From 175e2c3dc3ff1dc8bce2ed312141cec5f2065dfd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:16:35 +0200 Subject: [PATCH 001/155] feat(profile): ensure all access to udev/data is documented. Cleanup some rule to wide in udev/data --- apparmor.d/abstractions/devices-usb-read | 6 ++--- apparmor.d/abstractions/disks-read | 6 ++--- apparmor.d/abstractions/gstreamer | 2 +- apparmor.d/groups/_full/systemd | 5 ++-- apparmor.d/groups/_full/systemd-user | 5 ++-- apparmor.d/groups/bluetooth/bluetoothd | 2 +- .../groups/browsers/firefox-kmozillahelper | 2 +- apparmor.d/groups/filesystem/udisksd | 8 +++--- apparmor.d/groups/freedesktop/boltd | 2 +- .../groups/freedesktop/iio-sensor-proxy | 2 +- apparmor.d/groups/freedesktop/upowerd | 12 ++++----- apparmor.d/groups/freedesktop/xorg | 10 +++---- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++----- apparmor.d/groups/gnome/gsd-power | 4 +-- apparmor.d/groups/hyprland/hyprland | 8 +++--- apparmor.d/groups/kde/baloo | 4 +-- apparmor.d/groups/kde/baloorunner | 4 +-- apparmor.d/groups/kde/dolphin | 4 +-- apparmor.d/groups/kde/kwin_wayland | 8 +++--- apparmor.d/groups/lxqt/lxqt-panel | 3 ++- apparmor.d/groups/network/ModemManager | 14 +++++----- apparmor.d/groups/network/NetworkManager | 6 ++--- apparmor.d/groups/network/dhcpcd | 2 +- apparmor.d/groups/network/nmcli | 2 +- apparmor.d/groups/steam/steam | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/systemd-backlight | 4 +-- apparmor.d/groups/systemd/systemd-journald | 26 +++++++++---------- apparmor.d/groups/systemd/systemd-logind | 12 ++++----- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- .../groups/ubuntu/subiquity-console-conf | 8 +++--- apparmor.d/groups/virt/libvirtd | 6 ++--- apparmor.d/groups/virt/virtnodedevd | 16 ++++++------ apparmor.d/profiles-a-f/cheese | 3 ++- apparmor.d/profiles-a-f/fwupd | 4 ++- apparmor.d/profiles-g-l/kodi | 3 ++- apparmor.d/profiles-g-l/labwc | 7 +++-- apparmor.d/profiles-m-r/power-profiles-daemon | 4 +-- apparmor.d/profiles-s-z/tlp | 2 +- 41 files changed, 120 insertions(+), 118 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 6bd0c8015..836a5f3c7 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -20,9 +20,9 @@ @{sys}/devices/**/usb@{int}/{,**} r, # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 872b0c552..e33ec2c3f 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -101,13 +101,13 @@ @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 + @{run}/udev/data/b25[0-4]:@{int} r, # to 254 @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for disk over usb hub + @{run}/udev/data/+usb:* r, # Identifies all USB devices include if exists diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 7fc20c293..5a14b6f7a 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -36,7 +36,7 @@ #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c189:@{int} r, # For USB serial converters diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 184084fed..d1ee8fd1f 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -168,14 +168,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/**/uevent r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index a5bb4d926..b3d751be1 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -59,14 +59,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{run}/systemd/notify w, @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index e5443f505..2800a4124 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -46,7 +46,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index efcad72f8..8e86ee126 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -44,7 +44,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 2ff82f5e4..91d4a8569 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -112,11 +112,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 8f55bb375..5b72f8427 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -27,7 +27,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/notify w, - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{sys}/bus/ r, @{sys}/bus/thunderbolt/devices/ r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index d7122bdbb..1201e1277 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4061af4c8..d58385831 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -28,15 +28,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/ r, # Lists all udev data files + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 12c82aea3..c14af6d6e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -92,17 +92,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 85b3268dd..41b62df09 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -159,7 +159,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 25ce44f14..d4c8b1ba2 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -315,19 +315,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a330b76ce..2fa0b0b1f 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -58,9 +58,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 9f2e7583d..8c8c32da0 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -42,15 +42,15 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index e53bf4039..29447e22a 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -44,8 +44,8 @@ profile baloo @{exec_path} { @{run}/mount/utab r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 8410408b3..702288a1f 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -28,8 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2ed232f85..5d51f8c4d 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -105,8 +105,8 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 101affd8c..afaac3bd0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -110,15 +110,15 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # for ACPI + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID subsystem + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 650a7e402..f817be69d 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -63,7 +63,8 @@ profile lxqt-panel @{exec_path} { owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pulse/{,**} rwk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/class/i2c-adapter/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 