diff --git a/PKGBUILD b/PKGBUILD index 829e3e64d..407ff648d 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -9,7 +9,7 @@ arch=("x86_64") url="https://github.com/roddhjav/$pkgname" license=('GPL2') depends=('apparmor') -makedepends=('go' 'git') +makedepends=('go' 'git' 'rsync' 'lsb-release') pkgver() { cd "$srcdir/$pkgname" diff --git a/apparmor.d/abstractions/file-browsing-strict b/apparmor.d/abstractions/file-browsing-strict deleted file mode 100644 index 277ca8917..000000000 --- a/apparmor.d/abstractions/file-browsing-strict +++ /dev/null @@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - deny @{PROC}/@{pid}/mountinfo r, - deny @{PROC}/@{pid}/mounts r, - - # Usually, apps shouldn't view this file - deny /etc/fstab r, - - deny /dev/disk/*/ r, - - include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc deleted file mode 100644 index f925ac27c..000000000 --- a/apparmor.d/abstractions/libvirt-lxc +++ /dev/null 
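Review bot: `rsync` and `lsb-release` are added to `makedepends=` only, which is correct only if both are used exclusively while building and packaging (for example by a `make install` step); if anything that `package()` installs shells out to `lsb_release` or `rsync` at runtime, they belong in `depends=` instead, otherwise the installed package is missing a runtime requirement. The `build()` and `package()` functions are outside this hunk, so which case applies cannot be confirmed from the page. A one-line comment above the assignment stating why each tool is needed, e.g. `# rsync/lsb-release: used by the Makefile install step only`, would make the intent checkable by the next reviewer.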
@@ -1,124 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) Libvirt Team -# Copyright (C) 2021 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - include - - # Allow receiving signals from libvirtd - signal (receive) peer=libvirtd, - - umount, - - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - - # allow tmpfs mounts everywhere - mount fstype=tmpfs, - - # allow mqueue mounts everywhere - mount fstype=mqueue, - - # allow fuse mounts everywhere - mount fstype=fuse.*, - - # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted - mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, - deny @{PROC}/sys/fs/** wklx, - - # allow efivars to be mounted, writing to it will be blocked though - mount fstype=efivarfs -> /sys/firmware/efi/efivars/, - - # block some other dangerous paths - deny @{PROC}/sysrq-trigger rwklx, - deny @{PROC}/mem rwklx, - deny @{PROC}/kmem rwklx, - - # deny writes in /sys except for /sys/fs/cgroup, also allow - # fusectl, securityfs and debugfs to be mounted there (read-only) - mount fstype=fusectl -> /sys/fs/fuse/connections/, - mount fstype=securityfs -> /sys/kernel/security/, - mount fstype=debugfs -> /sys/kernel/debug/, - mount fstype=proc -> /proc/, - mount fstype=sysfs -> /sys/, - deny /sys/firmware/efi/efivars/** rwklx, - deny /sys/kernel/security/** rwklx, - - # generated by: lxc-generate-aa-rules.py container-rules.base - deny /proc/sys/[^kn]*{,/**} wklx, - deny /proc/sys/k[^e]*{,/**} wklx, - deny /proc/sys/ke[^r]*{,/**} wklx, - deny /proc/sys/ker[^n]*{,/**} wklx, - deny /proc/sys/kern[^e]*{,/**} wklx, - deny /proc/sys/kerne[^l]*{,/**} wklx, - deny /proc/sys/kernel/[^smhd]*{,/**} wklx, - deny /proc/sys/kernel/d[^o]*{,/**} wklx, - deny /proc/sys/kernel/do[^m]*{,/**} wklx, - deny /proc/sys/kernel/dom[^a]*{,/**} wklx, - deny /proc/sys/kernel/doma[^i]*{,/**} wklx, - deny /proc/sys/kernel/domai[^n]*{,/**} wklx, - deny /proc/sys/kernel/domain[^n]*{,/**} wklx, - deny 
/proc/sys/kernel/domainn[^a]*{,/**} wklx, - deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, - deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, - deny /proc/sys/kernel/domainname?*{,/**} wklx, - deny /proc/sys/kernel/h[^o]*{,/**} wklx, - deny /proc/sys/kernel/ho[^s]*{,/**} wklx, - deny /proc/sys/kernel/hos[^t]*{,/**} wklx, - deny /proc/sys/kernel/host[^n]*{,/**} wklx, - deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, - deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, - deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, - deny /proc/sys/kernel/hostname?*{,/**} wklx, - deny /proc/sys/kernel/m[^s]*{,/**} wklx, - deny /proc/sys/kernel/ms[^g]*{,/**} wklx, - deny /proc/sys/kernel/msg*/** wklx, - deny /proc/sys/kernel/s[^he]*{,/**} wklx, - deny /proc/sys/kernel/se[^m]*{,/**} wklx, - deny /proc/sys/kernel/sem*/** wklx, - deny /proc/sys/kernel/sh[^m]*{,/**} wklx, - deny /proc/sys/kernel/shm*/** wklx, - deny /proc/sys/kernel?*{,/**} wklx, - deny /proc/sys/n[^e]*{,/**} wklx, - deny /proc/sys/ne[^t]*{,/**} wklx, - deny /proc/sys/net?*{,/**} wklx, - deny /sys/[^fdc]*{,/**} wklx, - deny /sys/c[^l]*{,/**} wklx, - deny /sys/cl[^a]*{,/**} wklx, - deny /sys/cla[^s]*{,/**} wklx, - deny /sys/clas[^s]*{,/**} wklx, - deny /sys/class/[^n]*{,/**} wklx, - deny /sys/class/n[^e]*{,/**} wklx, - deny /sys/class/ne[^t]*{,/**} wklx, - deny /sys/class/net?*{,/**} wklx, - deny /sys/class?*{,/**} wklx, - deny /sys/d[^e]*{,/**} wklx, - deny /sys/de[^v]*{,/**} wklx, - deny /sys/dev[^i]*{,/**} wklx, - deny /sys/devi[^c]*{,/**} wklx, - deny /sys/devic[^e]*{,/**} wklx, - deny /sys/device[^s]*{,/**} wklx, - deny /sys/devices/[^v]*{,/**} wklx, - deny /sys/devices/v[^i]*{,/**} wklx, - deny /sys/devices/vi[^r]*{,/**} wklx, - deny /sys/devices/vir[^t]*{,/**} wklx, - deny /sys/devices/virt[^u]*{,/**} wklx, - deny /sys/devices/virtu[^a]*{,/**} wklx, - deny /sys/devices/virtua[^l]*{,/**} wklx, - deny /sys/devices/virtual/[^n]*{,/**} wklx, - deny /sys/devices/virtual/n[^e]*{,/**} wklx, - deny 
/sys/devices/virtual/ne[^t]*{,/**} wklx, - deny /sys/devices/virtual/net?*{,/**} wklx, - deny /sys/devices/virtual?*{,/**} wklx, - deny /sys/devices?*{,/**} wklx, - deny /sys/f[^s]*{,/**} wklx, - deny /sys/fs/[^c]*{,/**} wklx, - deny /sys/fs/c[^g]*{,/**} wklx, - deny /sys/fs/cg[^r]*{,/**} wklx, - deny /sys/fs/cgr[^o]*{,/**} wklx, - deny /sys/fs/cgro[^u]*{,/**} wklx, - deny /sys/fs/cgrou[^p]*{,/**} wklx, - deny /sys/fs/cgroup?*{,/**} wklx, - deny /sys/fs?*{,/**} wklx, - - include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu deleted file mode 100644 index 26acd6056..000000000 --- a/apparmor.d/abstractions/libvirt-qemu +++ /dev/null 
@@ -1,258 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) Libvirt Team -# Copyright (C) 2021-2022 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - include - include - include - - # required for reading disk images - capability dac_override, - capability dac_read_search, - capability chown, - - # needed to drop privileges - capability setgid, - capability setuid, - - network inet stream, - network inet6 stream, - - ptrace (readby, tracedby) peer=libvirtd, - ptrace (readby, tracedby) peer=virtqemud, - - signal (receive) peer=libvirtd, - signal (receive) peer=virtqemud, - - /dev/kvm rw, - /dev/net/tun rw, - /dev/ptmx rw, - @{PROC}/*/status r, - # When qemu is signaled to terminate, it will read cmdline of signaling - # process for reporting purposes. Allowing read access to a process - # cmdline may leak sensitive information embedded in the cmdline. - @{PROC}/@{pid}/cmdline r, - # Per man(5) proc, the kernel enforces that a thread may - # only modify its comm value or those in its thread group. - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - @{PROC}/sys/kernel/cap_last_cap r, - @{PROC}/sys/vm/overcommit_memory r, - # detect hardware capabilities via qemu_getauxval - owner @{PROC}/*/auxv r, - # allow reading libnl's classid file - /etc/libnl{,-3}/classid r, - - # For hostdev access. The actual devices will be added dynamically - /sys/bus/usb/devices/ r, - /sys/devices/**/usb[0-9]*/** r, - # libusb needs udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb* r, - @{run}/udev/data/c16[6,7]* r, - @{run}/udev/data/c18[0,8,9]* r, - - # WARNING: this gives the guest direct access to host hardware and specific - # portions of shared memory. This is required for sound using ALSA with kvm, - # but may constitute a security risk. If your environment does not require - # the use of sound in your VMs, feel free to comment out or prepend 'deny' to - # the rules for files in /dev. 
- /dev/snd/* rw, - /{dev,run}/shm r, - /{dev,run}/shmpulse-shm* r, - /{dev,run}/shmpulse-shm* rwk, - capability ipc_lock, - # spice - owner /{dev,run}/shm/spice.* rw, - # 'kill' is not required for sound and is a security risk. Do not enable - # unless you absolutely need it. - deny capability kill, - - # Uncomment the following if you need access to /dev/fb* - #/dev/fb* rw, - - /etc/pulse/client.conf r, - @{HOME}/.pulse-cookie rwk, - owner /root/.pulse-cookie rwk, - owner /root/.pulse/ rw, - owner /root/.pulse/* rw, - /usr/share/alsa/** r, - owner /tmp/pulse-*/ rw, - owner /tmp/pulse-*/* rw, - /var/lib/dbus/machine-id r, - - # access to firmware's etc - /usr/share/AAVMF/** r, - /usr/share/bochs/** r, - /usr/share/edk2-ovmf/** rk, - /usr/share/kvm/** r, - /usr/share/misc/sgabios.bin r, - /usr/share/openbios/** r, - /usr/share/openhackware/** r, - /usr/share/OVMF/** rk, - /usr/share/ovmf/** rk, - /usr/share/proll/** r, - /usr/share/qemu-efi/** r, - /usr/share/qemu-kvm/** r, - /usr/share/qemu/** r, - /usr/share/seabios/** r, - /usr/share/sgabios/** r, - /usr/share/slof/** r, - /usr/share/vgabios/** r, - - # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) - /etc/pki/CA/ r, - /etc/pki/CA/* r, - /etc/pki/libvirt{,-spice,-vnc}/ r, - /etc/pki/libvirt{,-spice,-vnc}/** r, - /etc/pki/qemu/ r, - /etc/pki/qemu/** r, - - # the various binaries - /usr/bin/kvm rmix, - /usr/bin/kvm-spice rmix, - /usr/bin/qemu rmix, - /usr/bin/qemu-aarch64 rmix, - /usr/bin/qemu-alpha rmix, - /usr/bin/qemu-arm rmix, - /usr/bin/qemu-armeb rmix, - /usr/bin/qemu-cris rmix, - /usr/bin/qemu-i386 rmix, - /usr/bin/qemu-kvm rmix, - /usr/bin/qemu-m68k rmix, - /usr/bin/qemu-microblaze rmix, - /usr/bin/qemu-microblazeel rmix, - /usr/bin/qemu-mips rmix, - /usr/bin/qemu-mips64 rmix, - /usr/bin/qemu-mips64el rmix, - /usr/bin/qemu-mipsel rmix, - /usr/bin/qemu-mipsn32 rmix, - /usr/bin/qemu-mipsn32el rmix, - /usr/bin/qemu-or32 rmix, - /usr/bin/qemu-ppc rmix, - /usr/bin/qemu-ppc64 rmix, - 
/usr/bin/qemu-ppc64abi32 rmix, - /usr/bin/qemu-ppc64le rmix, - /usr/bin/qemu-s390x rmix, - /usr/bin/qemu-sh4 rmix, - /usr/bin/qemu-sh4eb rmix, - /usr/bin/qemu-sparc rmix, - /usr/bin/qemu-sparc32plus rmix, - /usr/bin/qemu-sparc64 rmix, - /usr/bin/qemu-system-aarch64 rmix, - /usr/bin/qemu-system-alpha rmix, - /usr/bin/qemu-system-arm rmix, - /usr/bin/qemu-system-cris rmix, - /usr/bin/qemu-system-hppa rmix, - /usr/bin/qemu-system-i386 rmix, - /usr/bin/qemu-system-lm32 rmix, - /usr/bin/qemu-system-m68k rmix, - /usr/bin/qemu-system-microblaze rmix, - /usr/bin/qemu-system-microblazeel rmix, - /usr/bin/qemu-system-mips rmix, - /usr/bin/qemu-system-mips64 rmix, - /usr/bin/qemu-system-mips64el rmix, - /usr/bin/qemu-system-mipsel rmix, - /usr/bin/qemu-system-moxie rmix, - /usr/bin/qemu-system-nios2 rmix, - /usr/bin/qemu-system-or1k rmix, - /usr/bin/qemu-system-or32 rmix, - /usr/bin/qemu-system-ppc rmix, - /usr/bin/qemu-system-ppc64 rmix, - /usr/bin/qemu-system-ppcemb rmix, - /usr/bin/qemu-system-riscv32 rmix, - /usr/bin/qemu-system-riscv64 rmix, - /usr/bin/qemu-system-s390x rmix, - /usr/bin/qemu-system-sh4 rmix, - /usr/bin/qemu-system-sh4eb rmix, - /usr/bin/qemu-system-sparc rmix, - /usr/bin/qemu-system-sparc64 rmix, - /usr/bin/qemu-system-tricore rmix, - /usr/bin/qemu-system-unicore32 rmix, - /usr/bin/qemu-system-x86_64 rmix, - /usr/bin/qemu-system-xtensa rmix, - /usr/bin/qemu-system-xtensaeb rmix, - /usr/bin/qemu-unicore32 rmix, - /usr/bin/qemu-x86_64 rmix, - # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) - /usr/{lib,lib64}/qemu/*.so mr, - /usr/lib/@{multiarch}/qemu/*.so mr, - - # let qemu load old shared objects after upgrades (LP: #1847361) - /{var/,}run/qemu/*/*.so mr, - # but explicitly deny writing to these files - audit deny /{var/,}run/qemu/*/*.so w, - - # swtpm - /{usr/,}bin/swtpm rmix, - /usr/{lib,lib64}/libswtpm_libtpms.so mr, - /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, - - # for save and resume - /{usr/,}bin/dash rmix, - 
/{usr/,}bin/dd rmix, - /{usr/,}bin/cat rmix, - - # for restore - /{usr/,}bin/bash rmix, - - # for usb access - /dev/bus/usb/ r, - /etc/udev/udev.conf r, - /sys/bus/ r, - /sys/class/ r, - - # for rbd - /etc/ceph/*.conf r, - - # Various functions will need to enumerate /tmp (e.g. ceph), allow the base - # dir and a few known functions like samba support. - # We want to avoid to give blanket rw permission to everything under /tmp, - # users are expected to add site specific addons for more uncommon cases. - # Qemu processes usually all run as the same users, so the "owner" - # restriction prevents access to other services files, but not across - # different instances. - # This is a tradeoff between usability and security - if paths would be more - # predictable that would be preferred - at least for write rules we would - # want more unique paths per rule. - /{,var/}tmp/ r, - owner /{,var/}tmp/**/ r, - - # for file-posix getting limits since 9103f1ce - /sys/devices/**/block/*/queue/max_segments r, - - # for ppc device-tree access - @{PROC}/device-tree/ r, - @{PROC}/device-tree/** r, - /sys/firmware/devicetree/** r, - - # allow connect with openGraphicsFD to work - unix (send, receive) type=stream addr=none peer=(label=libvirtd), - unix (send, receive) type=stream addr=none peer=(label=virtqemud), - - # for gathering information about available host resources - /sys/devices/system/cpu/ r, - /sys/devices/system/node/ r, - /sys/devices/system/node/node[0-9]*/meminfo r, - /sys/module/vhost/parameters/max_mem_regions r, - - # silence refusals to open lttng files (see LP: #1432644) - deny /dev/shm/lttng-ust-wait-* r, - deny @{run}/shm/lttng-ust-wait-* r, - - # for vfio hotplug on systems without static vfio (LP: #1775777) - /dev/vfio/vfio rw, - - # required for sasl GSSAPI plugin - /etc/gss/mech.d/ r, - /etc/gss/mech.d/* r, - - # required by libpmem init to fts_open()/fts_read() the symlinks in - # /sys/bus/nd/devices - / r, # harmless on any lsb compliant system - 
/sys/bus/nd/devices/{,**/} r, - - # required for QEMU accessing UEFI nvram variables - owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, - owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, - - include if exists diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 4bef4f556..3307131da 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -7,8 +7,8 @@ /var/lib/gdm/.cache/mesa_shader_cache/ rw, /var/lib/gdm/.cache/mesa_shader_cache/index rw, /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, - /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw, - /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk, + /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, + /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, @{sys}/devices/pci[0-9]*/**/revision r, @{sys}/devices/pci[0-9]*/**/config r, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index d63dd0c5d..b4f34d775 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -6,7 +6,7 @@ owner @{HOME}/.cache/qtshadercache/ rw, owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw, - owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache/@{hex} rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw, owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], 
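Review bot: The two rewritten rules in the qt5-shader-cache hunk disagree with each other: the `qtshadercache/` rule becomes `@{hex}` while the `qtshadercache-*-little_endian-*/` rule becomes `@{hex}*`, and the same pair of paths in the calibre hunk uses plain `@{hex}` for both. The definition of `@{hex}` is not on the page; if it already matches a whole hex string the trailing `*` is redundant, and if it does not, the first rule here and both calibre rules are now too narrow. One form should be used for all four, e.g. `owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex} rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],` if `@{hex}` is sufficient on its own.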
diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash.d/complete similarity index 100% rename from apparmor.d/abstractions/trash rename to apparmor.d/abstractions/trash.d/complete diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index cea565a1c..2733f1ec3 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -129,7 +129,7 @@ profile atom @{exec_path} { # The irq file is needed to render pages. deny @{sys}/devices/pci[0-9]*/**/irq r, - owner /tmp/atom-[0-9a-f]*.sock rw, + owner /tmp/atom-@{hex}.sock rw, owner "/tmp/Atom Crashes/" rw, owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw, owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw, diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index 087672091..f851720ec 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -91,9 +91,9 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index af1b4d05f..a7ba9cb87 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code 
@@ -109,8 +109,8 @@ profile code @{exec_path} { owner "/tmp/VSCode Crashes/" rw, owner /tmp/vscode-typescript[0-9]*/ rw, - owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw, - owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw, + owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw, + owner @{run}/user/@{uid}/vscode-git-askpass-@{hex}.sock rw, owner /tmp/vscode-ipc-@{uuid}.sock rw, # For installing extensions diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot index 99ba7358b..3c125dd3d 100644 --- a/apparmor.d/groups/apps/flameshot +++ b/apparmor.d/groups/apps/flameshot @@ -54,7 +54,7 @@ profile flameshot @{exec_path} { owner /tmp/.*/{,s} rw, owner /tmp/*= rw, - owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw, + owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw, deny owner @{PROC}/@{pid}/cmdline r, deny @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/apps/geany b/apparmor.d/groups/apps/geany index 1378c03ba..4fec00d46 100644 --- a/apparmor.d/groups/apps/geany +++ b/apparmor.d/groups/apps/geany @@ -51,7 +51,7 @@ profile geany @{exec_path} { owner @{user_config_dirs}/geany/{,**} rw, - owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw, + owner /{run/,}user/@{uid}/geany/geany_socket.@{hex} rw, # To read/write files in the system. The read permission is granted for all files, the write # permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in @@ -110,7 +110,7 @@ profile geany @{exec_path} { /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } diff --git a/apparmor.d/groups/apps/okular b/apparmor.d/groups/apps/okular index 96abdb7e0..f65c6f561 100644 --- a/apparmor.d/groups/apps/okular +++ b/apparmor.d/groups/apps/okular 
@@ -85,7 +85,7 @@ profile okular @{exec_path} { # Print to pdf /{usr/,}bin/ps2pdf rPUx, - owner /tmp/[0-9a-f]* rw, + owner /tmp/@{hex} rw, owner /tmp/#[0-9]*[0-9] rw, owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9], diff --git a/apparmor.d/groups/apps/spotify b/apparmor.d/groups/apps/spotify index 7ddec0ec2..1259e0f53 100644 --- a/apparmor.d/groups/apps/spotify +++ b/apparmor.d/groups/apps/spotify @@ -67,7 +67,7 @@ profile spotify @{exec_path} { /usr/share/X11/XErrorDB r, - owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + owner /tmp/@{hex}-@{hex}-@{hex}-@{hex} rw, # What's this for? #owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw, diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 00fa0bcdd..d20ff1181 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -59,8 +59,8 @@ profile telegram-desktop @{exec_path} { # Autostart owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - owner /tmp/[0-9a-f]*-* rwk, - owner @{run}/user/@{uid}/[0-9a-f]*-* rwk, + owner /tmp/@{hex}-* rwk, + owner @{run}/user/@{uid}/@{hex}-* rwk, /dev/shm/#[0-9]*[0-9] rw, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 867c76795..7fc6a53a7 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix (receive, send) type=stream peer=(label=apt-esm-json-hook), - dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*} + dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}} interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}}, dbus send bus=system path=/org/freedesktop/PackageKit diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 42e204136..57d7e1b08 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
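Review bot: In the spotify hunk, `owner /tmp/@{hex}-@{hex}-@{hex}-@{hex} rw,` has four hex groups, whereas the old glob `[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*` also matched five-group names because `*` matches `-`. If `@{hex}` is a pure hex pattern (its definition is not on the page) and the file Spotify creates is a UUID, this rule silently stops matching after the change and the write is denied. `@{uuid}` is already used by the code and firefox-minidump-analyzer hunks on this page, so `owner /tmp/@{uuid} rw,` (or an explicit five-group form) is probably the intended tightening; confirming against a real file name from a denial log would settle it.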
@@ -170,7 +170,7 @@ profile synaptic @{exec_path} { /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 7765ad89c..f2421d3af 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -200,7 +200,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix{,-wayland}-[0-9]*} r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r, owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 1359d53f2..683f27a9b 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -39,8 +39,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw, - owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/[0-9a-f]*" rw, - owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/@{hex}" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw, owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw, @@ -53,7 +53,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/[0-9a-f]*.{dmp,extra} rw, + owner /tmp/@{hex}.{dmp,extra} rw, owner /tmp/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, 
diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 497c22fef..77963126a 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -22,14 +22,14 @@ profile firefox-minidump-analyzer @{exec_path} { owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw, - owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw, owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw, owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r, - owner /tmp/[0-9a-f]*.{dmp,extra} rw, + owner /tmp/@{hex}.{dmp,extra} rw, owner /tmp/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper index 2c02babd7..504f9bea4 100644 --- a/apparmor.d/groups/bus/dbus-daemon-launch-helper +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper @@ -19,9 +19,10 @@ profile dbus-daemon-launch-helper @{exec_path} { @{exec_path} mr, /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx, + /{usr/,}lib/cups-pk-helper-mechanism rPx, /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx, /{usr/,}lib/software-properties/software-properties-dbus rPx, - + /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, /usr/share/dbus-1/{,**} r, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 9e3ebd25c..1ee1bdb07 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf 
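Review bot: In the dbus-daemon-launch-helper hunk, the added `/{usr/,}lib/cups-pk-helper-mechanism rPx,` requests a transition to a profile found by path; unless the `cups-pk-helper-mechanism` profile's `@{exec_path}` also covers `/{usr/,}lib/cups-pk-helper-mechanism`, no profile attaches to that path and the exec is denied at runtime. That profile is not part of this diff, so this cannot be confirmed from the page and should be checked before merging. The hunk also replaces one blank line with another (whitespace-only churn), which is better left out of a rule change so the diff shows only the permission that was added.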
@@ -24,10 +24,10 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /etc/dconf/db/ibus r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, - /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, + owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r, + /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, + /var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9]* r, /var/lib/gdm/.cache/dconf/ w, /var/lib/gdm/.cache/dconf/user rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index eacefcd16..f03a11dc4 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -19,8 +19,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, + /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, + /var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9] r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 29c689e90..74283f55f 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} { /etc/machine-id r, /var/lib/gdm{3,}/.config/ibus/bus/ r, - /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, + /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 2438a72a3..c3d8437de 100644 --- a/apparmor.d/groups/bus/ibus-portal 
+++ b/apparmor.d/groups/bus/ibus-portal @@ -26,7 +26,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /var/lib/gdm/.config/ibus/bus/ r, - /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, + /var/lib/gdm/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, owner /dev/tty[0-9]* rw, /dev/null rw, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index ee1c9726d..b9e927d20 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -23,10 +23,10 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index 674732276..059df5a33 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/plymouth profile plymouth @{exec_path} { include + include unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"), diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 2518c5794..f4cbcc34e 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio 
@@ -34,105 +34,78 @@ profile pulseaudio @{exec_path} { network bluetooth stream, network bluetooth seqpacket, - dbus (send) - bus=session - path=/Client0/EntryGroup[0-9]* - interface=org.freedesktop.Avahi.EntryGroup - member={GetState,AddService,AddServiceSubtype,Commit} - peer=(name=org.freedesktop.Avahi), + dbus send bus=session path=/Client0/EntryGroup[0-9]* + interface=org.freedesktop.Avahi.EntryGroup + member={GetState,AddService,AddServiceSubtype,Commit} + peer=(name=org.freedesktop.Avahi), - dbus (receive) - bus=session - path=/Client0/EntryGroup[0-9]* - interface=org.freedesktop.Avahi.EntryGroup - member=StateChanged - peer=(name=org.freedesktop.Avahi), + dbus receive bus=session path=/Client0/EntryGroup[0-9]* + interface=org.freedesktop.Avahi.EntryGroup + member=StateChanged + peer=(name=org.freedesktop.Avahi), - dbus (send) - bus=session - path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), - dbus (receive) - bus=session - path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,RequestName,ReleaseName} - peer=(name=:*), + dbus receive bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,RequestName,ReleaseName} + peer=(name=:*), - dbus (receive) - bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect, - dbus (bind) - bus=session - name=org.freedesktop.ReserveDevice[0-9].Audio[0-9], + dbus bind bus=session + name=org.freedesktop.ReserveDevice[0-9].Audio[0-9], - dbus (bind) - bus=session - name=org.PulseAudio[0-9], + dbus bind bus=session + name=org.PulseAudio[0-9], - dbus (bind) - bus=session - name=org.pulseaudio*, + dbus bind bus=session + 
name=org.pulseaudio*, - dbus (send) - bus=system - path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch} - peer=(name=org.freedesktop.DBus), + dbus send bus=system + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus), - dbus (send) - bus=system - path=/org/freedesktop/RealtimeKit[0-9] - member={Get,MakeThreadHighPriority,MakeThreadRealtime} - peer=(name=org.freedesktop.RealtimeKit[0-9]), + dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9] + member={Get,MakeThreadHighPriority,MakeThreadRealtime} + peer=(name=org.freedesktop.RealtimeKit[0-9]), - dbus (send) - bus=system - path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=org.bluez), + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=org.bluez), - dbus (send) - bus=system - path=/ - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.Avahi), + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi), - dbus (send) - bus=system - path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,EntryGroupNew} - peer=(name=org.freedesktop.Avahi), + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,EntryGroupNew} + peer=(name=org.freedesktop.Avahi), - dbus (receive) - bus=system - path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=org.freedesktop.Avahi), + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=org.freedesktop.Avahi), - dbus (send) - bus=system - path=/ - interface=org.freedesktop.hostname[0-9] - member=Get - peer=(name=/org/freedesktop/hostname[0-9]), + dbus send bus=system path=/ + interface=org.freedesktop.hostname[0-9] + 
member=Get + peer=(name=/org/freedesktop/hostname[0-9]), - dbus (send) - bus=system - path=/org.freedesktop.hostname[0-9] - interface=org.freedesktop.DBus.Prope - member=Get - peer=(name=/org/freedesktop/hostname[0-9]), + dbus send bus=system path=/org.freedesktop.hostname[0-9] + interface=org.freedesktop.DBus.Prope + member=Get + peer=(name=/org/freedesktop/hostname[0-9]), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 2b00fa8e8..f4a74d09d 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/update-mime-database profile update-mime-database @{exec_path} { include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index bbc1eee60..139a09699 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -69,7 +69,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-daemon rPx, @{HOME}/.Xauthority r, - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, } diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index d6ddceae4..9d96d6b07 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -61,7 +61,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-daemon rPx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index c2ea3fc3c..1ee885928 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings 
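Review bot: The last rewritten rule keeps `interface=org.freedesktop.DBus.Prope`, a truncated interface name that can never match a real call; it should read `interface=org.freedesktop.DBus.Properties`. That rule and the one before it also use `path=/org.freedesktop.hostname[0-9]` and `peer=(name=/org/freedesktop/hostname[0-9])`, i.e. a bus-name-shaped object path and a path-shaped peer name; the systemd-hostnamed hunk further down uses `path=/org/freedesktop/hostname[0-9]` and bus name `org.freedesktop.hostname[0-9]`, so these should become `path=/org/freedesktop/hostname[0-9]` and `peer=(name=org.freedesktop.hostname[0-9])`. Since these lines are being reformatted anyway, fixing them here avoids carrying dead rules forward; if they are dead on purpose, drop them instead of restyling them.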
+++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -64,7 +64,7 @@ profile xdg-settings @{exec_path} { /{usr/,}bin/dbus-daemon rPx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index ef99ad71f..1d4ac9913 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -31,6 +31,12 @@ profile evolution-calendar-factory @{exec_path} { interface=org.freedesktop.NetworkManager member={CheckPermissions,StateChanged}, + dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**} + interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*}, + + dbus bind bus=session + name=org.gnome.evolution.dataserver.Calendar[0-9], + @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 6362ac80b..ad23994fc 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -49,6 +49,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.login[0-9].Manager member={SessionNew,PrepareForShutdown,SessionRemoved}, + dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**} + interface={org.freedesktop.DBus.{Properties,Introspectable},org.gnome.SessionManager}, + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + peer=(name=:org.freedesktop.systemd1), + + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core + interface=org.gnome.Mutter.IdleMonitor + member=AddIdleWatch + peer=(name=:*), + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=GetActive + peer=(name=:*), + @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rix, @@ -57,6 +74,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/mkdir rix, /{usr/,}bin/touch rix, /{usr/,}bin/gsettings rix, + /{usr/,}bin/gsettings-data-convert rix, /{usr/,}bin/session-migration rix, /{usr/,}bin/xdg-user-dirs-gtk-update rix, @{libexec}/gnome-session-check-accelerated rix, 
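Review bot: The new systemd1 rule uses `peer=(name=:org.freedesktop.systemd1)`; a leading colon denotes a unique connection name such as `:1.23`, so this well-known name will never match and the calls the rule was meant to allow stay denied. It should read `peer=(name=org.freedesktop.systemd1)`, matching the other well-known peer names in this profile. The same rule carries no `member=`, so once fixed it grants every method on `org.freedesktop.systemd1.Manager`; the other three new rules each name a member, and this one should too if only specific calls are needed.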
@@ -124,22 +142,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/applications/mimeinfo.cache r, owner @{user_share_dirs}/session_migration-ubuntu r, - owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, - owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, - owner @{run}/user/@{uid}/systemd/notify w, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, + owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, + owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, + owner @{run}/user/@{uid}/systemd/notify w, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{sys}/devices/**/{vendor,device} r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/cmdline r, + @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid r, /dev/tty rw, /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 3a8d278b6..1ff379b48 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -150,13 +150,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.cache/ w, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/ibus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/ rw, - /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, + /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, /var/lib/gdm{3,}/.config/pulse/ r, /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rwk, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index c4614b70d..9167de2fc 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -11,6 +11,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, 
@@ -25,8 +26,26 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { dbus bind bus=system name=com.redhat.PrinterDriversInstaller, + dbus (send,receive) bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + peer=(name=:*), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*), + @{exec_path} mr, + owner /tmp/[a-z0-9]* rw, + + owner @{PROC}/@{pid}/cgroup r, + owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index ce6051e18..4102052d6 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -41,7 +41,7 @@ profile tracker-miner @{exec_path} { /var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk, /var/lib/gdm{3,}/greeter-dconf-defaults r, - owner /var/tmp/etilqs_[0-9a-f]* rw, + owner /var/tmp/etilqs_@{hex} rw, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 4bf35cbd5..31a90ffc9 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
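Review bot: `owner /tmp/[a-z0-9]* rw,` grants read/write to any user-owned file in `/tmp` whose name starts with a lowercase letter or digit, which covers most of the directory rather than whatever temp file gsd-printer actually creates. Narrow it to the observed name pattern from the denial log, or if the name is genuinely random add a comment stating that so the width is a documented decision, e.g. `# gsd-printer temp files have no fixed prefix — TODO narrow once the name pattern is confirmed`. The three new dbus rules stay within the profile's existing conventions; only the `/tmp` rule widens access beyond the program's own objects.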
@@ -25,53 +25,53 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{user_projects_dirs}/**/{.,}gnupg/ rw, owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, - owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw, owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/sshcontrol r, owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner 
@{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, - owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw, owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/.gnupg/sshcontrol r, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/ rw, - owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw, owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/gnupg/sshcontrol r, owner /tmp/tmp.*/gnupg/ rw, owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, - owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, owner /tmp/tmp.*/gnupg/sshcontrol r, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index fc3b7da55..81b02003c 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -21,9 +21,9 @@ profile gpg-connect-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, + owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw, + owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, include if exists } diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index cce44eee5..0ca97d327 100644 
--- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -46,6 +46,7 @@ profile mullvad-gui @{exec_path} { /var/lib/dbus/machine-id r, owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk, + owner @{user_share_dirs}/gvfs-metadata/* r, owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index ed8fe89c6..be5b456ee 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -18,6 +18,8 @@ profile networkd-dispatcher @{exec_path} { /{usr/,}bin/ r, /{usr/,}bin/networkctl rPx, + /etc/networkd-dispatcher/{,**} r, + @{run}/systemd/notify rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/groups/pacman/aurpublish similarity index 100% rename from apparmor.d/profiles-a-f/aurpublish rename to apparmor.d/groups/pacman/aurpublish diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index f754f9fa2..ff1aa886a 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -24,11 +24,11 @@ profile bootctl @{exec_path} { /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw, + /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw, + /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw, + /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, /{boot,efi}/loader/.#entries.srel* w, /{boot,efi}/loader/{,**} r, /{boot,efi}/loader/entries.srel w, 
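Review bot: In the networkd-dispatcher hunk, `/etc/networkd-dispatcher/{,**} r,` grants read only, yet the program's purpose is to run the hook scripts kept in this tree; unless an exec rule for them exists outside this hunk the hooks will be denied. If they are expected to run, the rule should carry the chosen transition with a comment recording the choice, e.g. `/etc/networkd-dispatcher/*.d/* rix, # hooks run under this profile` (constructed example; `ix` means the hooks inherit networkd-dispatcher's permissions rather than getting their own). The enclosing profile body continues outside the hunk.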
@@ -47,7 +47,7 @@ profile bootctl @{exec_path} { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 7fadbcf75..5bf16d3b7 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -26,13 +26,13 @@ profile coredumpctl @{exec_path} flags=(complain) { owner /var/tmp/coredump-* rw, - /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r, + /var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r, + /{run,var}/log/journal/@{hex}/ r, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex}/system.journal* r, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, owner @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 1768c1afe..a8527160b 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl 
@@ -34,12 +34,12 @@ profile journalctl @{exec_path} { /var/lib/systemd/catalog/.#database* rw, /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/system.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, - owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*, - owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw, + /{run,var}/log/journal/@{hex}/ r, + /{run,var}/log/journal/@{hex}/system.journal* r, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, + owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*, + owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw, owner /var/tmp/#[0-9]* rw, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 40fcb4c8f..7006a77f5 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) { # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r, + /{run,var}/log/journal/@{hex}/ r, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex}/system.journal* r, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, @{run}/systemd/netif/links/[0-9]* r, @{run}/systemd/netif/state r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index b37d8f5d9..811559924 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump 
@@ -26,11 +26,10 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/* r, - /{usr/,}sbin/* r, @{libexec}/** r, - /opt/** r, / r, + /{usr/,}{s,}bin/* r, + /opt/** r, /etc/systemd/coredump.conf r, @@ -38,15 +37,15 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/coredump/#[0-9]* rwl, owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*, - owner @{PROC}/@{pid}/setgroups r, - @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/limits r, - @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/[0-9]* r, + @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/setgroups r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 4a3f945fc..d282b0a80 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -26,8 +26,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { peer=(name=org.freedesktop.PolicyKit1), dbus receive bus=system path=/org/freedesktop/hostname[0-9] - interface=org.freedesktop.DBus.Properties - member={Get,GetAll,SetHostname}, + interface=org.freedesktop.{DBus.Properties,hostname1} + member={Get,GetAll,SetHostname} + peer=(name=:*), dbus bind bus=system name=org.freedesktop.hostname[0-9], diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 26efae512..71d8cb14b 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
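Review bot: The rewritten systemd-hostnamed receive rule mixes conventions: `path=/org/freedesktop/hostname[0-9]` uses the digit class while `interface=org.freedesktop.{DBus.Properties,hostname1}` hard-codes `hostname1`, and the bind rule below uses `name=org.freedesktop.hostname[0-9]`. For consistency within the profile write `interface=org.freedesktop.{DBus.Properties,hostname[0-9]}`. The alternation also cross-multiplies members and interfaces (`Properties.SetHostname`, `hostname1.GetAll`); those members do not exist so nothing extra is granted, but splitting into one rule per interface would make the intended pairs explicit. The systemd-coredump hunks earlier on this line only reorder and merge existing rules.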
@@ -30,11 +30,11 @@ profile systemd-journald @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/[0-9a-f]*/ rw, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/system.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/fss rw, + /{run,var}/log/journal/@{hex}/ rw, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex}/system.journal* rw, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{hex}/fss rw, owner @{run}/systemd/journal/{,**} rw, owner @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 4b9646942..d97be763e 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -39,6 +39,11 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { interface=org.freedesktop.DBus.Properties member=Get, + dbus send bus=system path=/org/freedesktop/network[0-9]/link/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus), + dbus bind bus=system name=org.freedesktop.network1, @@ -55,6 +60,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, + @{run}/systemd/notify rw, owner @{run}/systemd/netif/.#state rw, owner @{run}/systemd/netif/.#state* rw, owner @{run}/systemd/netif/leases/.#* rw, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 7dd0eb071..f8663cb31 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
@@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { include + include include include @@ -20,6 +21,9 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + dbus bind bus=system + name=org.freedesktop.timesync1, + @{exec_path} mr, /etc/adjtime r, @@ -34,19 +38,5 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify rw, - # dbus-stricter - @{run}/dbus/system_bus_socket rw, - - dbus send - bus=system - path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,RequestName} - peer=(name=org.freedesktop.DBus), - - dbus bind - bus=system - name=org.freedesktop.timesync1, - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 8a443243b..5339e99fd 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -14,7 +14,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { /{usr/,}{s,}bin/dumpe2fs rPx, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,}awk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/cat rix, /{usr/,}bin/cut rix, /{usr/,}bin/date rix, @@ -37,6 +37,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{sys}/devices/virtual/block/**/ r, @{sys}/devices/virtual/block/**/autoclear r, @{sys}/devices/virtual/block/**/backing_file r, + @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index bfdcd25e0..971dda22b 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
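Review bot: The third systemd-timesyncd hunk removes the explicit `dbus send ... member={Hello,RequestName} peer=(name=org.freedesktop.DBus)` rule and `@{run}/dbus/system_bus_socket rw,` while the second hunk keeps `dbus bind bus=system name=org.freedesktop.timesync1`; the bind only works if the abstraction added in the first hunk (its name is stripped in this rendering) supplies the bus socket and the Hello/RequestName calls. Worth confirming that it does, and that it does not grant more than the two removed rules did, since the profile otherwise trades an enumerated grant for whatever the abstraction contains. The `# dbus-stricter` comment went away with the rules; a comment next to the bind such as `# bus socket and Hello/RequestName come from the included dbus abstraction` keeps the intent visible.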
@@ -31,12 +31,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/, mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, mount -> /tmp/ctd-volume[0-9]*/, mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid}, - umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/, umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, umount /tmp/ctd-volume[0-9]*/, umount @{run}/netns/cni-@{uuid}, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 757786889..3fbe0542a 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -22,8 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=containerd, ptrace (read) peer=unconfined, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/, + mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, 
@@ -34,12 +34,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { /tmp/pty[0-9]*/pty.sock rw, @{run}/containerd/{,containerd.sock.ttrpc} rw, - @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw, - @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw, - @{run}/containerd/s/{,[0-9a-f]*} rw, + @{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/[0-9]*/@{hex}-{stdin,stdout,stderr} rw, + @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/@{hex}/{,*} rw, + @{run}/containerd/s/{,@{hex}} rw, - @{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw, - @{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw, + @{run}/docker/containerd/@{hex}/@{hex}-{stdin,stdout,stderr} rw, + @{run}/docker/containerd/@{hex}/init-{stdin,stdout,stderr} rw, @{run}/docker/containerd/daemon/io.containerd.*/{,**} rw, @{run}/secrets/kubernetes.io/serviceaccount/*/token w, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 1a5e667e3..097aa2ec9 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -61,7 +61,7 @@ profile k3s @{exec_path} { /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft, @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, - /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix, + /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r, /usr/share/mime/globs2 r, @@ -145,7 +145,7 @@ profile k3s @{exec_path} { @{sys}/devices/virtual/block/*/** r, @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, + @{sys}/devices/virtual/net/cali@{hex}/{address,mtu,speed} r, @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/fs/cgroup/{,*,*/} r, 
diff --git a/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc b/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc deleted file mode 100644 index e43636474..000000000 --- a/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) Libvirt Team -# Copyright (C) 2021 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# This profile is for the container whose UUID matches this file. - -abi , - -include - -profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { - include - include - - # Globally allows everything to run under this profile - # These can be narrowed depending on the container's use. - file, - capability, - network, -} diff --git a/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu b/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu deleted file mode 100644 index 79f9f8ced..000000000 --- a/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu +++ /dev/null @@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) Libvirt Team -# Copyright (C) 2021 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# This profile is for the VM whose UUID matches this file. - -abi , - -include - -profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { - include - include - include - include -} diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper new file mode 100644 index 000000000..43c8199f4 --- /dev/null +++ b/apparmor.d/groups/virt/virt-aa-helper 
@@ -0,0 +1,68 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) Libvirt Team +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/libvirt/virt-aa-helper +profile virt-aa-helper @{exec_path} { + include + include + + capability dac_override, + capability dac_read_search, + + network inet, + network inet6, + + @{exec_path} mr, + + /{usr/,}{s,}bin/apparmor_parser rPx, + + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-@{uuid} rw, + + /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file + + # System VM images + /var/lib/libvirt/images/{,**} r, + /var/lib/nova/instances/_base/* r, + + # User VM images + @{user_share_dirs}/ r, + @{user_share_dirs}/libvirt/{,**} r, + @{user_vm_dirs}/{,**} r, + + # For virt-sandbox + @{run}/libvirt/**/[sv]d[a-z] r, + + @{sys}/bus/usb/devices/ r, + @{sys}/devices/ r, + @{sys}/devices/** r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/psched r, + @{PROC}/filesystems r, + deny @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/status r, + + # For gl enabled graphics + /dev/dri/{,*} r, + + # For hostdev + deny /dev/dasd* r, + deny /dev/dm-* r, + deny /dev/drbd[0-9]* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, + deny /dev/nvme* r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/zd[0-9]* r, + + include if exists + include if exists +} diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 103c4ed96..1f8b7f015 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log 
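Review bot: `capability dac_override,`, `capability dac_read_search,` and the `network inet,`/`network inet6,` lines carry no comment, and neither does the block of `deny /dev/…` rules under `# For hostdev`, so a reader cannot tell which rules are functional requirements and which only silence audit noise. For the capabilities a comment such as `# read VM images owned by other users when generating the per-domain profile (to be confirmed)` would record the presumed reason, and the hostdev block would benefit from `# explicit denies: silence audit entries from block-device probing during hostdev resolution` if that is indeed why they are there. `/var/lib/nova/instances/_base/* r,` also deserves a one-word `# OpenStack Nova` tag, and since the include targets are lost in this rendering I could not check what the abstractions already grant. Note that `/etc/apparmor.d/libvirt/libvirt-@{uuid} rw,` followed by `/{usr/,}{s,}bin/apparmor_parser rPx,` is the helper's write-then-load path, which is exactly why the rest of this profile should stay as tight as it is.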
@@ -29,9 +29,9 @@ profile aa-log @{exec_path} { /etc/machine-id r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r, - /{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r, + /{run,var}/log/journal/@{hex}/ r, + /{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r, + /{run,var}/log/journal/@{hex}/user-@{uid}.journal r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/cap_last_cap r, diff --git a/apparmor.d/profiles-a-f/anki b/apparmor.d/profiles-a-f/anki index ad78d0a0b..43497f364 100644 --- a/apparmor.d/profiles-a-f/anki +++ b/apparmor.d/profiles-a-f/anki @@ -55,9 +55,9 @@ profile anki @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], /usr/share/anki/{,**} r, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index df4b007b6..ab8f5d95c 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -43,8 +43,8 @@ profile claws-mail @{exec_path} flags=(complain) { owner @{HOME}/.claws-mail/** rwl -> @{HOME}/.claws-mail/**, owner /tmp/claws-mail-[0-9]*/ rw, - owner /tmp/claws-mail-[0-9]*/[0-9a-f]* rw, - owner /tmp/claws-mail-[0-9]*/[0-9a-f]*.lock rwk, + owner /tmp/claws-mail-[0-9]*/@{hex} rw, + owner /tmp/claws-mail-[0-9]*/@{hex}.lock rwk, owner /var/mail/* rwk, 
diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh new file mode 100644 index 000000000..676bbcb13 --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-beh @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/beh +profile cups-backend-beh @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf new file mode 100644 index 000000000..24211196d --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-brf @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/cups-brf +profile cups-backend-brf @{exec_path} { + include + + capability setuid, + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd new file mode 100644 index 000000000..cfc987c51 --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-dnssd @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/dnssd +profile cups-backend-dnssd @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass new file mode 100644 index 000000000..4311b10b1 --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass 
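Review bot: `capability setuid,` in cups-backend-brf is the only capability among the three backends on this line and has no comment; if the brf backend switches to the job owner's uid before processing, say so (`# cups-brf drops to the job's user before filtering — to be confirmed`), because an unexplained setuid grant in a root-run backend is the first thing a later reader will question. All three new files, and the other cups-backend-* files in this commit, end with `\ No newline at end of file`, unlike the existing profiles; add the trailing newline. The dnssd backend presumably discovers printers through avahi-daemon; unless the single `include` (target lost in this rendering) is an abstraction that grants that access, the profile will need the Avahi D-Bus or socket rules that cups-browsed declares explicitly further down.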
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/implicitclass +profile cups-backend-implicitclass @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp new file mode 100644 index 000000000..ddf6834bf --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-ipp @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/ipp +profile cups-backend-ipp @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd new file mode 100644 index 000000000..eec56070e --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-lpd @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/lpd +profile cups-backend-lpd @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel new file mode 100644 index 000000000..b0318f02e --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-parallel 
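Review bot: cups-backend-ipp and cups-backend-lpd grant file access only, yet both backends talk to the printer over TCP (IPP and LPD respectively); unless the single `include` line — whose target is lost in this rendering — pulls in an abstraction with network rules, job submission will be denied and each profile needs `network inet stream,` and `network inet6 stream,` (ipp also resolves printer names, so a nameservice abstraction and `dgram` are probably required too). The same applies to cups-backend-socket later in this commit, which drives raw TCP port printers. Whatever the outcome, a one-line comment per backend naming its transport would make the absence or presence of network rules self-explanatory.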
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/parallel +profile cups-backend-parallel @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf new file mode 100644 index 000000000..fa5863459 --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-pdf @@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/cups-pdf +profile cups-backend-pdf @{exec_path} { + include + include + include + include + + capability chown, + capability setgid, + capability setuid, + capability dac_override, + + unix peer=(label=cupsd), + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/gs rix, + /{usr/,}bin/gsc rix, + /{usr/,}lib/ghostscript/** mr, + + /usr/share/ghostscript/{,**} r, + + /etc/papersize r, + /etc/cups/ r, + /etc/cups/cups-pdf.conf r, + /etc/cups/ppd/*.ppd r, + + /var/log/cups/cups-pdf*_log w, + /var/spool/cups-pdf/{,**} rw, + /var/spool/cups/** r, + /var/tmp/gs_* rw, + + /dev/tty rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial new file mode 100644 index 000000000..33264531a --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-serial 
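Review bot: `/{usr/,}bin/gs rix,` and `/{usr/,}bin/gsc rix,` run the Ghostscript interpreter inside this profile, so the process that parses job content supplied by print clients inherits `capability chown,`, `setgid,`, `setuid,`, `dac_override,` plus write access to `/var/spool/cups-pdf/{,**}` and `/var/log/cups/cups-pdf*_log`. A child profile keeps those out of the interpreter's reach: transition with `rCx -> gs` and give the child only what rendering needs (sketched below as a starting point to be completed from audit logs). `/dev/tty rw,` also needs a comment explaining why a print backend opens a terminal, and the `{,ba,da}sh rix` line is presumably for the post-processing hook, which a comment should state.

```apparmor
  /{usr/,}bin/gs rCx -> gs,
  /{usr/,}bin/gsc rCx -> gs,
  # … unchanged: remaining cups-backend-pdf rules …

  profile gs {
    include <abstractions/base>
    include <abstractions/fonts>

    /{usr/,}bin/gs mr,
    /{usr/,}bin/gsc mr,
    /{usr/,}lib/ghostscript/** mr,

    /usr/share/ghostscript/{,**} r,
    /etc/papersize r,

    /var/spool/cups-pdf/{,**} rw,
    /var/spool/cups/** r,
    /var/tmp/gs_* rw,
  }
```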
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/serial +profile cups-backend-serial @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp new file mode 100644 index 000000000..40f2e03ec --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-snmp @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/snmp +profile cups-backend-snmp @{exec_path} { + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + /etc/cups/snmp.conf r, + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket new file mode 100644 index 000000000..8c66d634f --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-socket @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/socket +profile cups-backend-socket @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb new file mode 100644 index 000000000..e6c568008 --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-backend-usb 
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups/backend/usb +profile cups-backend-usb @{exec_path} { + include + include + + network netlink raw, + + @{exec_path} mr, + + /usr/share/cups/usb/{,**} r, + + /etc/cups/ppd/*.ppd r, + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed new file mode 100644 index 000000000..2dbef344e --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-browsed 
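Review bot: cups-backend-usb has `network netlink raw,` for libusb's hotplug monitoring but no rule for the device nodes themselves; the backend opens the printer under `/dev/bus/usb/`, so unless the second `include` (target lost in this rendering) is an abstraction that grants it, printing will be denied and the profile needs `/dev/bus/usb/ r,`, `/dev/bus/usb/[0-9]*/ r,` and `/dev/bus/usb/[0-9]*/[0-9]* rw,`. libusb also enumerates `@{sys}/bus/usb/devices/` and reads per-device attributes under `@{sys}/devices/`, which virt-aa-helper in this commit covers with `@{sys}/bus/usb/devices/ r,` and `@{sys}/devices/** r,`; whichever subset the audit log shows is needed here should be added with a `# libusb enumeration` comment.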
@@ -0,0 +1,69 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/cups-browsed +profile cups-browsed @{exec_path} { + include + include + include + include + include + + capability net_bind_service, + capability sys_nice, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,ServiceBrowserNew}, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi), + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi), + + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member={AllForNow,CacheExhausted}, + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.{DBus.Properties,NetworkManager} + member={CheckPermissions,PropertiesChanged,StateChanged,DeviceAdded}, + + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged, + + @{exec_path} mr, + + /usr/share/cups/locale/{,**} r, + /usr/share/locale/{,**} r, + + /etc/cups/{,**} r, + + /var/cache/cups/{,**} rw, + /var/log/cups/{,**} rw, + + @{run}/cups/certs/* r, + + include if exists +} diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism new file mode 100644 index 000000000..ef7ce21f1 --- /dev/null +++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism 
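Review bot: The first Avahi send rule (`dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew},`) has no `peer=(name=org.freedesktop.Avahi)` constraint while the Ping and Free rules beside it do; add it so the rule matches only the Avahi daemon rather than any service exposing that interface on `/`. `/var/log/cups/{,**} rw,` also grants write access to cupsd's own access, error and page logs; cups-browsed writes a single file there (presumably `/var/log/cups/cups-browsed_log`), so a rule naming that file would be the least-privilege form, and `/var/cache/cups/{,**} rw,` likewise looks wider than the cache the daemon maintains. cups-browsed submits queue changes to cupsd over `@{run}/cups/cups.sock`; since the include targets are stripped in this rendering I could not see whether an abstraction covers that socket.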
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cups-pk-helper-mechanism +@{exec_path} += /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism +@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism +profile cups-pk-helper-mechanism @{exec_path} { + include + include + include + + capability dac_read_search, + capability sys_nice, + + dbus receive bus=system path=/ + interface=org.opensuse.CupsPkHelper.Mechanism, + + dbus bind bus=system + name=org.opensuse.CupsPkHelper.Mechanism, + + @{exec_path} mr, + + /etc/cups/ppd/*.ppd r, + + owner /tmp/[a-z0-9]* rw, + + @{run}/cups/cups.sock rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd new file mode 100644 index 000000000..6ccb2338f --- /dev/null +++ b/apparmor.d/profiles-a-f/cupsd 
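Review bot: `owner /tmp/[a-z0-9]* rw,` is the broadest rule in the profile and has no comment saying which files it is for; a mechanism that runs as root and accepts D-Bus requests from any session should name the temp files it creates (presumably PPD copies handed to cupsd — to be confirmed) so the glob can be narrowed to that pattern. `capability dac_read_search,` also lacks a why-comment; `# read PPD files supplied by unprivileged callers (to be confirmed)` would record the presumed reason. The `dbus receive` rule on `path=/ interface=org.opensuse.CupsPkHelper.Mechanism` deliberately has no peer constraint because authorization is delegated to polkit, and a one-line comment saying so prevents a later reviewer from "tightening" it by mistake.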
@@ -0,0 +1,90 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +include + +@{exec_path} = /{usr/,}{s,}bin/cupsd +profile cupsd @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + capability audit_write, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability net_admin, + capability net_bind_service, + capability setgid, + capability setuid, + capability wake_alarm, + + network inet stream, + network inet6 stream, + + network appletalk dgram, + network ash dgram, + network ax25 dgram, + network bluetooth, + network econet dgram, + network ipx dgram, + network netrom seqpacket, + network rose dgram, + network x25 seqpacket, + + dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/cups_*} + interface=org.freedesktop.ColorManager{,.*} + member={CreateProfile,CreateDevice,FindDeviceById,AddProfile} + peer=(name=org.freedesktop.ColorManager), + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gsc rix, + /{usr/,}bin/hostname rix, + /{usr/,}bin/ippfind rix, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/smbspool rPx, + /{usr/,}bin/xz rix, + /{usr/,}lib/cups/backend/* rPx, + /{usr/,}lib/cups/cgi-bin/*.cgi rix, + /{usr/,}lib/cups/daemon/* rix, + /{usr/,}lib/cups/driver/* rix, + /{usr/,}lib/cups/filter/* rix, + /{usr/,}lib/cups/monitor/* rix, + /{usr/,}lib/cups/notifier/* rix, + + /usr/share/cups/{,**} r, + /usr/share/ppd/{,**} r, + /usr/share/ghostscript/{,**} r, + + /etc/cups/{,**} rw, + /etc/foomatic/* r, + /etc/papersize r, + /etc/pnm2ppa.conf r, + /etc/printcap rwl, + + /var/cache/cups/ rw, + /var/cache/cups/** rwk, + /var/log/cups/{,*} rw, + /var/spool/cups/{,**} rw, + + @{run}/cups/{,**} rw, + @{run}/systemd/notify w, + + @{sys}/module/apparmor/parameters/enabled r, + + @{PROC}/@{pids}/fd r, + owner 
@{PROC}/@{pid}/mounts r, + + /dev/tty rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index e63a799ab..a0771b1ee 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -49,10 +49,10 @@ profile deltachat-desktop @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner /tmp/[0-9a-f]*/ rw, - owner /tmp/[0-9a-f]*/db.sqlite-blobs/ rw, - owner /tmp/[0-9a-f]*/db.sqlite rwk, - owner /tmp/[0-9a-f]*/db.sqlite-journal rw, + owner /tmp/@{hex}/ rw, + owner /tmp/@{hex}/db.sqlite-blobs/ rw, + owner /tmp/@{hex}/db.sqlite rwk, + owner /tmp/@{hex}/db.sqlite-journal rw, @{PROC}/ r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 2c889eccd..2984b0e58 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script 
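Review bot: `/{usr/,}lib/cups/filter/* rix,` together with `/{usr/,}lib/cups/cgi-bin/*.cgi rix,`, `/{usr/,}lib/cups/daemon/* rix,`, `/{usr/,}bin/gsc rix,` and `/{usr/,}bin/python3.[0-9]* rix,` runs every filter and CGI — the code that parses print-job data submitted by clients — inside cupsd's own profile, with its full capability list and `/etc/cups/{,**} rw,`. Backends already get `rPx`; filters deserve at least a child profile limited to the filter binaries, the share directories, the PPDs and the spool, as I recall Debian's upstream cupsd profile does with its `third_party` child (a starting point is sketched below, to be completed from audit logs). Separately, `@{PROC}/@{pids}/fd r,` is missing the trailing slash a directory read needs (compare `owner @{PROC}/@{pid}/fd/ r,` in the needrestart hunk of this commit), and `@{pids}` rather than `@{pid}` covers every process on the system. This hunk begins on the previous line, where the profile header is.

```apparmor
  /{usr/,}lib/cups/filter/* rCx -> filter,
  # … unchanged: remaining cupsd rules …

  profile filter {
    include <abstractions/base>

    /{usr/,}lib/cups/filter/* mr,
    /{usr/,}bin/gsc rix,
    /{usr/,}lib/ghostscript/** mr,

    /usr/share/cups/{,**} r,
    /usr/share/ghostscript/{,**} r,
    /etc/cups/ppd/*.ppd r,
    /etc/papersize r,

    /var/spool/cups/{,**} rw,
    /var/cache/cups/** rwk,
  }
```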
@@ -14,88 +14,60 @@ profile dhclient-script @{exec_path} { include include + capability net_admin, capability sys_admin, - - # Needed? - audit deny capability sys_module, + audit capability sys_module, @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh mrix, + /{usr/,}{s,}bin/ddclient rPx, + /{usr/,}{s,}bin/sysctl rix, + /{usr/,}bin/{,ba,da}sh mrix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/chown rix, + /{usr/,}bin/chronyc rPUx, + /{usr/,}bin/date rix, + /{usr/,}bin/fold rix, + /{usr/,}bin/head rix, + /{usr/,}bin/hostname rix, + /{usr/,}bin/ip rix, + /{usr/,}bin/logger rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/paste rix, + /{usr/,}bin/ping rPx, + /{usr/,}bin/printenv rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/sed rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/xxd rix, + /{usr/,}sbin/resolvconf rPx, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/ping rPx, - /{usr/,}bin/chronyc rPUx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}sbin/resolvconf rPx, - - # To remove the following error: - # /sbin/dhclient-script: 133: hostname: Permission denied - /{usr/,}bin/hostname rix, - - # To read scripts - /etc/dhcp/ r, - /etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r, - - # For debug script - /{usr/,}bin/date rix, - /etc/dhcp/debug r, - owner /tmp/dhclient-script.debug rw, - - # For ddclient script - /{usr/,}{s,}bin/ddclient rPx, - /etc/default/ddclient r, - /{usr/,}bin/logger rix, - - # For samba script - /{usr/,}bin/mv rix, - /etc/samba/dhcp.conf{,.new} rw, - # For netbios name servers settings from a DHCP server - /var/lib/samba/dhcp.conf{,.new} rw, - - # Many scripts may use the ip tool - capability net_admin, - /{usr/,}bin/ip rix, - - # For loadbalance + /etc/default/ddclient r, + /etc/dhcp/{,**} r, + /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, - owner @{PROC}/@{pid}/loginuid r, - - # For updating the /etc/resolv.conf file - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm 
rix, - /{usr/,}bin/chown rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/sed rix, - /etc/fstab r, - /etc/resolv.conf.dhclient-new.@{pid} rw, /etc/resolv.conf rw, + /etc/resolv.conf.dhclient-new.@{pid} rw, + /etc/samba/dhcp.conf{,.new} rw, - # For stable-privacy addresses - /{usr/,}{s,}bin/sysctl rix, - /{usr/,}bin/head rix, - /{usr/,}bin/xxd rix, - /{usr/,}bin/paste rix, - /{usr/,}bin/fold rix, - /{usr/,}bin/tr rix, - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + /var/lib/dhcp/dhclient.leases r, + /var/lib/samba/dhcp.conf{,.new} rw, - # For printing env - /{usr/,}bin/printenv rix, + owner /tmp/dhclient-script.debug rw, owner /tmp/variables.txt w, - # For ntpd/ntpsec + @{run}/chrony-dhcp/ rw, @{run}/systemd/netif/leases/ r, - # For chrony - @{run}/chrony-dhcp/ rw, - - # file_inherit - /var/lib/dhcp/dhclient.leases r, - @{sys}/devices/virtual/dmi/id/board_vendor r, + owner @{PROC}/@{pid}/loginuid r, + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + profile run-parts { include diff --git a/apparmor.d/profiles-a-f/losetup b/apparmor.d/profiles-a-f/losetup new file mode 100644 index 000000000..41a5958e5 --- /dev/null +++ b/apparmor.d/profiles-a-f/losetup @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/losetup +profile losetup @{exec_path} { + include + + capability dac_override, + capability dac_read_search, + + unix (receive) type=stream, + + @{exec_path} mr, + + @{sys}/devices/system/cpu/possible r, + + /dev/loop-control rw, + /dev/loop[0-9]* rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index ac9ffba17..f361e8df4 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git 
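Review bot: `audit capability sys_module,` replaces `audit deny capability sys_module,` and the old `# Needed?` comment is dropped without a replacement, so the hunk silently turns a denied capability into a granted one for a root script whose environment is populated from DHCP server replies. If the only trigger is kernel module autoload when `ip`/`sysctl` touch a not-yet-loaded feature, write that down (`# sys_module: module autoload triggered by ip/sysctl, not explicit module loading`), and if the deny never actually broke anything in practice it was the safer default. The reorganisation otherwise looks right — `ddclient`, `ping` and `resolvconf` keep their own profiles via `rPx` — but the per-script comments (`# For samba script`, `# For stable-privacy addresses`, …) that explained why each tool is listed are lost; a header comment naming the hook scripts these rules serve would keep that knowledge. The profile body begins before this hunk and the `run-parts` child profile continues after it.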
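Review bot: The losetup profile has `/dev/loop-control rw,` and `/dev/loop[0-9]* rw,` but no rule for the backing file, which losetup opens itself before handing the descriptor to the kernel, so attaching an image will be denied unless the `include` (target lost in this rendering) provides it; `losetup -a`/`-l` additionally read loop attributes from sysfs as far as I recall, leaving `losetup -d` as the only operation fully covered here. Since the tool is usually invoked by other confined programs, decide whether this should stay a standalone profile with a deliberately scoped backing-file rule (constructed example: `owner /var/lib/**.{img,iso} r,`) or whether callers should use `rix`/child profiles instead. The two `capability` lines also lack why-comments.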
@@ -11,9 +11,9 @@ include @{exec_path} += /{usr/,}bin/git-* @{exec_path} += /{usr/,}lib/git-core/git @{exec_path} += /{usr/,}lib/git-core/git-* -@{exec_path} += /usr/libexec/git-core/git -@{exec_path} += /usr/libexec/git-core/git-* -@{exec_path} += /usr/libexec/git-core/mergetools/* +@{exec_path} += @{libexec}/git-core/git +@{exec_path} += @{libexec}/git-core/git-* +@{exec_path} += @{libexec}/git-core/mergetools/* profile git @{exec_path} { include include @@ -167,8 +167,9 @@ profile git @{exec_path} { /etc/vimrc r, /etc/vim/{,**} r, - owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, + owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/.git/[0-9]* rw, + owner @{user_projects_dirs}/**/.git/*MSG rw, owner @{HOME}/.fzf/plugin/ r, owner @{HOME}/.fzf/plugin/fzf.vim r, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index a8008aff1..aad4a3c0b 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -40,7 +40,7 @@ profile gpo @{exec_path} { /etc/inputrc r, - owner /var/tmp/etilqs_[0-9a-f]* rw, + owner /var/tmp/etilqs_@{hex} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index ccfad1668..6a8a65ee4 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -46,7 +46,7 @@ profile gpodder @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner /var/tmp/etilqs_[0-9a-f]* rw, + owner /var/tmp/etilqs_@{hex} rw, /etc/mime.types r, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 8adee824a..cdb3c20ca 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -76,7 +76,7 @@ profile gsmartcontrol @{exec_path} { /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } 
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index d4f74177b..71dc7ece9 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -132,10 +132,10 @@ profile hw-probe @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/[0-9a-f]*/ rw, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/system.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, + /{run,var}/log/journal/@{hex}/ rw, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex}/system.journal* rw, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader index 06eb5fee9..cafeb2dab 100644 --- a/apparmor.d/profiles-g-l/jdownloader +++ b/apparmor.d/profiles-g-l/jdownloader @@ -51,7 +51,7 @@ profile jdownloader @{exec_path} { owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw, owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, - owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw, + owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw, owner @{HOME}/.java/.userPrefs/.user.lock.* rwk, owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw, owner @{HOME}/.java/fonts/[0-9]*/ rw, diff --git a/apparmor.d/profiles-g-l/jdownloader-install b/apparmor.d/profiles-g-l/jdownloader-install index 9bf9a3b2e..f714676d0 100644 --- a/apparmor.d/profiles-g-l/jdownloader-install +++ b/apparmor.d/profiles-g-l/jdownloader-install 
@@ -48,7 +48,7 @@ profile jdownloader-install @{exec_path} { owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/*.so mrw, owner @{JD_SH_PATH}/install4jError[0-9]*.log rw, - owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw, + owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw, owner @{HOME}/.java/.userPrefs/.user.lock.* rwk, owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw, owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw, diff --git a/apparmor.d/profiles-g-l/kscreenlocker-greet b/apparmor.d/profiles-g-l/kscreenlocker-greet index f3195cdf8..39d5df212 100644 --- a/apparmor.d/profiles-g-l/kscreenlocker-greet +++ b/apparmor.d/profiles-g-l/kscreenlocker-greet @@ -43,9 +43,9 @@ profile kscreenlocker-greet @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{user_cache_dirs}/plasma-svgelements-default_v* r, diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid index e9ba32da7..507e9c9f4 100644 --- a/apparmor.d/profiles-g-l/linssid +++ b/apparmor.d/profiles-g-l/linssid @@ -103,7 +103,7 @@ profile linssid @{exec_path} { /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } 
diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance index 3c03b63fd..1f8dd52e4 100644 --- a/apparmor.d/profiles-g-l/lxappearance +++ b/apparmor.d/profiles-g-l/lxappearance @@ -59,7 +59,7 @@ profile lxappearance @{exec_path} { /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 5701e0c93..22bee6fb4 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -60,9 +60,9 @@ profile minitube @{exec_path} { owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 48d55c090..b5ef4cf29 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui 
@@ -80,7 +80,7 @@ profile mkvtoolnix-gui @{exec_path} { owner @{user_cache_dirs}/bunkus.org/ rw, owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/ rw, owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw, - owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/[0-9a-f]* rw, + owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw, owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 02f53ffae..0fe5da82d 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -38,6 +38,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/needrestart/iucode-scan-versions rPx, /usr/share/debconf/frontend rix, + /{usr/,}bin/networkd-dispatcher r, /{usr/,}bin/gettext.sh r, /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, @@ -47,15 +48,18 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /etc/needrestart/*.d/* rix, /etc/shadow r, + /boot/ r, + /boot/vmlinuz* r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 8072c7993..976e6b7e0 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -10,6 +10,7 @@ include profile needrestart-apt-pinvoke @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 05a758b92..f20a8e3d8 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox 
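Review bot: `/boot/ r,` and `/boot/vmlinuz* r,` in the second needrestart hunk are new read rules with no comment; needrestart reads the installed kernel image to compare its version with the running kernel, and `# kernel check: compare installed vmlinuz with the running kernel` would record that. The first needrestart hunk adds `/{usr/,}bin/networkd-dispatcher r,` between a `rix` line and the `gettext.sh r` line; a short comment that the script is read, not executed, presumably for interpreter detection, would explain why a binary under `bin` gets `r` only. Moving `owner @{PROC}/@{pid}/fd/ r,` below the `@{PROC}/@{pids}/*` rules is a pure reorder. Both hunks sit inside the needrestart profile, which starts before and ends after them.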
@@ -35,7 +35,7 @@ profile openbox @{exec_path} { owner @{user_config_dirs}/openbox/ r, owner @{user_config_dirs}/openbox/* r, - owner @{user_config_dirs}/obmenu-generator/icons/[0-9a-f]*.png r, + owner @{user_config_dirs}/obmenu-generator/icons/@{hex}.png r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/openbox/ rw, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 372c5f83a..f074e1b11 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -82,7 +82,7 @@ profile psi @{exec_path} { /etc/fstab r, - owner /var/tmp/etilqs_[0-9a-f]* rw, + owner /var/tmp/etilqs_@{hex} rw, owner /tmp/#[0-9]*[0-9] rw, owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9], diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 6834f1976..1d6bb1e62 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -82,7 +82,7 @@ profile psi-plus @{exec_path} { /etc/fstab r, - owner /var/tmp/etilqs_[0-9a-f]* rw, + owner /var/tmp/etilqs_@{hex} rw, owner /tmp/#[0-9]*[0-9] rw, owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9], diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 21309be91..1d39cc94e 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -235,7 +235,7 @@ profile qbittorrent @{exec_path} { # file_inherit owner @{MOUNTS}/torrent/** r, - owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw, + owner @{MOUNTS}/torrent/**.@{hex}.parts rw, owner "@{MOUNTS}/torrent/**.!qB" rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 4bb66130e..cf2b3acfa 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi 
@@ -109,7 +109,7 @@ profile qnapi @{exec_path} { owner /tmp/#[0-9]*[0-9] rw, owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw, owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/[0-9a-f]*.@{qnapi_txt_ext} rw, + owner /tmp/@{hex}.@{qnapi_txt_ext} rw, owner /tmp/*.@{qnapi_txt_ext} rw, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 451ae1976..951a3db5e 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -75,7 +75,7 @@ profile qpdfview @{exec_path} { /usr/share/hwdata/pnp.ids r, # Print - owner /tmp/[0-9a-f]* rw, + owner /tmp/@{hex} rw, # Save as owner /tmp/#[0-9]*[0-9] rw, diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index 34323ba8f..5d6548632 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -60,7 +60,7 @@ profile qtox @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw, + owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw, @{sys}/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so @{sys}/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index fe08acabe..417d6ecc9 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager 
@@ -58,9 +58,9 @@ profile rpi-imager @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 78f2424e2..6b055f718 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -29,7 +29,7 @@ profile scrcpy @{exec_path} { /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sddm b/apparmor.d/profiles-s-z/sddm index 6a6005671..1f2055896 100644 --- a/apparmor.d/profiles-s-z/sddm +++ b/apparmor.d/profiles-s-z/sddm 
@@ -193,10 +193,10 @@ profile sddm @{exec_path} { owner @{HOME}/.Xauthority-n rw, owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n, - owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w, - owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c, - owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw, - owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n, + owner @{run}/sddm/\{@{uuid}\}-c w, + owner @{run}/sddm/\{@{uuid}\}-l wl -> @{run}/sddm/\{@{uuid}\}-c, + owner @{run}/sddm/\{@{uuid}\}-n rw, + owner @{run}/sddm/\{@{uuid}\} rwl -> @{run}/sddm/\{@{uuid}\}-n, } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 524c33381..42bb30791 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -86,7 +86,7 @@ profile steam @{exec_path} { @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{setup,run}.sh rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{amd64,i386}/usr/bin/* rix, - @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib/**.so* mr, + @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/**.so* mr, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper.sh rix, @@ -131,7 +131,7 @@ profile steam @{exec_path} { owner /dev/shm/#[0-9]* rw, owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw, - owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw, + owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, 
@@ -140,6 +140,7 @@ profile steam @{exec_path} {
 owner /tmp/sh-thd.* rw,
 owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
 owner /tmp/miles_image_* mrw,
+ owner /tmp/runtime-info.txt.* rw,
 @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+sound* r,
@@ -147,7 +148,7 @@ profile steam @{exec_path} {
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
- @{run}/udev/data/c241:[0-9]* r,
+ @{run}/udev/data/c24[0-9]:[0-9]* r,
 @{run}/udev/data/n[0-9]* r,
 @{sys}/ r,
@@ -167,6 +168,9 @@ profile steam @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
 @{sys}/devices/system/cpu/** r,
 @{sys}/devices/system/node/ r,
+ @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r,
+ @{sys}/devices/virtual/dmi/id/product_{name,version} r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/net/*/ r,
 @{sys}/devices/virtual/tty/tty[0-9]/active r,
 @{sys}/kernel/ r,
@@ -176,6 +180,7 @@ profile steam @{exec_path} {
 @{PROC}/@{pids}/comm rk,
 @{PROC}/@{pids}/net/route r,
 @{PROC}/@{pids}/stat r,
+ @{PROC}/1/cgroup r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
 @{PROC}/sys/kernel/sched_autogroup_enabled r,
 @{PROC}/sys/kernel/unprivileged_userns_clone r,
@@ -193,7 +198,9 @@ profile steam @{exec_path} {
 owner @{PROC}/@{pid}/task/@{tid}/status r,
 /dev/input/ r,
+ /dev/input/event[0-9]* r,
 /dev/tty rw,
+ /dev/uinput w,
 audit deny /**.steam_exec_test.sh rw,
diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize
index 452f29a1c..8b3236796 100644
--- a/apparmor.d/profiles-s-z/steam-fossilize
+++ b/apparmor.d/profiles-s-z/steam-fossilize
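Review bot: `@{run}/udev/data/c24[0-9]:[0-9]* r` widens the old `c241` line to ten character-device majors without saying which device class it is for, while the neighbouring `c13` and `c116` lines each carry a comment. Majors around 240 are in the kernel's dynamically assigned range, so the exact number varies between machines, which is presumably why the glob was widened; that reasoning should be recorded so the next reviewer does not narrow it back, e.g. `@{run}/udev/data/c24[0-9]:[0-9]* r, # dynamically allocated char major, exact number varies per system`. The enclosing steam profile starts and ends outside this hunk.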
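Review bot: `/dev/input/event[0-9]* r` and `/dev/uinput w` are the two most capable rules added in this hunk and neither carries a comment: read access to every evdev node lets the confined process observe raw keyboard and mouse events, and write access to `/dev/uinput` lets it create virtual input devices, both bounded only by DAC on the device nodes rather than by this profile. They are presumably needed for Steam Input's virtual controller, but that intent should be stated next to the rules, e.g. `/dev/input/event[0-9]* r, # raw evdev access, needed by Steam Input` and `/dev/uinput w, # virtual controller creation via uinput`, so a later audit can tell a deliberate grant from an accidental one. The profile body continues outside this hunk.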
@@ -21,7 +21,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.steam/steam.pipe r, - owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/fozpipelinesv[0-9]*/{,*} rw, + owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/fozpipelinesv[0-9]*/{,**} rw, owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/mesa_shader_cache_sf/{,**} rwk, owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/ rw, owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/** rwk, diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 65b78b491..e5885ce26 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -162,7 +162,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner /dev/shm/#[0-9]* rw, owner /dev/shm/mono.* rw, - owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw, + owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/wine-*-fsync rw, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index c59845280..affe238d1 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -41,7 +41,7 @@ profile steam-gameoverlayui @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw, + owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, diff --git a/apparmor.d/profiles-s-z/steam-reaper b/apparmor.d/profiles-s-z/steam-reaper index 2d2f71709..30953a570 100644 --- a/apparmor.d/profiles-s-z/steam-reaper +++ b/apparmor.d/profiles-s-z/steam-reaper 
@@ -17,6 +17,7 @@ profile steam-reaper @{exec_path} { @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*.so* mr, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib/**.so* mr, + @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rpx -> steam-game, @{user_share_dirs}/Steam/steamapps/common/*/* rpx -> steam-game, @@ -25,7 +26,7 @@ profile steam-reaper @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw, - owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw, + owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, include if exists diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 9d04457b4..a00d4bfc8 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -89,7 +89,7 @@ profile strawberry @{exec_path} { owner /tmp/#[0-9]*[0-9] rw, owner /tmp/*= w, - owner /var/tmp/etilqs_[0-9a-f]* rw, + owner /var/tmp/etilqs_@{hex} rw, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index eff48ef02..b2c3960f2 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -28,7 +28,7 @@ profile tint2 @{exec_path} { # Tint2 cache files owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/tint2/ rw, - owner @{user_cache_dirs}/tint2/[0-9a-f]*.png w, + owner @{user_cache_dirs}/tint2/@{hex}.png w, owner @{user_cache_dirs}/tint2/icon.cache rwk, # Launcher config files diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index ada94a64d..e5716a992 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf 
@@ -28,7 +28,7 @@ profile tint2conf @{exec_path} { owner @{user_config_dirs}/tint2/ r, owner @{user_config_dirs}/tint2/* rw, - owner @{user_cache_dirs}/tint2/[0-9a-f]*.png r, + owner @{user_cache_dirs}/tint2/@{hex}.png r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index 65764fb03..161876a4b 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -40,7 +40,7 @@ profile update-ca-certificates @{exec_path} { /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt{,.new} rw, /etc/ssl/certs/*.pem rw, - /etc/ssl/certs/[0-9a-f]*.[0-9] rw, + /etc/ssl/certs/@{hex}.[0-9] rw, /{usr/,}lib/locale/locale-archive r, diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 377581d29..659a5833e 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -88,9 +88,9 @@ profile vidcutter @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, 
@@ -107,7 +107,7 @@ profile vidcutter @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, - owner /tmp/vidcutter-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]* w, + owner /tmp/vidcutter-@{uuid} w, owner /tmp/#[0-9]*[0-9] rw, owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9], owner /tmp/vidcutter/{,*} rw, diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis index 86a2075a0..d55a83c0e 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/profiles-s-z/whereis @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,31 +14,29 @@ profile whereis @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}{local/,}{s,}bin/ r, - /{usr/,}lib/go-*/bin/ r, + /{usr/,}{local/,}{s,}bin/{,*/} r, /{usr/,}{local/,}games/ r, + /{usr/,}lib/go-*/bin/ r, - /etc/ r, - + @{libexec}/ r, /{usr/,}lib{,32,64}/ r, - /usr/local/{,etc/,lib/} r, + /usr/{local/,}{,etc/,lib/} r, /usr/include/ r, /usr/share/ r, /usr/share/info/{**,} r, /usr/share/man/{**,} r, /usr/src/{**,} r, - @{libexec}/ r, - /opt/ r, /opt/cni/bin/ r, /opt/containerd/bin/ r, /snap/bin/ r, + /var/lib/flatpak/exports/bin/ r, - owner @{HOME}/{.local/,}/{.,}bin/ r, owner @{HOME}/.krew/bin/ r, - owner @{HOME}/go/bin/ r, + owner @{HOME}/{.,}go/bin/ r, + owner @{HOME}/{.local/,}{.,}bin/ r, include if exists } diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a8b69fd90..c88f709d0 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,6 +14,8 @@ profile whiptail @{exec_path} flags=(complain) { @{exec_path} mr, + /etc/newt/palette.ubuntu r, + owner /tmp/gpm* w, include if exists 
diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend
index 5f4c09cfd..dcb7759d1 100644
--- a/apparmor.d/tunables/extend
+++ b/apparmor.d/tunables/extend
@@ -7,10 +7,10 @@
 # All apparmor profiles should always use the variables defined here.
 # Universally unique identifier
-@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
+@{uuid}=[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*
 # Hexadecimal
-@{hex}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]
+@{hex}=[0-9a-fA-F]*
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide
index 0825db141..a5efad206 100644
--- a/debian/apparmor.d.hide
+++ b/debian/apparmor.d.hide
@@ -2,3 +2,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 /etc/apparmor.d/usr.bin.man
+/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
+/etc/apparmor.d/usr.sbin.cups-browsed
+/etc/apparmor.d/usr.sbin.cupsd
+/etc/apparmor.d/usr.sbin.libvirtd
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 88f0c6c1e..804f7d4ab 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -21,6 +21,21 @@ cockpit-ssh complain
 cockpit-tls complain
 cockpit-ws complain
 cockpit-wsinstance-factory complain
+cups-backend-beh complain
+cups-backend-brf complain
+cups-backend-dnssd complain
+cups-backend-implicitclass complain
+cups-backend-ipp complain
+cups-backend-lpd complain
+cups-backend-parallel complain
+cups-backend-pdf complain
+cups-backend-serial complain
+cups-backend-snmp complain
+cups-backend-socket complain
+cups-backend-usb complain
+cups-browsed complain
+cups-pk-helper-mechanism complain
+cupsd attach_disconnected,complain
 dkms attach_disconnected,complain
 downloadhelper complain
 e2fsck complain
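Review bot: The new `@{hex}=[0-9a-fA-F]*` is far looser than the "Hexadecimal" comment above it suggests, because in AppArmor path globbing `*` means "any run of characters except `/`", not "repeat the preceding class": the variable now matches any name that merely begins with a hex digit, so a rule such as qpdfview's `owner /tmp/@{hex} rw` permits writes to most files in /tmp, and `@{uuid}` likewise only checks that five dash-separated parts start with a hex digit. Profiles in this diff that previously spelled `[0-9a-f]*` by hand lose nothing, but any existing user of the old eight-digit definition is silently widened by this one-line change. I would keep a length-pinned form alongside the prefix form, e.g. `@{h}=[0-9a-fA-F]` and `@{hex8}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}`, and reword the comment to `# Hexadecimal prefix: '*' is a glob, so this matches any name starting with a hex digit` so profile authors do not mistake it for a strict hex match.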
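Review bot: `cupsd attach_disconnected,complain`, `cups-browsed complain` and the backend entries put every new cups profile in complain mode, while `debian/apparmor.d.hide` in the same commit hides the distribution's `usr.sbin.cupsd` and `usr.sbin.cups-browsed` profiles. If those packaged profiles were enforcing on the target system, installing this package moves cupsd and cups-browsed from enforced to audit-only until these flags are dropped, which is a confinement regression worth stating explicitly rather than leaving implicit across two files. A comment next to the entries would do, e.g. `# cups-*: replace the distro profiles hidden in debian/apparmor.d.hide; still complain, promote to enforce before release`, or alternatively keep the upstream profiles unhidden until the replacements are enforced.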