b/apparmor.d/groups/browsers/chromium-sandbox
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{lib}/chromium/chrome-sandbox
-profile chromium-sandbox @{exec_path} {
+profile chromium-sandbox @{exec_path} flags=(attach_disconnected) {
 include
 capability dac_override,
diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service
index ccebcad74..790f03be3 100644
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{lib}/{,dconf/}dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
@@ -38,8 +39,6 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
 @{PROC}/cmdline r,
- /dev/tty@{int} rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index f10e80d7f..773122f57 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -37,7 +37,6 @@ profile startplasma @{exec_path} {
 /usr/share/kservicetypes5/{,**} r,
 /usr/share/plasma/{,**} r,
- /etc/locale.alias r,
 /etc/machine-id r,
 /etc/xdg/menus/{,**} r,
 /etc/xdg/plasma-workspace/env/{,*} r,
diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup
index 77ac07045..b30da1c13 100644
--- a/apparmor.d/profiles-m-r/mullvad-setup
+++ b/apparmor.d/profiles-m-r/mullvad-setup
@@ -13,6 +13,10 @@ profile mullvad-setup @{exec_path} {
 @{exec_path} mr,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/cgroup r,
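Review bot: The new `flags=(attach_disconnected)` on the chromium-sandbox profile header is not explained by anything in the hunk, and the same flag is added to the `transmission` header at the end of this patch. With the flag set, files whose path is no longer connected to the namespace root (unlinked, or bind-mounted out of view) are mediated as if they sat under `/`, so any wide path glob elsewhere in the profile starts matching them too, which the AppArmor documentation flags as a potential security concern. A one-line comment above each header recording the denial that motivated it, e.g. `# attach_disconnected: needed for <denial — TODO fill in>`, would let a later reviewer tell whether the widening is still required. The bodies of both profiles continue outside the hunks.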
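Review bot: The added `@{PROC}/@{pid}/mountinfo r,` in mullvad-setup has no `owner` qualifier, while the neighbouring `owner @{PROC}/@{pid}/cgroup r,` has one, so the new rule lets mullvad-setup read the mount layout of every process on the host rather than only its own; unless a cross-user read was actually seen in a denial, `owner @{PROC}/@{pid}/mountinfo r,` is the tighter rule and matches the surrounding style. The three `cpu.max` rules could also be expressed once as `@{sys}/fs/cgroup/user.slice/{,user-@{uid}.slice/{,session-@{int}.scope/}}cpu.max r,`, which is easier to keep aligned with the cgroup hierarchy. The profile body continues outside the hunk.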
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 997b81fb5..9a50dafa0 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -54,7 +54,7 @@ profile thunderbird @{exec_path} {
 owner @{tmp}/MozillaMailnews/*.msf rw,
 owner @{tmp}/nscopy.tmp rw,
 owner @{tmp}/nsemail{,-@{int}}.eml rw,
- owner @{tmp}/nsma rw,
+ owner @{tmp}/nsma{,-@{int}} rw,
 owner @{tmp}/pid-@{pid}/{,**} w,
 /dev/urandom w,
diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp
index af5f67061..0378e62fc 100644
--- a/apparmor.d/profiles-s-z/tlp
+++ b/apparmor.d/profiles-s-z/tlp
@@ -29,27 +29,27 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/systemctl rCx -> systemctl,
- @{bin}/logger rix,
 @{sh_path} rix,
- @{bin}/cp rix,
- @{bin}/chmod rix,
- @{bin}/flock rix,
- @{bin}/sort rix,
- @{bin}/head rix,
- @{bin}/mktemp rix,
- @{bin}/readlink rix,
- @{bin}/tr rix,
- @{bin}/ethtool rix,
- @{bin}/grep rix,
- @{bin}/touch rix,
 @{bin}/cat rix,
- @{bin}/rm rix,
+ @{bin}/chmod rix,
+ @{bin}/cp rix,
+ @{bin}/ethtool rix,
+ @{bin}/flock rix,
+ @{bin}/grep rix,
+ @{bin}/hdparm rPx,
+ @{bin}/head rix,
 @{bin}/id rPx,
 @{bin}/iw rPx,
- @{bin}/hdparm rPx,
+ @{bin}/logger rix,
+ @{bin}/mktemp rix,
+ @{bin}/readlink rix,
+ @{bin}/rm rix,
+ @{bin}/sort rix,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/touch rix,
+ @{bin}/tr rix,
+ @{bin}/udevadm rCx -> udevadm,
 @{bin}/uname rpx,
- @{bin}/udevadm rCx -> udevadm,
 /usr/share/tlp/tlp-readconfs rix,
 / r,
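Review bot: While the tlp exec rules are being re-sorted, the context line `@{bin}/uname rpx,` keeps a lowercase `p`, unlike the `rPx` used for `id`, `iw` and `hdparm` in the same list; in AppArmor the uppercase form scrubs the environment on the profile transition and the lowercase form does not, so the mix reads as accidental rather than chosen. If it is deliberate, a trailing comment such as `# rpx: environment must survive the transition — TODO confirm` would stop the next reorder from "correcting" it; otherwise `@{bin}/uname rPx,` brings it in line with its siblings. The rule block continues outside the hunk.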
@@ -58,14 +58,16 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 /etc/tlp.d/** rw,
 /etc/tlp.conf rw,
- /usr/share/tlp/** r,
+ /usr/share/tlp/{,**} r,
+ /var/lib/tlp/{,**} rw,
 /var/lib/power-profiles-daemon/state.ini rw,
- @{run}/udev/data/+platform:* r,
- owner @{run}/tlp/* rw,
+ owner @{run}/tlp/{,**} rw,
 owner @{run}/tlp/lock_tlp rwk,
+ @{run}/udev/data/+platform:* r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
 @{sys}/module/pcie_aspm/parameters/policy rw,
 @{sys}/module/snd_hda_intel/parameters/power_save rw,
@@ -73,11 +75,10 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 @{sys}/firmware/acpi/platform_profile* rw,
 @{sys}/firmware/acpi/pm_profile* rw,
- owner @{PROC}/sys/vm/laptop_mode rw,
- owner @{PROC}/sys/vm/dirty_writeback_centisecs rw,
- owner @{PROC}/sys/vm/dirty_expire_centisecs rw,
 owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw,
 owner @{PROC}/sys/kernel/nmi_watchdog rw,
+ owner @{PROC}/sys/vm/dirty_*_centisecs rw,
+ owner @{PROC}/sys/vm/laptop_mode rw,
 /dev/disk/by-id/ r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission
index a6ccb7e2d..2a39981df 100644
--- a/apparmor.d/profiles-s-z/transmission
+++ b/apparmor.d/profiles-s-z/transmission
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/transmission-{gtk,qt}
-profile transmission @{exec_path} {
+profile transmission @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
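Review bot: The new `/var/lib/tlp/{,**} rw,` and `owner @{run}/tlp/{,**} rw,` rules grant recursive write over whole directories, where the rule being replaced (`owner @{run}/tlp/* rw,`) reached only direct children and the sibling `/var/lib/power-profiles-daemon/state.ini rw,` names the single file it touches. If tlp only keeps a handful of state files under `/var/lib/tlp`, naming them, or at least narrowing `**` to `*`, keeps the profile from pre-authorising subdirectories that do not exist today. With `@{run}/tlp/{,**} rw` in place, `owner @{run}/tlp/lock_tlp rwk,` now only contributes the `k` permission, which a trailing `# lock only; rw is covered above` comment would make obvious. The rule block continues outside the hunk.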