59efc3201..8220516bf 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -25,18 +25,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+pnp:* r, - @{run}/udev/data/+serial*:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) + @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fc5c39ea7..f7c0dd084 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -125,9 +125,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/nscd/db* rwl, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 51cf215f9..7bcd9efba 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -49,7 +49,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/** rwk, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 43a9d0dca..6065a12da 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -25,7 +25,7 @@ profile nmcli @{exec_path} { owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 151a3e161..5009b970d 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -190,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0fd89c199..a0d1471f9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -59,7 +59,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/**/net/**/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 374e9c4ae..b5a966f37 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index b0a646f66..ad3d96990 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+ieee80211:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+mdio_bus:* r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+sdio:* r, - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. + @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 1fb3f6cb3..271354633 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -68,15 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drivers:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+drivers:* r, # For drivers loaded in the system @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+wakeup:* r, + @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 5105c69b8..ccb6d9629 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -71,7 +71,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/*.network r, owner @{run}/systemd/netif/** rw, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 552bd9996..bf983ea7a 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -22,7 +22,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index a5b65f5b3..8f673e261 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/devices/ r, @{sys}/*/*/ r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index c90e80af9..fa3005a65 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -164,9 +164,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 957164e85..fb593068e 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -44,18 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+dmi:* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @@ -71,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/ r, @{sys}/devices/@{pci}/net/{,**} r, diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index cadd1beab..b308439c3 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -36,10 +36,11 @@ profile cheese @{exec_path} { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, - @{run}/udev/data/c@{dynamic}:@{int} r, owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 019aec5a9..ff9af895d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -109,7 +109,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/udev/data/* r, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 5b90dd3ef..9d6c9d1c2 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -50,7 +50,8 @@ profile kodi @{exec_path} { owner @{HOME}/core w, owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/**/ r, @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 93234bf52..ab624f099 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -38,12 +38,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+acpi:* r, # for ? + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 636f41754..b8f50ff7c 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -28,8 +28,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 0dccf1a23..1592d3aee 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -68,7 +68,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/drivers/*/ r, From 616486d5bad36719f8096ec9a4d540f199a603ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:18:58 +0200 Subject: [PATCH 002/155] tests(check): add a check to ensure all udev/data access are documented. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 9ecd809bf..9bafd5104 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -108,6 +108,7 @@ _check() { _check_trailing _check_indentation _check_vim + _check_udev # The following checks do not apply to commented lines [[ "$line" =~ ^[[:space:]]*# ]] && continue @@ -485,6 +486,15 @@ _res_vim() { fi } +_check_udev() { + _is_enabled udev || return 0 + if [[ "$line" == *"@{run}/udev/data/"* ]]; then + if [[ "$line" != *"#"* ]]; then + _err udev "$file:$line_number" "udev data path without a description comment" + fi + fi +} + check_sbin() { local file name jobs mapfile -t sbin Date: Mon, 11 Aug 2025 19:38:24 +0200 Subject: [PATCH 003/155] feat(profile): fwupd: allow access to dbx --- apparmor.d/profiles-a-f/fwupd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index ff9af895d..7a00455a6 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -83,7 +83,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, - # In order to get to this file, the attach_disconnected flag has to be set + @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @@ -97,6 +97,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, From f35b64bcaec3dd23c11ab55c1b0fd3f0a21d849b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 22:27:08 +0200 Subject: [PATCH 004/155] fix(profile): missing documented udev/data --- apparmor.d/abstractions/app/udevadm | 3 ++- apparmor.d/groups/_full/sd | 3 ++- apparmor.d/groups/systemd/systemd-analyze | 3 ++- apparmor.d/profiles-a-f/ddcutil | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index