diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
index abf116a41..8eabdeeee 100644
--- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme
+++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
@@ -7,14 +7,15 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/plymouth-set-default-theme
-profile plymouth-set-default-theme @{exec_path} {
+profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
 include
 @{exec_path} mr,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/grep rix,
- /{usr/,}bin/plymouth rPx,
+ /{usr/,}bin/{m,g,}awk rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/plymouth rPx,
+ /{usr/,}bin/{,ba,da}sh rix,
 /etc/plymouth/{,*} r,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index b1e1d39d8..9c702149d 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -30,6 +30,10 @@ profile plymouthd @{exec_path} {
 /etc/plymouth/plymouthd.conf r,
 /etc/vconsole.conf r,
+ /var/lib/plymouth/{,**} rw,
+
+ @{run}/plymouth/{,**} rw,
+
 @{run}/udev/data/+drm:* r,
 @{run}/udev/data/c226:* r,
 @{run}/udev/data/c29:* r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 611f2e2b2..96471bdb5 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -18,6 +18,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 include
 include
 include
+ include
 dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]*
 interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index a8789538f..c6ea079e8 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
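Review bot: The new `flags=(attach_disconnected)` on the profile header carries no comment saying which disconnected path made it necessary, and the flag widens what the profile can reach by letting accesses to files outside the namespace root be matched as if they were under `/`. A one-line comment above the header, such as `# attach_disconnected: triggered when run from an initramfs build chroot — TODO confirm against the denial`, would let a later reviewer drop the flag if the trigger goes away. The added `/{usr/,}bin/{,ba,da}sh rix,` is consistent with the tool being a shell script (it already runs awk and grep) and keeps the interpreter under this profile, which is the right choice over an unconfined transition. The profile body continues beyond the hunk.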
@@ -123,6 +123,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/ r,
 @{sys}/class/input/ r,
 @{sys}/devices/**/{name,vendor,product,uevent} r,
+ @{sys}/devices/**/power_supply/{,**} r,
 @{sys}/devices/platform/**/uevent r,
 @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/virtual/**/uevent r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index f6931ba90..de80727b8 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -22,6 +22,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 938d6f331..a8ce89742 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -24,6 +24,7 @@ profile tracker-extract @{exec_path} {
 @{exec_path} mr,
 /usr/share/applications/*.desktop r,
+ /usr/share/applications/mimeinfo.cache r,
 /usr/share/dconf/profile/gdm r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/hwdata/*.ids r,
@@ -40,6 +41,7 @@ profile tracker-extract @{exec_path} {
 /var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
+ /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
 /var/lib/snapd/desktop/applications/*.desktop r,
 # Allow to search user files
diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher
index be5b456ee..c7ead87f0 100644
--- a/apparmor.d/groups/network/networkd-dispatcher
+++ b/apparmor.d/groups/network/networkd-dispatcher
@@ -13,6 +13,11 @@ profile networkd-dispatcher @{exec_path} {
 include
 include
+ dbus receive bus=system path=/org/freedesktop/network1/link/*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*),
+
 @{exec_path} mr,
 /{usr/,}bin/ r,
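Review bot: The new `dbus receive` rule for `PropertiesChanged` on `/org/freedesktop/network1/link/*` accepts the signal from any connection, because `peer=(name=:*)` matches every unique bus name. The only legitimate emitter of that signal is systemd-networkd, so if networkd is confined by a profile in this set the rule should pin the sender's label as well, e.g. `peer=(name=:*, label=systemd-networkd),`; if it is deliberately left open, a short comment saying why would keep the next reader from tightening it blindly. The profile body continues beyond the hunk.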
diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf
index 517637e3d..f99affdd4 100644
--- a/apparmor.d/groups/pacman/pacman-conf
+++ b/apparmor.d/groups/pacman/pacman-conf
@@ -11,9 +11,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
 include
 include
- network inet stream,
- network inet6 stream,
-
 @{exec_path} mr,
 /etc/pacman.conf r,
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 6c3a80cf7..86b063f9b 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -13,8 +13,8 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /usr/lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
- /usr/lib/udev/hwdb.bin w,
+ /{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
+ /{usr/,}lib/udev/hwdb.bin w,
 /etc/udev/hwdb.d/{,*} r,
diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill
index acbb572e4..b4c252ecb 100644
--- a/apparmor.d/groups/systemd/systemd-rfkill
+++ b/apparmor.d/groups/systemd/systemd-rfkill
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -19,15 +19,14 @@ profile systemd-rfkill @{exec_path} {
 @{exec_path} mr,
- /dev/rfkill rw,
-
- @{sys}/devices/**/rfkill[0-9]*/{uevent,name} r,
-
 /var/lib/systemd/rfkill/* rw,
 @{run}/systemd/notify rw,
- @{run}/udev/data/+rfkill:* r,
+ @{sys}/devices/**/rfkill[0-9]*/{uevent,name} r,
+
+ /dev/rfkill rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index f8663cb31..df4dd41ce 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
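Review bot: The second systemd-rfkill hunk drops `@{run}/udev/data/+rfkill:* r,` while every other change in it is a reorder, and nothing in the diff says why. In the systemd releases I know, systemd-rfkill names its state file under `/var/lib/systemd/rfkill/` from the device's `ID_PATH` udev property, which libsystemd reads from exactly that udev database entry, so removing the rule is more likely to surface as a denial on the next rfkill event than to act as a tightening. If the read really is no longer needed the commit should say so; otherwise keep the line next to the re-added `@{sys}/devices/**/rfkill[0-9]*/{uevent,name} r,`.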
@@ -21,6 +21,11 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 network inet stream,
 network inet6 stream,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName
+ peer=(name=org.freedesktop.DBus),
+
 dbus bind bus=system name=org.freedesktop.timesync1,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 54adc87e8..4fdd42e05 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -37,15 +37,17 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/perl rix,
+ /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/chgrp rix,
 /{usr/,}bin/chmod rix,
- /{usr/,}bin/setfacl rix,
+ /{usr/,}bin/ln rix,
 /{usr/,}bin/logger rix,
 /{usr/,}bin/nohup rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/ln rix,
+ /{usr/,}bin/perl rix,
 /{usr/,}bin/readlink rix,
+ /{usr/,}bin/setfacl rix,
+ /{usr/,}bin/unshare rix,
+ /{usr/,}bin/snap rPx,
 /{usr/,}{s,}bin/* rPUx,
diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate
index 7f6de8b2e..149bbbd24 100644
--- a/apparmor.d/profiles-a-f/blkdeactivate
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,12 +13,14 @@ profile blkdeactivate @{exec_path} flags=(complain) {
 include
 @{exec_path} rm,
- /{usr/,}{s,}bin/dmsetup rPUx,
- /{usr/,}bin/grep rix,
- /{usr/,}bin/lsblk rPx,
- /{usr/,}{s,}bin/lvm rPx,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/umount rPx,
+
+ /{usr/,}{s,}bin/multipathd rPx,
+ /{usr/,}{s,}bin/dmsetup rPUx,
+ /{usr/,}{s,}bin/lvm rPx,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/lsblk rPx,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/umount rPx,
 @{sys}/devices/virtual/block/*/holders/ r,
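Review bot: The added `/{usr/,}bin/snap rPx,` in the systemd-udevd hunk only works if a profile attached to `/{usr/,}bin/snap` exists in this set; with `Px` AppArmor denies the exec outright when the target profile is missing, so either confirm the snap profile is present or fall back to `rPUx` like the catch-all `/{usr/,}{s,}bin/* rPUx,` that follows. The new `/{usr/,}bin/unshare rix,` keeps unshare under the udevd profile, which is the safer choice, but a comment naming the udev rule that invokes it (snapd's, presumably) would make both additions easier to audit later. The profile is in complain mode, so neither line is enforced yet and a missing snap profile would go unnoticed until enforcement.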
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 0d507eccc..7e9cd9e18 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -19,6 +19,9 @@ profile flatpak-system-helper @{exec_path} {
 capability setgid,
 capability setuid,
 capability sys_nice,
+ capability sys_ptrace,
+
+ ptrace (read),
 @{exec_path} mr,
@@ -40,6 +43,7 @@ profile flatpak-system-helper @{exec_path} {
 owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/stat r,
 profile gpg {
 include
diff --git a/apparmor.d/profiles-a-f/losetup b/apparmor.d/profiles-a-f/losetup
index 41a5958e5..b1f8a162e 100644
--- a/apparmor.d/profiles-a-f/losetup
+++ b/apparmor.d/profiles-a-f/losetup
@@ -17,6 +17,7 @@ profile losetup @{exec_path} {
 @{exec_path} mr,
+ @{sys}/devices/**/usb[0-9]/{,**} r,
 @{sys}/devices/system/cpu/possible r,
 /dev/loop-control rw,
diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb
index c2b04c096..764778e18 100644
--- a/apparmor.d/profiles-m-r/mandb
+++ b/apparmor.d/profiles-m-r/mandb
@@ -27,8 +27,8 @@ profile mandb @{exec_path} flags=(complain) {
 /usr/local/man/{,**} r,
 /usr/local/share/man/{,**} r,
- /usr/{,/share}/man/{,**} r,
- /usr/local/{,/share/}/man/{,**} r,
+ /usr/{,share/}man/{,**} r,
+ /usr/local/{,share/}man/{,**} r,
 /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,
diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools
index 862f6f03a..c0a59bcf1 100644
--- a/apparmor.d/profiles-m-r/mtools
+++ b/apparmor.d/profiles-m-r/mtools
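Review bot: The new `ptrace (read),` in flatpak-system-helper has no `peer=` qualifier, so it lets this root daemon read-ptrace — and therefore read the `/proc/<pid>/` state of — every process on the system, and the `capability sys_ptrace` added above it lifts the kernel's same-uid/dumpable check on top of that. The only concrete need the diff shows is `owner @{PROC}/@{pid}/stat r,` in the second hunk, presumably to inspect another process it spawned or was asked about; that should be scoped to the expected peer, e.g. `ptrace (read) peer=unconfined,` or the relevant profile label, and `capability sys_ptrace` should be re-checked against a real denial before it is kept, since reading `stat` of a same-owner, dumpable process does not require it. The profile body continues beyond both hunks.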
@@ -28,8 +28,8 @@ profile mtools @{exec_path} {
 owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- owner /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,
- owner /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,
+ /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd
index 5a8ab571c..cd4cf7f10 100644
--- a/apparmor.d/profiles-m-r/pacmd
+++ b/apparmor.d/profiles-m-r/pacmd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -13,12 +14,15 @@ profile pacmd @{exec_path} {
 include
 #capability sys_ptrace,
+ ptrace peer=pulseaudio,
 ptrace (read) peer=pipewire,
 signal (send) peer=pulseaudio,
- /{usr/,}bin/pacmd mr,
+ @{exec_path} mr,
+
+ /app/lib/libzypak*.so* mr,
 owner @{PROC}/@{pids}/stat r,
diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl
index 075381592..c1f552af4 100644
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,16 +10,18 @@ include
 @{exec_path} = /{usr/,}bin/pactl
 profile pactl @{exec_path} {
 include
- include
 include
+ include
 @{exec_path} mr,
- owner @{HOME}/.Xauthority r,
+ /app/lib/libzypak*.so* mr,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
+ owner @{HOME}/.Xauthority r,
+
 owner @{user_config_dirs}/pulse/ rw,
 # file_inherit
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
index c02d9d370..76b653e50 100644
--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
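Review bot: Dropping the `owner` qualifier from the two `/dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,` rules lets mtools write and lock image files belonging to any other user under `/dev/shm`, a world-writable shared tmpfs, and the diff does not say which use case needed that. If a specific owner mismatch triggered the denial (a root-owned helper, a different uid inside a sandbox), narrow the rule to that case or add a comment such as `# no owner: images under /dev/shm are created by <tool> as <uid> — TODO confirm` so the widening is not kept silently; otherwise keep `owner`, consistent with the `@{HOME}` and `@{MOUNTS}` rules just above it.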
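Review bot: The new `ptrace peer=pulseaudio,` in the pacmd hunk carries no access list, so it grants every ptrace permission (read, trace, readby, tracedby) on the pulseaudio peer, while the neighbouring rule for pipewire is limited to `(read)`. Unless pacmd genuinely needs to attach to the daemon, make it `ptrace (read) peer=pulseaudio,` to match; reading the daemon's `/proc/<pid>/stat`, which is what the `owner @{PROC}/@{pids}/stat r,` context line suggests, only needs read. Leaving `#capability sys_ptrace,` commented out is correct and should stay that way.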
@@ -11,6 +11,12 @@ profile pass-import @{exec_path} {
 include
 include
 include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index de6c971e7..e0654836c 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -15,7 +15,8 @@ profile run-parts @{exec_path} {
 @{exec_path} mr,
- /usr/share/update-notifier/notify-reboot-required rPx,
+ /usr/share/update-notifier/notify-reboot-required rPx,
+ /usr/share/update-notifier/notify-updates-outdated rPx,
 # Crontrab
 /etc/cron.{hourly,daily,weekly,monthly}/ r,
@@ -133,6 +134,7 @@ profile run-parts @{exec_path} {
 /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot rPx,
 /{usr/,}lib/update-notifier/update-motd-reboot-required rix,
 /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,
+ /usr/share/update-notifier/notify-updates-outdated rPx,
 / r,
 /etc/default/motd-news r,
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index 659d63ee5..a8b7a7bea 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -36,6 +36,7 @@ profile steam-gameoverlayui @{exec_path} {
 owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw,
 owner @{user_share_dirs}/Steam/public/* rk,
 owner @{user_share_dirs}/Steam/resource/{,**} rk,
+ owner @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fontconfig/{,**} rw,
 owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
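Review bot: The four `network inet{,6} {dgram,stream},` rules in the pass-import hunk give a tool that handles exported credentials unrestricted outbound IPv4/IPv6 networking, and nothing in the hunk records which feature needs it. That is the kind of widening that deserves a justification next to the rule, e.g. `# network: needed by <importer backend> to fetch <what> — TODO confirm`, so a later reader can tell an intentional grant from a leftover. If the denial that prompted this was only name resolution, `network inet dgram,` plus the abstraction added on the line above may be sufficient and the stream rules should be re-checked against the actual log. The profile body continues beyond the hunk.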