diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index d4b7e7916..5ddcf7132 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -10,6 +10,7 @@ /dev/bus/usb/[0-9]*/[0-9]* rw, @{sys}/class/ r, + @{sys}/class/usbmisc/ r, @{sys}/bus/ r, @{sys}/bus/usb/ r, @@ -21,3 +22,4 @@ @{run}/udev/data/+usb:* r, @{run}/udev/data/c16[6,7]* r, @{run}/udev/data/c18[0,8,9]* r, + @{run}/udev/data/c8[0-9]:[0-9]* r, diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index bc642d18c..eff81bf2f 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -15,6 +15,9 @@ @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, + # SSD Nvme devices + @{sys}/devices/pci[0-9]*/**/nvme/nvme[0-9]*/{,**} r, + # SD card devices /dev/mmcblk[0-9]* rk, /dev/mmcblk[0-9]*p[0-9]* rk, @@ -68,6 +71,7 @@ @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b259:[0-9]* r, @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 301fea3a0..3c09fbeec 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -15,6 +15,10 @@ @{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r, @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r, + # SSD Nvme devices + /dev/nvme[0-9]* rwk, + @{sys}/devices/pci[0-9]*/**/nvme/nvme[0-9]*/{,**} r, + # SD card devices /dev/mmcblk[0-9]* rwk, /dev/mmcblk[0-9]*p[0-9]* rwk, 
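Review bot: The new `@{run}/udev/data/c8[0-9]:[0-9]* r,` in the second devices-usb hunk is the only udev rule in that block without a `# for /dev/...` comment, and its glob spans character majors 80–89, which is not a USB range (81 is video4linux, 89 is i2c-dev; the USB majors the block already lists are 166/167 and 180/188/189). If the denial came from a USB camera's `/dev/video*` node, `@{run}/udev/data/c81:[0-9]* r, # for /dev/video*` states the intent and does not also admit i2c-dev records; if a different major triggered it, the comment should name it.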
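Review bot: The NVMe addition to disks-read covers only sysfs (`@{sys}/devices/pci[0-9]*/**/nvme/nvme[0-9]*/{,**} r,`) and adds no rule for the device nodes, while the SD-card block directly below it grants `/dev/mmcblk[0-9]* rk,`. A profile that includes this abstraction to read an NVMe disk will still be denied on `/dev/nvme0n1`; mirroring the mmcblk pattern with `/dev/nvme[0-9]*n[0-9]*{,p[0-9]*} rk,` keeps read access to namespace and partition block devices without exposing the controller node. The `@{run}/udev/data/b259:[0-9]* r,` line in the file's second hunk also lacks the `# for /dev/...` annotation its neighbours carry; `# for /dev/nvme*n* (blkext)` would match the existing style.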
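Review bot: `/dev/nvme[0-9]* rwk,` in disks-write matches the controller character device (`/dev/nvme0`) as well as the namespace block devices (`/dev/nvme0n1`), and write/ioctl access on the controller node is what admin commands such as format and firmware download go through, which is more than a disk-writing abstraction should hand to every consumer. Restrict it to namespaces and partitions the way the mmcblk rules do: `/dev/nvme[0-9]*n[0-9]*{,p[0-9]*} rwk,`. A consumer that genuinely needs the controller node can get it in its own profile with a comment saying why.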
@@ -68,6 +72,7 @@ @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices + @{run}/udev/data/b259:[0-9]* r, @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk* @{run}/udev/data/b11:[0-9]* r, # for /dev/sr* diff --git a/apparmor.d/abstractions/gtk b/apparmor.d/abstractions/gtk index d2936046d..334c95cd4 100644 --- a/apparmor.d/abstractions/gtk +++ b/apparmor.d/abstractions/gtk @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -29,6 +30,7 @@ owner @{user_config_dirs}/gtk-3.0/settings.ini r, owner @{user_config_dirs}/gtk-3.0/bookmarks r, owner @{user_config_dirs}/gtk-3.0/gtk.css r, + owner @{user_config_dirs}/gtk-3.0/colors.css r, # for gtk file dialog owner @{user_config_dirs}/gtk-2.0/ rw, diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 759081eea..773e71fcf 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -19,6 +19,7 @@ profile child-systemctl { include capability sys_ptrace, + capability net_admin, ptrace (read), diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 87b8003de..2444d93ba 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
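Review bot: `capability net_admin,` in child-systemctl is a broad grant for a profile that exists only to run systemctl, and the hunk does not record what triggered it. In systemd binaries the usual source of a CAP_NET_ADMIN denial is the `SO_RCVBUFFORCE`/`SO_SNDBUFFORCE` probe used when enlarging a socket buffer, which falls back to the unprivileged variant when refused; if that is the case here, `deny capability net_admin,` silences the audit noise without granting anything. Whichever form stays, a comment on the line such as `# SO_RCVBUFFORCE probe, not required` would save the next reviewer from rediscovering it.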
@@ -17,7 +18,11 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, + network inet dgram, + network netlink raw, + @{exec_path} mr, + /{usr/,}lib/systemd/system-environment-generators/* rix, /{usr/,}bin/pager rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager, @@ -35,6 +40,7 @@ profile systemd-analyze @{exec_path} { @{sys}/fs/cgroup/{,**} r, @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw, + @{sys}/fs/cgroup/unified/**/init.scope/ rw, @{sys}/firmware/acpi/tables/FPDT r, @{sys}/module/**/uevent r, @@ -50,6 +56,13 @@ profile systemd-analyze @{exec_path} { /usr/ r, /etc/default/locale r, + /etc/locale.conf r, + + @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + + /dev/tty rw, + /dev/pts/1 rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index ef7522c7c..563166aaa 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -21,6 +22,9 @@ profile systemd-hostnamed @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/virtual/dmi/id/uevent r, + + @{run}/udev/data/+dmi:id r, /etc/hostname rw, /etc/.#hostname* rw, diff --git a/apparmor.d/groups/systemd/systemd-journalctl b/apparmor.d/groups/systemd/systemd-journalctl index bf00c1731..a6d734e9e 100644 --- a/apparmor.d/groups/systemd/systemd-journalctl +++ b/apparmor.d/groups/systemd/systemd-journalctl 
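Review bot: `/dev/pts/1 rw,` in the last systemd-analyze hunk hard-codes a single pseudo-terminal number, so the rule only works in the terminal that was open when the denial was collected and fails on any other pts. Use the conventional `owner /dev/pts/[0-9]* rw,`, which also prevents the profile from writing to another user's terminal; the `/dev/tty rw,` line above it is fine as is.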
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,6 +14,8 @@ profile systemd-journalctl @{exec_path} { include capability sys_resource, + capability dac_read_search, + capability dac_override, signal (send) peer=child-pager, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 1e25846a5..8692a99e5 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,6 +16,7 @@ profile systemd-journald @{exec_path} { capability syslog, capability sys_ptrace, capability dac_read_search, + capability kill, @{exec_path} mr, @@ -33,6 +35,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c10:224 r, # for /dev/tpm0 + @{run}/udev/data/c243:0 r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+pci:* r, @{run}/udev/data/+hid:* r, @@ -42,6 +45,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+platform:regulatory.[0-9]* r, @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r, + @{run}/udev/data/+platform:iTCO_wdt r, @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index b99256a13..47f745f38 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
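Review bot: `capability dac_override,` added beside `capability dac_read_search,` in systemd-journalctl is the broad one of the pair, as it bypasses mode bits for writes as well as reads. journalctl's ordinary job is reading `/var/log/journal` and `/run/log/journal`, which `dac_read_search` already covers for a root process; if the only observed denial was a read, drop `dac_override` or turn it into `deny capability dac_override,` to keep the log quiet. If a write path genuinely needs it (`--vacuum-*` deleting old journal files is the likely candidate), a comment on the line should say so.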
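Review bot: `@{run}/udev/data/c243:0 r,` in systemd-journald is the only udev rule in its block without a `# for /dev/...` comment, and character major 243 sits in the kernel's dynamically assigned range, so unlike `c10:224` the number cannot be read back to a specific device. Annotate it the way the block-device rules in disks-read are, `# for dynamic kernel assignment of char devices`, and consider `c243:[0-9]*` since the minor is no more stable than the major.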
@@ -21,7 +22,12 @@ profile systemd-localed @{exec_path} { /etc/default/locale rw, /etc/default/.#locale* rw, + /etc/locale.conf r, + /etc/vconsole.conf r, /usr/share/systemd/language-fallback-map r, + /usr/share/X11/xkb/rules/evdev r, + + /etc/X11/xorg.conf.d/*.conf r, } diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 0ca37ce20..a3cbc4e16 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,8 +12,7 @@ profile systemd-rfkill @{exec_path} { include include - # Needed? - audit deny capability net_admin, + capability net_admin, network netlink raw, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 7b8ee2322..be5f1835c 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,6 +13,9 @@ profile systemd-timesyncd @{exec_path} { include include + network inet dgram, + network inet6 dgram, + capability sys_time, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-l/child-pager b/apparmor.d/profiles-a-l/child-pager index 589f3b758..2c4bc6bcd 100644 --- a/apparmor.d/profiles-a-l/child-pager +++ b/apparmor.d/profiles-a-l/child-pager @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Note: This profile does not specify an attachment path because it is 
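Review bot: The systemd-rfkill hunk turns `audit deny capability net_admin,` into a grant and deletes the `# Needed?` question without answering it. The daemon's work is reading and writing `/dev/rfkill`, which needs no capability; the CAP_NET_ADMIN check is most likely the `SO_RCVBUFFORCE` probe systemd's socket helpers issue on the udev netlink socket and recover from when refused, in which case the old `deny` was correct and only its `audit` was noise. Test with `deny capability net_admin,` before granting, and record the result in a comment on the line.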
@@ -24,7 +25,11 @@ profile child-pager { /{usr/,}bin/less mr, /{usr/,}bin/more mr, - owner @{HOME}/.lesshs* rw, + owner @{user_cache_dirs}/lesshs* rw, + owner /root/.lesshs* rw, + + # Display properly on different host terminals + @{system_share_dirs}/terminfo/{,**} r, # For shell pwd /root/ r, diff --git a/apparmor.d/profiles-a-l/dmesg b/apparmor.d/profiles-a-l/dmesg index 232b92a6c..290eb948d 100644 --- a/apparmor.d/profiles-a-l/dmesg +++ b/apparmor.d/profiles-a-l/dmesg @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,12 +10,18 @@ include @{exec_path} = /{usr/,}bin/dmesg profile dmesg @{exec_path} { include + include capability syslog, + capability dac_read_search, @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/less rPx -> child-pager, + /dev/kmsg r, + /usr/share/terminfo/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-l/hostname b/apparmor.d/profiles-a-l/hostname index ea38d5c35..2ce28d156 100644 --- a/apparmor.d/profiles-a-l/hostname +++ b/apparmor.d/profiles-a-l/hostname @@ -14,6 +14,8 @@ profile hostname @{exec_path} { capability sys_admin, + network netlink raw, + @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-a-l/lspci b/apparmor.d/profiles-a-l/lspci index e5b94540e..4a7e537d3 100644 --- a/apparmor.d/profiles-a-l/lspci +++ b/apparmor.d/profiles-a-l/lspci @@ -20,6 +20,7 @@ profile lspci @{exec_path} { @{sys}/bus/pci/slots/ r, @{sys}/devices/pci[0-9]*/** r, + /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, /usr/share/misc/pci.ids.gz r, diff --git a/apparmor.d/profiles-m-z/mount b/apparmor.d/profiles-m-z/mount index b7cb693a9..d0b541e10 100644 --- a/apparmor.d/profiles-m-z/mount +++ b/apparmor.d/profiles-m-z/mount @@ -21,6 +21,8 @@ profile mount @{exec_path} flags=(complain) { capability setgid, capability setuid, + capability dac_read_search, + mount, network inet stream, 
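Review bot: `/{usr/,}bin/{,ba,da}sh rix,` in the dmesg profile runs the shell that dmesg spawns for its pager inside the dmesg profile, inheriting `capability syslog` and the new `capability dac_read_search`, yet the only pager given a child transition is `less`. If `$PAGER` is `more` or `pager`, the shell's exec of it will be denied or stay under dmesg's permissions; the systemd-analyze profile in this same series routes all three with `rPx -> child-pager`, so `/{usr/,}bin/{more,pager} rPx -> child-pager,` here keeps them consistently confined.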
diff --git a/apparmor.d/profiles-m-z/ntfs-3g b/apparmor.d/profiles-m-z/ntfs-3g index e49903f24..b5e18d5a5 100644 --- a/apparmor.d/profiles-m-z/ntfs-3g +++ b/apparmor.d/profiles-m-z/ntfs-3g @@ -18,6 +18,9 @@ profile ntfs-3g @{exec_path} { capability setgid, capability setuid, capability sys_admin, + capability dac_read_search, + capability dac_override, + capability mknod, @{exec_path} mr, @@ -40,6 +43,12 @@ profile ntfs-3g @{exec_path} { mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/, mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/*/, + # Allow to mount encrypted partition + mount fstype=fuseblk /dev/dm-[0-9]* -> /media/*/, + mount fstype=fuseblk /dev/dm-[0-9]* -> /media/*/*/, + mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/, + mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/, + # kmod is used to load the fuse kernel module /{usr/,}bin/kmod rPx, diff --git a/apparmor.d/profiles-m-z/passwd b/apparmor.d/profiles-m-z/passwd index 9e56f1876..4199ccfbc 100644 --- a/apparmor.d/profiles-m-z/passwd +++ b/apparmor.d/profiles-m-z/passwd @@ -23,8 +23,7 @@ profile passwd @{exec_path} { capability chown, capability fsetid, - # passwd is a SETUID binary, but it looks like it doesn't want this CAP. - #capability setuid, + capability setuid, network netlink raw, @@ -33,6 +32,10 @@ profile passwd @{exec_path} { owner @{PROC}/@{pid}/loginuid r, /etc/shadow rw, + /etc/shadow.[0-9]* rw, + /etc/shadow.lock rwl, + /etc/shadow- rw, + /etc/shadow+ rw, /etc/nshadow rw, # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to diff --git a/apparmor.d/profiles-m-z/pinentry-gtk-2 b/apparmor.d/profiles-m-z/pinentry-gtk-2 index bb27f5707..2877fcb9a 100644 --- a/apparmor.d/profiles-m-z/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-z/pinentry-gtk-2 @@ -16,5 +16,9 @@ profile pinentry-gtk-2 @{exec_path} { @{exec_path} mr, + /usr/share/gtk-2.0/gtkrc r, + + owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + include if exists } 
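Review bot: `capability mknod,` in the first ntfs-3g hunk is an unusual grant for a FUSE filesystem helper and the hunk gives no reason; combined with the new `dac_override` it lets the daemon create device nodes anywhere it can write. If the trigger was the fallback that creates `/dev/fuse` when the node is missing, that is presumably a one-off on systems without devtmpfs/udev and may be better handled with `deny capability mknod,` plus a comment; either way the line needs a `# why` note so the grant can be revisited.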
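Review bot: The comment `# Allow to mount encrypted partition` in the second ntfs-3g hunk understates what the four `/dev/dm-[0-9]*` rules grant: `dm-*` is any device-mapper target (LVM logical volumes, dm-raid, snapshots, as well as unlocked dm-crypt/LUKS volumes), and profiles are read later by people chasing denials. Reword it to `# Allow mounting device-mapper targets (unlocked LUKS volumes, LVM LVs, ...)` so the scope of the rules is not misread as LUKS-only.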
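Review bot: `owner @{run}/user/@{pid}/.mutter-Xwaylandauth.[0-9A-Z]* r,` in pinentry-gtk-2 uses `@{pid}` where the path component is the user's UID — `/run/user/<uid>/` is keyed by UID, so the rule only matches when the process id happens to equal the uid and the real Xwayland auth file is still denied. Use the spelling the pulseaudio profile uses for this directory, `owner @{run}/user/[0-9]*/.mutter-Xwaylandauth.[0-9A-Z]* r,` (or `@{uid}` if the variable set defines it); `owner` already ties it to the calling user.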
diff --git a/apparmor.d/profiles-m-z/pkexec b/apparmor.d/profiles-m-z/pkexec index 26a9a953e..f98a9672a 100644 --- a/apparmor.d/profiles-m-z/pkexec +++ b/apparmor.d/profiles-m-z/pkexec @@ -18,6 +18,7 @@ profile pkexec @{exec_path} flags=(complain) { capability sys_ptrace, capability audit_write, + capability dac_read_search, # gdbus capability setgid, @@ -36,6 +37,7 @@ profile pkexec @{exec_path} flags=(complain) { /etc/shells r, /etc/environment r, /etc/default/locale r, + /etc/security/limits.d/{,*} r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-z/polkit-agent-helper b/apparmor.d/profiles-m-z/polkit-agent-helper index 1a9e32494..fc60d626b 100644 --- a/apparmor.d/profiles-m-z/polkit-agent-helper +++ b/apparmor.d/profiles-m-z/polkit-agent-helper @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -24,6 +25,8 @@ profile polkit-agent-helper @{exec_path} { # Needed? deny capability sys_nice, + capability dac_override, + capability net_admin, network netlink raw, @@ -33,5 +36,7 @@ profile polkit-agent-helper @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + @{run}/faillock/[a-zA-z0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-m-z/pulseaudio b/apparmor.d/profiles-m-z/pulseaudio index ae804fc2a..2aad22244 100644 --- a/apparmor.d/profiles-m-z/pulseaudio +++ b/apparmor.d/profiles-m-z/pulseaudio @@ -28,6 +28,7 @@ profile pulseaudio @{exec_path} { @{exec_path} mrix, /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, + /{usr/,}lib/pulse/gsettings-helper mrix, # PulseAudio files /usr/share/pulseaudio/** r, 
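Review bot: `capability dac_override,` and `capability net_admin,` in the second polkit-agent-helper hunk are added right under a `# Needed?` heading that already marks `sys_nice` as denied, without recording the trigger for either. `dac_override` is plausible for a setuid PAM helper reading shadow-backed modules, but `net_admin` on a PAM helper is most likely the `SO_RCVBUFFORCE` probe on its D-Bus or journal socket, which degrades gracefully when refused — try `deny capability net_admin,` first. Add a comment such as `# dac_override: pam_unix reads /etc/shadow` next to whichever grant remains.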
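Review bot: `@{run}/faillock/[a-zA-z0-9]* rw,` in the third polkit-agent-helper hunk has a typo in the character class: `A-z` spans from `A` through `z` in ASCII and so also admits `[`, `\`, `]`, `^`, `_` and the backtick, which is almost certainly not intended for a directory of per-user tally files. Write it as `@{run}/faillock/[a-zA-Z0-9]* rw,`; since pam_faillock names the file after the account, `[a-zA-Z0-9_-]*` covers the usual local usernames if you want the underscore and hyphen deliberately rather than by accident.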
@@ -35,10 +36,15 @@ profile pulseaudio @{exec_path} { # PulseAudio home config files owner @{user_config_dirs}/pulse/{,**} rw, + owner @{user_config_dirs}/dconf/user r, # Needed when PulseAudio is started via the start-pulseaudio-x11 script owner @{HOME}/.Xauthority r, + # Needed when PulseAudio is started via gdm + owner @{run}/user/[0-9]*/gdm/Xauthority r, + owner @{HOME}/.ICEauthority r, + # TCP wrap /etc/hosts.{allow,deny} r, @@ -46,6 +52,7 @@ profile pulseaudio @{exec_path} { owner @{run}/user/[0-9]*/pulse/{,*} rw, /usr/share/applications/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, @{sys}/bus/ r, @{sys}/class/ r, @@ -60,6 +67,9 @@ profile pulseaudio @{exec_path} { @{run}/systemd/users/[0-9]* r, + @{run}/user/1000/dconf/user rw, + @{run}/user/1000/ICEauthority r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-m-z/sensors b/apparmor.d/profiles-m-z/sensors index 73dda5d30..02882a777 100644 --- a/apparmor.d/profiles-m-z/sensors +++ b/apparmor.d/profiles-m-z/sensors @@ -24,6 +24,7 @@ profile sensors @{exec_path} { @{sys}/devices/virtual/hwmon/hwmon[0-9]* r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r, @{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r, + @{sys}/devices/virtual/hwmon/hwmon[0-9]*/fan[0-9]_label r, @{sys}/devices/**/hwmon*/{,**/} r, @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, diff --git a/apparmor.d/profiles-m-z/umount b/apparmor.d/profiles-m-z/umount index c6f712fc2..0e445268c 100644 --- a/apparmor.d/profiles-m-z/umount +++ b/apparmor.d/profiles-m-z/umount @@ -20,6 +20,9 @@ profile umount @{exec_path} flags=(complain) { capability setuid, capability setgid, + capability dac_read_search, + capability chown, + umount, network inet stream, diff --git a/apparmor.d/profiles-m-z/usbguard b/apparmor.d/profiles-m-z/usbguard index 8d53b319a..50828eec3 100644 --- a/apparmor.d/profiles-m-z/usbguard +++ b/apparmor.d/profiles-m-z/usbguard 
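Review bot: `@{run}/user/1000/dconf/user rw,` and `@{run}/user/1000/ICEauthority r,` in the third pulseaudio hunk hard-code UID 1000, so the rules are dead for any other account and the profile still breaks for a second user, while the gdm rule added a few lines earlier in the same file already uses the portable form `owner @{run}/user/[0-9]*/...`. Change them to `owner @{run}/user/[0-9]*/dconf/user rw,` and `owner @{run}/user/[0-9]*/ICEauthority r,`; `owner` additionally keeps one user's pulseaudio from touching another user's dconf database.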
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,7 +11,11 @@ include profile usbguard @{exec_path} { include include - include + include + + capability chown, + capability fowner, + capability dac_override, # Needed to create policy (usbguard generate-policy) network netlink dgram, diff --git a/apparmor.d/profiles-m-z/usbguard-daemon b/apparmor.d/profiles-m-z/usbguard-daemon index 2d184b3dd..2fa0c34e6 100644 --- a/apparmor.d/profiles-m-z/usbguard-daemon +++ b/apparmor.d/profiles-m-z/usbguard-daemon @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,9 +13,9 @@ profile usbguard-daemon @{exec_path} { include include - # Needed? (##FIXME##) - #capability chown, - #capability fowner, + capability chown, + capability fowner, + capability dac_override, network netlink dgram, diff --git a/apparmor.d/profiles-m-z/wpa-supplicant b/apparmor.d/profiles-m-z/wpa-supplicant index 0a27d270c..54f72c2f9 100644 --- a/apparmor.d/profiles-m-z/wpa-supplicant +++ b/apparmor.d/profiles-m-z/wpa-supplicant @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -33,15 +34,15 @@ profile wpa-supplicant @{exec_path} { @{exec_path} mr, - owner @{run}/wpa_supplicant/ rw, - owner @{run}/wpa_supplicant/wlan* rw, - owner @{run}/wpa_supplicant.wlan*.pid rw, + owner @{run}/wpa_supplicant/{,**} rw, /etc/wpa_supplicant/wpa_supplicant.conf r, + /etc/libnl/{classid,pktloc} r, /dev/rfkill r, @{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw, + @{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw, @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
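Review bot: `capability dac_override,` in the usbguard-daemon hunk goes beyond the `chown`/`fowner` pair the old FIXME was asking about, and the hunk leaves no note of which file access required it. For a root daemon that owns the files it writes, `dac_override` is usually only hit when a config or IPC file was created with restrictive modes by another owner; check whether `dac_read_search` (or nothing) is enough before keeping it, and record the reason in a comment on the line. The same grant is added to the usbguard CLI profile above and deserves the same justification.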