e8414d026..d659143d6 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -11,7 +11,8 @@ /etc/udev/udev.conf r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index da14cabf3..13864f2dd 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -187,7 +187,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { owner @{run}/*/** rw, @{run}/udev/**/ r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, @{sys}/fs/bpf/systemd/{,**} w, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 7310586e8..3ae0a7143 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -47,7 +47,8 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index 7c353bf65..d8cb23a5c 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -28,7 +28,8 @@ profile ddcutil @{exec_path} { owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/ r, @{sys}/bus/ r, From 8b64d7dd46364e84e435564f7e9d474d1c7c9154 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 09:27:12 +0200 Subject: [PATCH 005/155] feat(abs): electron: add cgroup memory data. --- apparmor.d/abstractions/common/electron | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 6216ec939..cd7e9e8f1 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -73,6 +73,13 @@ @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/tty@{int}/active r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{PROC}/ r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, From aab12e6948e27fcb9351ae3f5beb5ff49e4db619 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 11:07:08 +0200 Subject: [PATCH 006/155] fix(profile): dockerd can be installed in both bin or sbin depending of the package source. --- apparmor.d/groups/virt/dockerd | 2 +- tests/sbin.list | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 44d9f64a0..aa0a9ed58 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dockerd +@{exec_path} = @{bin}/dockerd @{sbin}/dockerd #aa:lint ignore=sbin profile dockerd @{exec_path} flags=(attach_disconnected) { include include diff --git a/tests/sbin.list b/tests/sbin.list index a8b439478..8ee14fd21 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -171,6 +171,7 @@ dmidecode dmraid dmsetup dnsmasq +dockerd dosfsck dosfslabel dpkg-preconfigure From 2aa0d89f84ac2ad51b021568ce52243c9fc595a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 12:45:55 +0200 Subject: [PATCH 007/155] feat(profile): update firefox stack. --- apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/torbrowser-glxtest | 4 +++- apparmor.d/profiles-s-z/thunderbird | 6 +++--- apparmor.d/profiles-s-z/thunderbird-glxtest | 4 +++- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 97e5645b9..30281f2f4 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -16,8 +16,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index 4939edfbf..2d8697259 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest @@ -17,11 +17,13 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, + / r, + owner @{PROC}/@{pid}/cmdline r, deny @{config_dirs}/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 02046580c..da163c2ae 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile thunderbird @{exec_path} { +profile thunderbird @{exec_path} flags=(attach_disconnected) { include include include @@ -23,8 +23,8 @@ profile thunderbird @{exec_path} { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/vaapitest rPx, + @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, + @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 626896a09..4f25e0862 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -15,11 +15,13 @@ profile thunderbird-glxtest @{exec_path} { include include include - include include + include @{exec_path} mr, + / r, + owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, From a5aa13923b657c9dee16d11c378d80215b14d949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 16:11:10 +0200 Subject: [PATCH 008/155] build: add support for building multiple version of the package. --- Justfile | 10 +++++----- pkg/prebuild/cli/cli.go | 28 +++++++++++++++++++++------- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/Justfile b/Justfile index ffed74ef5..3e16a75e8 100644 --- a/Justfile +++ b/Justfile @@ -63,27 +63,27 @@ build: [group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build - @./{{build}}/prebuild + @./{{build}}/prebuild --buildir {{build}} [group('build')] [doc('Prebuild the profiles in complain mode')] complain: build - @./{{build}}/prebuild --complain + ./{{build}}/prebuild --buildir {{build}} --complain [group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build - @./{{build}}/prebuild --full + @./{{build}}/prebuild --buildir {{build}} --full [group('build')] [doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build - @./{{build}}/prebuild --complain --full + @./{{build}}/prebuild --buildir {{build}} --complain --full [group('build')] [doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build - @./{{build}}/prebuild --complain --full --debug + @./{{build}}/prebuild --buildir {{build}} --complain --full --debug [group('install')] [doc('Install prebuild profiles')] diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 51636f848..000aa65f9 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -26,13 +26,15 @@ const ( internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. ` ) @@ -41,9 +43,11 @@ var ( complain bool enforce bool full bool + debug bool abi int version float64 file string + buildir string ) func init() { @@ -61,6 +65,9 @@ func init() { flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") flag.StringVar(&file, "F", "", "Only prebuild a given file.") flag.StringVar(&file, "file", "", "Only prebuild a given file.") + flag.StringVar(&buildir, "b", "", "Root build directory.") + flag.StringVar(&buildir, "buildir", "", "Root build directory.") + flag.BoolVar(&debug, "debug", false, "Enable debug mode.") } func Configure() { @@ -87,6 +94,9 @@ func Configure() { if complain { builder.Register("complain") + if debug { + builder.Register("debug") + } } else if enforce { builder.Register("enforce") } @@ -106,6 +116,10 @@ func Configure() { if version != nilVer { prebuild.Version = version } + if buildir != "" { + prebuild.Root = paths.New(buildir) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") + } if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) sync.Paths = []string{file} From 5c8c5029e085cc2ba88a28eb5df3c26229f4b49f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 18:12:51 +0200 Subject: [PATCH 009/155] tests(packer): add lxqt test image, update xfce. --- tests/cloud-init/archlinux-lxqt.user-data.yml | 28 ++++++++ tests/cloud-init/archlinux-xfce.user-data.yml | 36 +--------- tests/cloud-init/archlinux.yml | 67 +++++++++++++++++++ 3 files changed, 96 insertions(+), 35 deletions(-) create mode 100644 tests/cloud-init/archlinux-lxqt.user-data.yml diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml new file mode 100644 index 000000000..208f7dab5 --- /dev/null +++ b/tests/cloud-init/archlinux-lxqt.user-data.yml @@ -0,0 +1,28 @@ +#cloud-config + +packages: *lxqt-packages + +# lxqt-wayland-session kwin + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable sddm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 5bab9bf08..afba57519 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -1,40 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - just - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - xfce4 - - xfce4-goodies - - lightdm - - lightdm-gtk-greeter +packages: *xfce-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index 5299efda0..629de7d02 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -88,6 +88,73 @@ kde-packages: &kde-packages - konsole - okular +lxqt-packages: &lxqt-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - lxqt + - breeze-icons + - sddm + +xfce-packages: &xfce-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - xfce4 + - xfce4-goodies + - lightdm + - lightdm-gtk-greeter + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub From d8875ab8260f500175d5030c90142a94a4e324e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 18:51:39 +0200 Subject: [PATCH 010/155] build: minor build system improvement. --- Justfile | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/Justfile b/Justfile index 3e16a75e8..e434586c4 100644 --- a/Justfile +++ b/Justfile @@ -5,7 +5,7 @@ # Usage: `just` # See https://apparmor.pujol.io/development/ for more information. -# Build setings +# Build settings destdir := "/" build := ".build" pkgdest := `pwd` / ".pkg" @@ -251,7 +251,7 @@ create dist flavor: --memorybacking source.type=memfd,access.mode=shared \ --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ - --os-variant "`just get_osinfo {{dist}}`" \ + --os-variant "`just _get_osinfo {{dist}}`" \ --graphics spice \ --audio id=1,type=spice \ --sound model=ich9 \ @@ -282,18 +282,18 @@ destroy dist flavor: [group('vm')] [doc('Connect to the machine')] ssh dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` [group('vm')] [doc('Mount the shared directory on the machine')] mount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' [group('vm')] [doc('Unmout the shared directory on the machine')] umount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' [group('vm')] @@ -307,6 +307,7 @@ list: images: #!/usr/bin/env bash set -eu -o pipefail + mkdir -p {{base_dir}} ls -lh {{base_dir}} | awk ' BEGIN { printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") @@ -343,19 +344,19 @@ init: [group('tests')] [doc('Run the integration tests')] -integration: - bats --recursive --timing --print-output-on-failure tests/integration +integration name="": + bats --recursive --timing --print-output-on-failure tests/integration/{{name}} [group('tests')] [doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init [group('tests')] [doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ [group('tests')] @@ -367,18 +368,16 @@ tests-resync dist flavor: (mount dist flavor) \ [group('tests')] [doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) - ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} -[private] -get_ip dist flavor: +_get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' -[private] -get_osinfo dist: +_get_osinfo dist: #!/usr/bin/env python3 osinfo = { "archlinux": "archlinux", From 38ac0f580d10b6e0950e9505095e669bd69529d1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 15:40:52 +0200 Subject: [PATCH 011/155] feat(profile): revisit electron based profiles. - cleanup and enforce signal - fix discord fix #773 #777 --- apparmor.d/abstractions/common/electron | 1 + apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/network/mullvad-gui | 4 ++-- apparmor.d/profiles-a-f/discord | 7 +++++-- apparmor.d/profiles-a-f/element-desktop | 4 +--- apparmor.d/profiles-a-f/freetube | 3 +-- apparmor.d/profiles-g-l/linuxqq | 1 - apparmor.d/profiles-m-r/protonmail | 10 +++++----- apparmor.d/profiles-s-z/signal-desktop | 23 +++++----------------- apparmor.d/profiles-s-z/wechat | 1 - apparmor.d/profiles-s-z/wechat-appimage | 1 - apparmor.d/profiles-s-z/wechat-universal | 1 - dists/flags/main.flags | 4 +--- 13 files changed, 22 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index cd7e9e8f1..175fa8b2d 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -16,6 +16,7 @@ include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 870d4cfe4..cb7edf822 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} { @{exec_path} r, - @{sh_path} rix, + @{sh_path} r, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index ae9b4cb7f..e4d2e9a2c 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -26,9 +26,9 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/gsettings rix, + @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, owner @{user_cache_dirs}/dconf/user rw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index ddcd99add..8765084ff 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} -profile discord @{exec_path} { +profile discord @{exec_path} flags=(attach_disconnected) { include include include @@ -31,13 +31,15 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, + @{bin}/lsb_release rPx, + @{bin}/xdg-mime rPx, @{open_path} rPx -> child-open-strict, + /etc/ r, /etc/lsb-release r, owner @{user_videos_dirs}/{,**} rwl, @@ -52,6 +54,7 @@ profile discord @{exec_path} { owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, include if exists diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 05a900889..91de37e58 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -30,11 +30,9 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, + @{open_path} Px -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 8250cf8aa..f4284873d 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -34,10 +34,9 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> freetube//&xdg-settings, + @{open_path} rPx -> child-open-strict, deny @{sys}/devices/@{pci}/usb@{int}/** r, deny /dev/ r, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index dd653bd61..08b8cf7a1 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -17,7 +17,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c6d309a94..c2c81d4da 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* -profile protonmail @{exec_path} flags=(complain) { +profile protonmail @{exec_path} flags=(attach_disconnected) { include include include @@ -24,12 +24,13 @@ profile protonmail @{exec_path} flags=(complain) { network inet6 dgram, network netlink raw, - ptrace read peer=xdg-settings, + ptrace read peer=protonmail//&xdg-settings, @{exec_path} mrix, - @{bin}/xdg-settings Px, - @{open_path} Px -> child-open, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> protonmail//&xdg-settings, + @{open_path} Px -> child-open, owner @{user_config_dirs}/ibus/bus/ r, @@ -38,7 +39,6 @@ profile protonmail @{exec_path} flags=(complain) { owner @{tmp}/gtkprint_ppd_@{rand6} rw, include if exists - } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index b6a477707..0bedb90e1 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,7 +21,6 @@ profile signal-desktop @{exec_path} { include include include - include include include @@ -31,31 +30,19 @@ profile signal-desktop @{exec_path} { network inet6 stream, network netlink raw, + ptrace read peer=signal-desktop//&xdg-settings, + @{exec_path} mrix, - @{bin}/getconf rix, - @{open_path} rPx -> child-open-strict, + @{lib_dirs}/chrome_crashpad_handler rix, + @{lib_dirs}/chrome-sandbox rPx, #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, - - audit @{lib_dirs}/chrome-sandbox rPx, - @{lib_dirs}/chrome_crashpad_handler rix, + @{open_path} rPx -> child-open-strict, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/vmstat r, - - /dev/tty rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index 5764deb77..ccff2f95f 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -17,7 +17,6 @@ profile wechat @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index e7eabe6ec..07f67fb59 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -17,7 +17,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include - include include network netlink raw, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 3824f9526..b1c8aded2 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -18,7 +18,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 22e9a1447..a62a6847d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -75,7 +75,7 @@ deb-systemd-invoke complain debconf-escape complain decibels complain dino attach_disconnected,complain -discord complain +discord attach_disconnected,complain discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain @@ -281,8 +281,6 @@ sddm attach_disconnected,mediate_deleted,complain sddm-greeter complain secure-time-sync attach_disconnected,complain sftp-server complain -signal-desktop attach_disconnected,complain -signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain snap complain From ba35a7933c9f5acceb37066d11be61eef4bf433b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 15:41:53 +0200 Subject: [PATCH 012/155] fix(profile): comment problematic rule Fix #769 --- apparmor.d/groups/browsers/brave | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 0decb0d4b..4c38e0ce5 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -18,7 +18,7 @@ profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), signal receive peer=brave//&brave-crashpad-handler, From eda29668ae75d8b42412f35e3737230c6a626c09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 18:23:30 +0200 Subject: [PATCH 013/155] fix(profile): ensure signal-desktop has the attach_disconnected flag. Fix 812 --- apparmor.d/profiles-s-z/signal-desktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 0bedb90e1..dc0bc381e 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} { +profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include From 10e57f01a64eb821dcecc03a7298cf049454253e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:27:44 +0200 Subject: [PATCH 014/155] feat(abs): add /etc/xdg/menus and session files to kde-strict. See #811 --- apparmor.d/abstractions/desktop | 7 +++++++ apparmor.d/abstractions/kde-strict | 7 +++++++ apparmor.d/groups/browsers/firefox-kmozillahelper | 5 ----- apparmor.d/groups/kde/dolphin | 6 ------ 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..878f6f794 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -49,6 +49,8 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -63,6 +65,11 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 56aa88798..428aa93f3 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -25,6 +25,8 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -39,6 +41,11 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index 8e86ee126..ade169f25 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -27,16 +27,11 @@ profile firefox-kmozillahelper @{exec_path} { /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kservices5/ r, owner @{user_share_dirs}/kservices5/searchproviders/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 5d51f8c4d..3879fa6a5 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -51,8 +51,6 @@ profile dolphin @{exec_path} { /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/ui_standards.rc r, # Full access to user's data @@ -89,10 +87,6 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, owner @{user_config_dirs}/knfsshare.lock rwk, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int}, - owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, From e09586e01dd015c26462c410bc0caee9a00e8e8d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:30:43 +0200 Subject: [PATCH 015/155] feat(abs): freedesktop: add more path for recently-used files. see #811 --- apparmor.d/abstractions/freedesktop.org.d/complete | 5 +++++ apparmor.d/groups/gnome/gnome-tweaks | 1 - apparmor.d/groups/gnome/gsd-media-keys | 2 -- apparmor.d/groups/kde/dolphin | 1 - apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/okular | 2 -- 6 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 220883c29..df445cef5 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -23,4 +23,9 @@ owner @{HOME}/.icons/{,**} r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 96e83b846..7f93b7864 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -36,7 +36,6 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, - owner @{user_share_dirs}/recently-used.xbel* rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 2a2ea034f..6cae2d49b 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -71,8 +71,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 3879fa6a5..2d3b099d7 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -74,7 +74,6 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index fdc0730c4..1ee022dc6 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -38,7 +38,6 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, - owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/user-places.xbel r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7618a10d4..7cd628b09 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -69,8 +69,6 @@ profile okular @{exec_path} { owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int}, - owner @{user_share_dirs}/recently-used.xbel.lock rk, owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, From c02674593d00754b54f3329d1ac75ab0c44af571 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:34:48 +0200 Subject: [PATCH 016/155] feat(profile): update kde profiles see #811 --- .../groups/freedesktop/xdg-desktop-portal-kde | 16 ++++++++++++++++ apparmor.d/groups/kde/kalendarac | 5 +++++ apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 4 ---- apparmor.d/groups/kde/ksmserver | 3 --- apparmor.d/groups/kde/kwalletmanager | 3 --- apparmor.d/groups/kde/kwin_x11 | 5 +++-- apparmor.d/groups/kde/okular | 14 +++++--------- .../groups/kde/plasma-browser-integration-host | 6 ------ apparmor.d/groups/kde/plasma_session | 1 - apparmor.d/groups/kde/systemsettings | 3 --- apparmor.d/profiles-m-r/pinentry-qt | 2 ++ 12 files changed, 32 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 8c1c1686f..bd5981dcf 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -11,6 +11,7 @@ include profile xdg-desktop-portal-kde @{exec_path} { include include + include include include include @@ -30,6 +31,12 @@ profile xdg-desktop-portal-kde @{exec_path} { #aa:exec kioworker /usr/share/plasma/look-and-feel/** r, + /usr/share/thumbnailers/{,**} r, + + /etc/fstab r, + /etc/xdg/dolphinrc r, + + / r, owner @{HOME}/ r, @@ -39,12 +46,21 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, + + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, owner @{PROC}/@{pid}/mountinfo r, + /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index a45652c7b..e9ae78457 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -34,6 +34,11 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/kalendaracstaterc rw, + owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, + owner @{user_state_dirs}/kalendaracstaterc.lock rwk, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index c9fa538df..2ef26836d 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -84,6 +84,7 @@ profile kded @{exec_path} { /var/lib/dbus/machine-id r, / r, + @{efi}/ r, owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 9da19046d..0e8ba3395 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -18,15 +18,11 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, /etc/machine-id r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index eb53bc078..6d515fb18 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -49,9 +49,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index dc64cbb9e..5ffcafd4f 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -36,9 +36,6 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, - owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index e05e443ff..8400c8cb6 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -25,10 +25,12 @@ profile kwin_x11 @{exec_path} { @{exec_path} mrix, @{sh_path} rix, + @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi + /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, @@ -47,6 +49,7 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kaccessrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, @@ -54,8 +57,6 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_share_dirs}/kwin/scripts/ r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7cd628b09..acd9b7430 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -42,8 +42,6 @@ profile okular @{exec_path} { /etc/fstab r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, / r, @{MOUNTS}/ r, @@ -51,19 +49,17 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_config_dirs}/okular-generator-popplerrc r, - owner @{user_config_dirs}/KDE/*.conf r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index dce3545f7..e17d4c5f1 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -21,16 +21,10 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, - /etc/xdg/menus/applications-merged/ r, - /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 1fbeda384..5d3812594 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -36,7 +36,6 @@ profile plasma_session @{exec_path} { /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, - /etc/xdg/menus/ r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6..b41dac08a 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -57,7 +57,6 @@ profile systemsettings @{exec_path} { /etc/fstab