diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
index 762882b74..3aa47de3c 100644
--- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
@@ -11,13 +11,9 @@ include
 profile polkit-mate-authentication-agent @{exec_path} {
   include
   include
-  include
-  include
+  include
   include
-  include
-  include
-  include
-  include
+  include
   include
 
   signal (send) set=(term, kill) peer=polkit-agent-helper,
@@ -26,19 +22,15 @@ profile polkit-mate-authentication-agent @{exec_path} {
 
   @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
 
-  /usr/share/X11/xkb/** r,
-
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
-  owner @{HOME}/.Xauthority r,
-
-  owner /dev/tty@{int} rw,
-
   @{PROC}/1/cgroup r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/fd/ r,
 
+  owner /dev/tty@{int} rw,
+
   include if exists
 }
 
diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
index dea66efb8..51d9fdddb 100644
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@@ -23,7 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 
   dbus send bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.portal.Realtime
-       member=MakeThreadRealtimeWithPID
+       member=MakeThread*
        peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 702b0088d..5d908e67b 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
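Review bot: `member=MakeThread*` in the xdg-dbus-proxy hunk turns an exact method allow-list into a prefix wildcard, so any current or future method on `org.freedesktop.portal.Realtime` whose name starts with MakeThread is permitted without review. The NetworkManager rule removed later in this same commit shows the project's usual form for several members, `member={changeZoneOfInterface,removeInterface}`, and the same shape fits here: `member={MakeThreadRealtimeWithPID,MakeThreadHighPriorityWithPID}`. If the wildcard is deliberate because the proxy forwards whatever the sandboxed client requests, a one-line comment saying so would stop the next reader from tightening it back.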
@@ -78,8 +78,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 
   /var/lib/gdm{,3}/greeter-dconf-defaults r,
 
-  owner @{user_config_dirs}/xdg-desktop-portal/* r,
   @{user_config_dirs}/kioslaverc r,
+  owner @{user_config_dirs}/xdg-desktop-portal/* r,
 
   owner @{tmp}/icon* rw,
 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
index 73e8e734a..05c12eaf3 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 odomingao
+# Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -26,10 +27,10 @@ profile xdg-desktop-portal-hyprland @{exec_path} {
   owner /tmp/hypr/\#@{int} rwkl,
   owner /tmp/hypr/hyprland-share-picker.conf* rwkl,
 
-  /sys/devices/virtual/dmi/id/bios_vendor r,
-  /sys/devices/virtual/dmi/id/board_vendor r,
-  /sys/devices/virtual/dmi/id/product_name r,
-  /sys/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
 
   owner @{PROC}/@{pid}/cmdline r,
 
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index d97327969..3d240828b 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -27,54 +27,56 @@ profile gpg-agent @{exec_path} {
   owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,
   owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
   owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw,
-  owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{HOME}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
 
   owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
   owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/*.conf r,
   owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
   owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw,
-  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
 
   owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
   owner @{user_projects_dirs}/**/{.,}gnupg/*.conf r,
   owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
   owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw,
-  owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{user_projects_dirs}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
 
   owner @{run}/user/@{uid}/gnupg/ rw,
   owner @{run}/user/@{uid}/gnupg/*.conf r,
+  owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+  owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
   owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw,
-  owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner @{run}/user/@{uid}/gnupg/sshcontrol r,
 
   owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
   owner @{user_tmp_dirs}/**/{.,}gnupg/*.conf r,
   owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
   owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw,
-  owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
 
   #aa:only pacman
   owner /etc/pacman.d/gnupg/ rw,
   owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw,
   owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw,
-  owner /etc/pacman.d/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner /etc/pacman.d/gnupg/sshcontrol r,
 
   owner /var/lib/*/.gnupg/ rw,
   owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
   owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
-  owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner /var/lib/*/.gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner /var/lib/*/.gnupg/sshcontrol r,
 
   owner /var/lib/*/gnupg/ rw,
   owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
   owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw,
-  owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner /var/lib/*/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner /var/lib/*/gnupg/sshcontrol r,
 
   #aa:only zypper
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 8c8a1c069..477354574 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -12,7 +12,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
-  include
   include
   include
   include
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index f8612b4dc..7f9b5adf6 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
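Review bot: Only the `@{run}/user/@{uid}/gnupg` block in the gpg-agent hunk gains a `d.@{rand}/ rw` rule for the socket directory itself and a split socket rule; the other seven directories keep `{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw` with no rule that lets the agent create or remove `d.@{rand}/`. If gpg-agent has to create that directory (the new run rule suggests it does), the same operation will be denied under `@{HOME}/@{XDG_GPG_DIR}` and the rest as soon as a socket dir is used there; if it only ever does so under @{run}, a comment on that block would explain the asymmetry. Separately, `*` already cannot cross a path separator, so `d.*` to `d.@{rand}` only narrows anything if `@{rand}` is defined as a restricted character class — worth checking the tunable before treating this as a hardening.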
@@ -43,6 +43,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 
 
   #aa:dbus own bus=system name=org.freedesktop.NetworkManager
+  #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld
   #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
   #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
 
@@ -61,11 +62,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
        member=GetManagedObjects
        peer=(name=:*, label=bluetoothd),
 
-  dbus send bus=system path=/org/fedoraproject/FirewallD1
-       interface=org.fedoraproject.FirewallD1.zone
-       member={changeZoneOfInterface,removeInterface}
-       peer=(name=org.freedesktop.DBus, label=firewalld),
-
   dbus send bus=system path=/org/freedesktop
        interface=org.freedesktop.DBus.ObjectManager
        member=InterfacesAdded
@@ -134,13 +130,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/@{pci}/net/*/{,**} r,
   @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r,
 
-  owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/fd/ r,
   @{PROC}/@{pids}/stat r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,
   @{PROC}/sys/net/** rw,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
 
   /dev/rfkill rw,
 
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index dd3f253db..14d73b356 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
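Review bot: Replacing the removed four-line `dbus send ... interface=org.fedoraproject.FirewallD1.zone member={changeZoneOfInterface,removeInterface}` rule with `#aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld` widens NetworkManager's firewalld access from two zone methods to, as I understand the talk directive, every interface and method the FirewallD1 name exports, in both directions. For a network-facing system daemon that is a real privilege increase, and the old rule most likely failed only because its `peer=(name=org.freedesktop.DBus, ...)` named the bus rather than firewalld; keeping the explicit rule with `peer=(name=org.fedoraproject.FirewallD1, label=firewalld)` would fix the match without opening the whole name. If the full talk is intended, a comment naming the FirewallD1 interfaces NM actually uses would justify it for the next reviewer.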
@@ -30,20 +30,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read),
 
-  dbus send bus=system path=/org/freedesktop/resolve1
-       interface=org.freedesktop.DBus.Peer
-       member=Ping
-       peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
-
-  dbus send bus=system path=/org/freedesktop/resolve1
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
-
-  dbus send bus=system path=/org/freedesktop/resolve1
-       interface=org.freedesktop.resolve1.Manager
-       member={FlushCaches,SetLink*}
-       peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
+  #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg
index d62e509e9..311135eae 100644
--- a/apparmor.d/groups/pacman/makepkg
+++ b/apparmor.d/groups/pacman/makepkg
@@ -11,6 +11,9 @@ profile makepkg @{exec_path} {
   include
   include
 
+  signal send set=winch peer=pacman,
+  signal send set=winch peer=pacman//systemctl,
+
   network inet stream,
   network inet6 stream,
   network inet dgram,
@@ -48,6 +51,7 @@ profile makepkg @{exec_path} {
   owner @{run}/user/@{uid}/ r,
   owner @{run}/user/@{uid}/gnupg/ r,
   owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+  owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
   owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
   owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
 
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index c1dbb002e..48778d6e4 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -37,9 +37,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
   network unix stream,
 
-  ptrace (read),
+  ptrace read,
 
-  signal (send) set=(usr1) peer=gvfsd,
+  signal send set=usr1 peer=gvfsd,
+  signal receive set=winch peer=makepkg//sudo,
 
   @{exec_path} mrix,
 
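Review bot: The tailscaled hunk collapses three member-scoped resolve1 rules (Peer.Ping, Properties.Get and `Manager member={FlushCaches,SetLink*}`) into `#aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved`, which grants every method on that name. The DNS-steering calls were already covered by `SetLink*`, so the only thing gained is the remaining Manager methods; if one of those was the missing piece, adding it to the member list is a smaller change than opening the whole name for a long-running network daemon. If the talk form is the intended end state, a comment naming the call that motivated it would let a later reviewer re-narrow it with confidence.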
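Review bot: The two new `signal send set=winch peer=pacman` and `peer=pacman//systemctl` rules in makepkg sit in the top-level profile, so the sending label is `makepkg`, while the receive rules added to pacman in this same commit name `peer=makepkg//sudo`. AppArmor checks both ends of a signal, so unless SIGWINCH is actually delivered from makepkg's `sudo` child profile (in which case the send rules belong inside that child, where the labels would line up with pacman's side) one of the two profiles will keep denying it. Worth confirming which label the audit log reports and then using it on both sides, e.g. `signal send set=winch peer=pacman//systemctl,` in the sudo child or `peer=makepkg` in pacman; the makepkg profile body continues outside this hunk.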
@@ -194,6 +195,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
   capability sys_resource,
 
   signal send set=cont peer=child-pager,
+  signal receive set=winch peer=makepkg//sudo,
 
   @{pager_path} rPx -> child-pager,
 
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce
index 84ba22fba..3a803756c 100644
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@@ -29,8 +29,8 @@ profile aa-enforce @{exec_path} {
   owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
   owner /var/lib/snapd/apparmor/{,**} rw,
 
-  /tmp/@{rand8} rw,
-  /tmp/apparmor-bugreport-@{rand8}.txt rw,
+  owner @{tmp}/@{rand8} rw,
+  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
 
   owner @{PROC}/@{pid}/fd r,
 
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify
index 7c65b9be2..f2ff96df4 100644
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@@ -35,7 +35,7 @@ profile aa-notify @{exec_path} {
   owner @{HOME}/.terminfo/@{int}/dumb r,
 
   owner @{tmp}/@{rand8} rw,
-  owner @{tmp}/apparmor-bugreport-*.txt rw,
+  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
 
   @{PROC}/ r,
   @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre
index d58a8d042..c00490a75 100644
--- a/apparmor.d/profiles-a-f/calibre
+++ b/apparmor.d/profiles-a-f/calibre
@@ -94,6 +94,7 @@ profile calibre @{exec_path} {
   @{PROC}/ r,
   @{PROC}/@{pids}/net/route r,
   @{PROC}/sys/fs/inotify/max_user_watches r,
+  @{PROC}/sys/kernel/random/boot_id r,
   @{PROC}/sys/kernel/yama/ptrace_scope r,
   @{PROC}/vmstat r,
   owner @{PROC}/@{pid}/cmdline r,
@@ -102,24 +103,10 @@ profile calibre @{exec_path} {
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  owner @{PROC}/@{pid}/stat{,m} r,
-  owner @{PROC}/@{pid}/stat{,m} r,
-  owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/stat{,m} r,
-  owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-  owner @{PROC}/@{pid}/task/@{tid}/status r,
-  owner @{PROC}/@{pid}/task/@{tid}/status r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-  deny owner @{PROC}/@{pid}/cmdline r,
-  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  deny @{PROC}/sys/kernel/random/boot_id r,
   owner @{PROC}/@{pid}/task/@{tid}/status r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-  deny owner @{PROC}/@{pid}/cmdline r,
-  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  deny @{PROC}/sys/kernel/random/boot_id r,
 
   owner /dev/tty@{int} rw,
 
diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla
index 2ec1a542f..8b3786eb5 100644
--- a/apparmor.d/profiles-a-f/filezilla
+++ b/apparmor.d/profiles-a-f/filezilla
@@ -13,6 +13,7 @@ profile filezilla @{exec_path} {
   include
   include
   include
+  include
   include
   include
   include
@@ -27,7 +28,7 @@ profile filezilla @{exec_path} {
   network netlink dgram,
   network netlink raw,
 
-  signal (send) set=(term, kill) peer=fzsftp,
+  signal send set=(term, kill) peer=fzsftp,
 
   @{exec_path} mr,
 
@@ -65,6 +66,7 @@ profile filezilla @{exec_path} {
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
 
+  /dev/tty rw,
   owner /dev/tty@{int} rw,
 
   include if exists
diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube
index a3d655d87..7d9a5f59e 100644
--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
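Review bot: The calibre change flips `@{PROC}/sys/kernel/random/boot_id` from an explicit `deny` (present twice among the removed lines) to an allow in the earlier hunk without recording why. boot_id is a stable per-boot identifier that is handy for session fingerprinting, and an earlier maintainer denied it on purpose, so the new rule deserves a trailing comment naming the component that actually reads it, along the lines of `@{PROC}/sys/kernel/random/boot_id r, # previously denied; read by ...`. The other removed `deny` lines (cmdline, oom_adj) contradicted allows the profile already carries, and since deny wins in AppArmor their removal only makes the existing allows effective; boot_id is the one rule whose policy genuinely changes here. The enclosing profile body continues outside the hunk.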
@@ -7,7 +7,7 @@ abi ,
 
 include
 
-@{name} = {F,f}reetube{,-vue}
+@{name} = {F,f}ree{T,t}ube{,-vue}
 @{lib_dirs} = @{lib}/@{name} /opt/@{name}
 @{config_dirs} = @{user_config_dirs}/@{name}
 @{cache_dirs} = @{user_cache_dirs}/@{name}
@@ -16,11 +16,11 @@ include
 profile freetube @{exec_path} {
   include
   include
+  include
   include
   include
   include
   include
-  include
   include
 
   network inet dgram,
@@ -35,13 +35,8 @@ profile freetube @{exec_path} {
 
   @{open_path} rPx -> child-open-strict,
 
-  /etc/fstab r,
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
-  owner @{run}/user/@{uid}/ r,
-
-  owner /dev/tty@{int} rw,
+  #aa:stack X xdg-settings
+  @{bin}/xdg-settings rPx -> freetube//&xdg-settings,
 
   include if exists
 }
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index edacd92e1..30ce7e1e8 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -92,14 +92,9 @@ profile git @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/.netrc r,
   owner @{user_config_dirs}/git/{,*} rw,
 
-  owner @{tmp}/git-difftool.*/ rw, # For diffs
-  owner @{tmp}/git-difftool.*/right/{,**} rw,
-  owner @{tmp}/git-difftool.*/left/{,**} rw,
-  owner @{tmp}/* rw,
-  owner @{tmp}/tmp*/ rw, # For TWRP-device-tree-generator
-  owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**,
   owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
   owner @{tmp}/git-commit-msg-.txt rw, # For android studio
+  owner @{tmp}/git-difftool.*/{,**} rw, # For diffs
 
   deny owner @{code_config_dirs}/** rw,
   deny owner @{user_share_dirs}/gvfs-metadata/* r,
@@ -126,6 +121,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
 
   profile ssh flags=(attach_disconnected) {
     include
+    include
     include
 
     network inet dgram,
diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop
index e50d95764..73474ce7f 100644
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@@ -31,11 +31,13 @@ profile signal-desktop @{exec_path} {
 
   @{exec_path} mrix,
 
-  @{bin}/basename rix,
+  # @{bin}/basename rix,
   @{bin}/getconf rix,
-  @{bin}/xdg-settings rix,
   @{open_path} rPx -> child-open-strict,
 
+  #aa:stack X xdg-settings
+  @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings,
+
   audit @{lib_dirs}/chrome-sandbox rPx,
   @{lib_dirs}/chrome_crashpad_handler rix,
 
diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop
index 416c97d72..a31d4c601 100644
--- a/apparmor.d/profiles-s-z/telegram-desktop
+++ b/apparmor.d/profiles-s-z/telegram-desktop
@@ -26,6 +26,7 @@ profile telegram-desktop @{exec_path} {
   include
   include
   include
+  include
 
   network inet dgram,
   network inet6 dgram,
@@ -47,10 +48,13 @@ profile telegram-desktop @{exec_path} {
 
   owner @{tmp}/@{hex32}-?@{uuid}? rwk,
   audit owner /dev/shm/#@{int} rw,
 
+  @{sys}/kernel/mm/transparent_hugepage/enabled r,
+
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   owner /dev/tty@{int} rw,
 
diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl
index 63e8b7c79..5e7320a63 100644
--- a/apparmor.d/profiles-s-z/udisksctl
+++ b/apparmor.d/profiles-s-z/udisksctl
@@ -10,6 +10,10 @@ include
 @{exec_path} = @{bin}/udisksctl
 profile udisksctl @{exec_path} {
   include
+  include
+  include
+
+  #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar
index 127945081..3646a616d 100644
--- a/apparmor.d/profiles-s-z/waybar
+++ b/apparmor.d/profiles-s-z/waybar
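Review bot: `# @{bin}/basename rix,` in the signal-desktop hunk leaves a commented-out rule with no explanation, which reads as either "temporarily disabled" or "kept for reference" and will slow down the next audit-log triage of this profile. Either drop the line outright (git history keeps it) or say why it stays, e.g. `# @{bin}/basename rix, # not observed since xdg-settings moved to a stacked child; remove if it stays quiet`. The rest of the hunk — moving `xdg-settings` from `rix` in the main profile to a stacked `signal-desktop//&xdg-settings` child — is the kind of narrowing that benefits from the same one-line justification, but its intent is at least readable from the `#aa:stack` directive. The enclosing profile continues outside the hunk.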
@@ -22,15 +22,22 @@ profile waybar @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /etc/machine-id r,
+
   owner @{user_config_dirs}/waybar/{,**} r,
 
   @{sys}/devices/virtual/dmi/id/bios_vendor r,
   @{sys}/devices/virtual/dmi/id/board_vendor r,
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/devices/system/cpu/present r,
 
+  @{PROC}/@{pid}/net/dev r,
+  @{PROC}/spl/kstat/zfs/arcstats r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
+  /dev/rfkill r,
+
   owner /dev/tty@{int} rw,
 
   include if exists
diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs
index 8dd2f237c..5c18c1b28 100644
--- a/apparmor.d/tunables/multiarch.d/programs
+++ b/apparmor.d/tunables/multiarch.d/programs
@@ -71,7 +71,7 @@
 @{file_explorers_names} = dolphin nautilus thunar
 
 # Text editors
-@{text_editors_names} = code gedit mousepad gnome-text-editor
+@{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli
 
 # Document viewers
 @{document_viewers_names} = evince okular *{F,f}oliate YACReader
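Review bot: `@{PROC}/@{pid}/net/dev r,` in the waybar hunk is the one new /proc rule without `owner`, and it pairs `@{pid}` with no ownership check where this repository's convention (visible in the NetworkManager hunk above: `@{PROC}/@{pids}/stat r` for other processes, `owner @{PROC}/@{pid}/...` for the process itself) uses `owner` with `@{pid}`. `/proc/<pid>/net/dev` shows the same per-network-namespace counters for every process, so waybar only needs its own entry: `owner @{PROC}/@{pid}/net/dev r,`. The remaining additions (`/etc/machine-id`, `cpu/present`, `zfs/arcstats`, `/dev/rfkill r`) are read-only and look proportionate for a status bar; the profile body continues outside the hunk.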