diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop
index 943b98114..00fa0bcdd 100644
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@@ -12,6 +12,7 @@ include
 profile telegram-desktop @{exec_path} {
   include
   include
+  include
   include
   include
   include
@@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} {
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
-  include
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
   # Needed when saving files as, or otherwise the app crashes
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom
index 3dcdf22df..90e96c33c 100644
--- a/apparmor.d/groups/apt/apt-cdrom
+++ b/apparmor.d/groups/apt/apt-cdrom
@@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
   /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
   # For pendrives
-  @{MOUNTS}/*/ r,
-  @{MOUNTS}/*/**/ r,
-  @{MOUNTS}/*/.disk/info r,
-  @{MOUNTS}/*/dists/**/binary-*/Packages{,.gz} r,
-  @{MOUNTS}/*/dists/**/i18n/Translation-en{,.gz} r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/**/ r,
+  @{MOUNTS}/.disk/info r,
+  @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
+  @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,
   /var/lib/apt/lists/** rw,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index 791e78fa7..ee1c9726d 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{libexec}/ibus-x11
 profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
   include
   include
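Review bot: The second hunk drops `owner @{run}/user/@{uid}/dconf/ rw,` and `owner @{run}/user/@{uid}/dconf/user rw,` together with the include that preceded them, on the assumption that the include added in the first hunk grants the same dconf write access; that cannot be verified here because the `<…>` include targets have been stripped from every include line in this rendering. If the new abstraction does not cover the dconf runtime directory, Telegram will start logging denials on settings changes rather than failing visibly, so the original patch should be checked for the target name. The same pattern (an include added at the top of the profile, explicit dconf or bus rules removed below) appears in ibus-x11, gnome-system-monitor and light-locker.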
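Review bot: Removing the `/*/` component from the five `@{MOUNTS}` rules in the apt-cdrom hunk is only equivalent to the old rules if the `@{MOUNTS}` tunable itself now expands to the per-device directories rather than the mount parents; that tunable change is not part of this patch, so if it is merged separately the rules stop matching `/media/<device>/dists/...` and the pendrive path breaks, and because the profile is `flags=(complain)` the breakage shows up only as audit-log noise. The same rewrite is applied in gnome-disk-image-mounter, gnome-music, gnome-photos-thumbnailer, tracker-extract and tracker-miner, and by deletion in gnome-shell-hotplug-sniffer. If the tunable carries a trailing slash, `@{MOUNTS}/.disk/info` expands with a doubled slash and relies on the parser collapsing duplicate slashes; a short comment at the tunable definition stating that it already ends at the device directory would make rules like these self-explanatory.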
@@ -22,16 +23,12 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
   /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
   owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
   owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
-  owner @{run}/user/@{uid}/bus rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index fd3deefa2..3741b43b8 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
   include
   include
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
index 5992fe6fa..7fafce5ac 100644
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{libexec}/gdm-x-session
 profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
   include
+  include
+  include
   signal (receive) set=term peer=gdm{,-session-worker},
   # signal (send) set=term peer=unconfined,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index b109d9c45..ee7cddc9f 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
   include
+  include
   include
   include
   include
@@ -34,6 +35,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
   owner @{user_share_dirs}/icons/{,**} r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter
index e034e54a4..853c4a1c0 100644
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@@ -21,7 +21,7 @@ profile gnome-disk-image-mounter @{exec_path} {
   # Allow to mount user files
   owner @{HOME}/{,**} r,
-  owner @{MOUNTS}/*/{,**} r,
+  owner @{MOUNTS}/{,**} r,
   owner /tmp/*/{,**} r,
   owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 2fe0625ac..3fbaa6b45 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -39,7 +39,7 @@ profile gnome-music @{exec_path} {
   /etc/machine-id r,
   owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
-  owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r,
   owner @{user_cache_dirs}/gnome-music/{,**} rwk,
   owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
index c58fc2457..b2e371b92 100644
--- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer
+++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
@@ -16,7 +16,7 @@ profile gnome-photos-thumbnailer @{exec_path} {
   /usr/share/mime/mime.cache r,
   owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
-  owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r,
   owner @{user_cache_dirs}/babl/{,**} r,
   owner @{user_cache_dirs}/gegl-*/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
index 6769ca2ff..94abd03f3 100644
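Review bot: The new `owner @{run}/user/@{uid}/wayland-[0-9]* rw,` hand-codes the Wayland client socket path even though upstream AppArmor ships an `abstractions/wayland` abstraction for exactly this, and the first hunk of this file already adds an include at the top of the profile; using the abstraction keeps the socket pattern in one place if the runtime directory layout changes. If the project prefers the explicit rule, a comment such as `# Wayland display socket` next to it would distinguish it from the Xauthority line directly above.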
--- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
+++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
@@ -14,7 +14,6 @@ profile gnome-shell-hotplug-sniffer @{exec_path} {
   /usr/share/mime/mime.cache r,
-  owner @{MOUNTS}/*/ r,
   owner @{MOUNTS}/**/ r,
   owner @{MOUNTS}/** r,
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index 1053f8bd9..47b278088 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -9,7 +9,8 @@ include
 @{exec_path} = /{usr/,}bin/gnome-system-monitor
 profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   include
-  include
+  include
+  include
   include
   include
@@ -35,8 +36,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
   owner @{run}/user/@{uid}/doc/ rw,
   @{run}/systemd/sessions/* r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 2deea0302..24b5d3407 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -40,7 +40,7 @@ profile tracker-extract @{exec_path} {
   # Allow to search user files
   owner @{HOME}/{,**} r,
-  owner @{MOUNTS}/*/{,**} r,
+  owner @{MOUNTS}/{,**} r,
   owner /tmp/*/{,**} r,
   owner /tmp/tracker-extract-3-files.*/{,*} rw,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 397e03ead..8191ba33f 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -44,7 +44,7 @@ profile tracker-miner @{exec_path} {
   # Allow to search user files
   owner @{HOME}/{,**} r,
-  owner @{MOUNTS}/*/{,**} r,
+  owner @{MOUNTS}/{,**} r,
   owner /tmp/*/{,**} r,
   owner @{user_config_dirs}/tracker3/{,**} rwk,
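Review bot: With `owner @{MOUNTS}/*/ r,` gone, nothing in the gnome-shell-hotplug-sniffer profile grants read on the mount directory itself: `owner @{MOUNTS}/**/ r,` and `owner @{MOUNTS}/** r,` both require at least one path component below `@{MOUNTS}/`, so opening `@{MOUNTS}/` to list its contents, which is what a hotplug sniffer does before inspecting any file, would be denied, assuming `@{MOUNTS}` now expands to the per-device directory as the other hunks in this patch imply. The sibling profiles changed in this patch use `owner @{MOUNTS}/{,**} r,`, which covers the directory and everything under it; the two surviving lines here could be replaced by that single rule.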
diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker
index 85c9dbd5b..b5f78f2cd 100644
--- a/apparmor.d/profiles-g-l/light-locker
+++ b/apparmor.d/profiles-g-l/light-locker
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/light-locker
 profile light-locker @{exec_path} {
   include
+  include
   include
   include
   include
@@ -27,10 +28,6 @@ profile light-locker @{exec_path} {
   # when locking the screen and switching/closing sessions
   @{run}/systemd/sessions/* r,
-  include
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
   @{sys}/devices/pci[0-9]*/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/vendor r,
   @{sys}/devices/pci[0-9]*/**/device r,