r, /etc/machine-id r, - /etc/xdg/menus/{,applications-merged/} r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, @@ -90,8 +89,6 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 3c5ec0a94..66729769f 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -17,6 +17,8 @@ profile pinentry-qt @{exec_path} { include include + ptrace read peer=gpg-agent, + @{exec_path} mr, /etc/machine-id r, From ace53f3002531730a262245b27d62c16a65efc7c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:35:19 +0200 Subject: [PATCH 017/155] feat(profile): openvpn need to load module. See #811 --- apparmor.d/groups/network/openvpn | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index a6ff1a939..b5a6b83ef 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -27,17 +27,12 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { include include - # Needed to remove the following errors: - # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) - # Exiting due to fatal error - capability net_admin, - - # These are needed when user/group are set in a OpenVPN config file - capability setuid, - capability setgid, - - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability net_admin, # create tun + capability setgid, # when user/group are set in a OpenVPN config file + capability setuid, + capability sys_module, network inet dgram, network inet6 dgram, From d51b386d13540c6ff55317cc588734451a6e0f4c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:36:05 +0200 Subject: [PATCH 018/155] feat(abs): pager: improve integration with opensuse. See #811 --- apparmor.d/abstractions/app/pager | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 1557b78ef..30acc5612 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -21,6 +21,8 @@ /usr/share/file/misc/** r, /usr/share/nvim/{,**} r, + @{etc_ro}/lesskey.bin r, + @{HOME}/.lesshst r, owner @{HOME}/ r, From b1b3ee8321d2a269ef2e3e24ff8a367cbed46adc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:38:15 +0200 Subject: [PATCH 019/155] feat(abs): add tty/drivers to pgrrep/pkill subprofiles. see #811 --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/kde/kded | 2 -- apparmor.d/groups/procps/pgrep | 2 -- 3 files changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index d6b7ba8a7..0ec14bea0 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -24,6 +24,7 @@ @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2ef26836d..ef81b95d1 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -160,8 +160,6 @@ profile kded @{exec_path} { include include - @{PROC}/tty/drivers r, - include if exists } diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 950aeb99e..489f55bd7 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -14,8 +14,6 @@ profile pgrep @{exec_path} { @{exec_path} mr, - @{PROC}/tty/drivers r, - include if exists } From e15bd7bea03e25b4b27423a3e36e3530be89f21d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:40:17 +0200 Subject: [PATCH 020/155] feat(abs): improve vim integration with common editors. see #811 --- apparmor.d/abstractions/app/editor | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 2bd14077b..b33dbc7f4 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -12,9 +12,10 @@ @{sh_path} rix, @{bin}/nvim mrix, @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mrix, + @{bin}/vim* mrix, @{bin}/which{,.debianutils} rix, + /usr/share/doc/{,**} r, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, /usr/share/vim/{,**} r, @@ -24,8 +25,9 @@ /etc/xdg/nvim/* r, owner @{HOME}/.selected_editor r, - owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vim/{after/,}spell/{,**} rw, + owner @{HOME}/.vim/** r, + owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, owner @{HOME}/ r, From e2b1547bf11bf305b49881fa12fa0688fb5d88db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:41:26 +0200 Subject: [PATCH 021/155] feat(profile): ssh: add ssh.hmac Similar to newest version of sshd with sshd.hmac see #811 --- apparmor.d/groups/ssh/ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 43fbddc63..75a25771f 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -26,6 +26,7 @@ profile ssh @{exec_path} { @{exec_path} mrix, @{bin}/@{shells} rUx, + @{bin}/ssh.hmac r, @{lib}/{,ssh/}ssh-sk-helper rix, From 44a6bc86e6cf25b344d76ab36a345d1181aaab20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:43:15 +0200 Subject: [PATCH 022/155] feat(tunable): add `bin` to XDG_BIN_DIR. So it can get allowed/denied by profile using user_bin_dirs. see #811 --- apparmor.d/tunables/home.d/apparmor.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c791f5376..398fe20f4 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -16,7 +16,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}=".local/bin" +@{XDG_BIN_DIR}="bin" ".local/bin" @{XDG_LIB_DIR}=".local/lib" # Define extended user directories not defined in the XDG standard but commonly From b90a2a89fe095d3de5be2d139eeaaaa1065815be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:44:10 +0200 Subject: [PATCH 023/155] feat(abs): app-open: kde opener need system id. see #811 --- apparmor.d/abstractions/app/open | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 9d0da2199..243d18261 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -33,8 +33,7 @@ include include include - - /etc/xdg/menus/ r, + include owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, From d09f5d055f5f0d91e7dc1e64dda621e62aea4a1e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:51:16 +0200 Subject: [PATCH 024/155] feat(profile): improve dbus definitions. --- .../bus/org.freedesktop.ScreenSaver | 5 +++++ .../bus/org.freedesktop.portal.Desktop | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- .../gnome/evolution-addressbook-factory | 1 + .../groups/gnome/gnome-extension-gsconnect | 4 +++- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/network/NetworkManager | 20 +++++-------------- apparmor.d/groups/systemd/resolvectl | 1 + apparmor.d/profiles-s-z/spotify | 1 + apparmor.d/profiles-s-z/terminator | 5 +++++ 10 files changed, 28 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index 43ed93af6..f73768e9f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -9,6 +9,11 @@ member={Inhibit,UnInhibit} peer=(name=org.freedesktop.ScreenSaver), + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label=gjs-console), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 5e5967a1a..2753a6602 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -36,6 +36,11 @@ member=Register peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop/** + interface=org.freedesktop.portal.Request + member=Response + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 4fb1764bc..167e66d65 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -6,7 +6,7 @@ #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 9f18395f2..3d83232e1 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -26,6 +26,7 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3cf92d613..64568eab0 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include @@ -36,9 +37,10 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} dbus eavesdrop bus=session, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d4c8b1ba2..95874290f 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -18,6 +18,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f7c0dd084..01de67a18 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,22 +50,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher + member=Action peer=(name=org.freedesktop.nm_dispatcher), - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*), - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=:*, label="@{p_bluetoothd}"), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label="@{p_bluetoothd}"), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq + interface=org.freedesktop.NetworkManager.dnsmasq + member=SetServersEx + peer=(name=@{busname}, label=dnsmasq), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index dd5bdb3d4..58f2d88f8 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -22,6 +22,7 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 1ec4eeea3..a3a093c85 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -35,6 +35,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index d71ccf802..59c78396d 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -29,6 +29,11 @@ profile terminator @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + @{exec_path} mr, @{bin}/ r, From 20546d37a0f7aa3bb26c01659e64187a8bf22f49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:51:48 +0200 Subject: [PATCH 025/155] feat(profile): fprintd needs sys_admin see #811 --- apparmor.d/profiles-a-f/fprintd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 1d00dce88..8a5f9c01a 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -15,6 +15,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, From 112d54907ec106665dbd3e9660b43e132879add9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:53:52 +0200 Subject: [PATCH 026/155] feat(profile): thunderbird/firefox: move rules needed in both programs. --- apparmor.d/abstractions/app/firefox | 3 +++ apparmor.d/groups/browsers/firefox | 3 --- apparmor.d/profiles-s-z/thunderbird-glxtest | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 85922664b..68fb14887 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -100,6 +100,9 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, owner @{tmp}/remote-settings-startup-bundle- rw, owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index fe8507219..bac81c847 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -64,9 +64,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, - owner @{tmp}/mozilla* rw, - owner @{tmp}/mozilla*/ rw, - owner @{tmp}/mozilla*/* rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 4f25e0862..4dc891361 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -11,7 +11,7 @@ include @{config_dirs} = @{HOME}/.@{name}/ @{exec_path} = @{lib_dirs}/glxtest -profile thunderbird-glxtest @{exec_path} { +profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include include From 9c9af1d821a7eb85547484ce4563cce0d7909743 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:59:20 +0200 Subject: [PATCH 027/155] feat(profile): improve integration with ubuntu. --- apparmor.d/groups/gpg/gpg | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-probe | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 5 +++++ 6 files changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 6a01796ff..b65823520 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,6 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c081d53c3..5b62fa30c 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -27,7 +27,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{sbin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 017083eaf..c767d2f02 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -36,6 +36,8 @@ profile grub-probe @{exec_path} { /dev/**/ r, /dev/mapper/control w, + deny mqueue (read, getattr) type=posix /, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 01de67a18..6b444093c 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -71,6 +71,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rPx, @{bin}/netconfig rPUx, @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 83806e753..bff816339 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -15,7 +15,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, @{sh_path} rix, - @{sbin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/{,e}grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 14a83ffbb..a4fc278f0 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -16,6 +16,8 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/cpio ix, + @{bin}/dpkg Cx -> child-dpkg, @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @@ -25,6 +27,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, @{sbin}/blkid Px, + @{sbin}/cryptsetup PUx, + @{sbin}/dmsetup Px, + @{sbin}/iucode_tool ix, /usr/share/mdadm/mkconf Px, @{bin}/* mr, From 5f368403b343df0dd3d23d10a2b58896c6b7c2f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:27:34 +0200 Subject: [PATCH 028/155] Revert "feat(tunable): add `bin` to XDG_BIN_DIR." This reverts commit 44a6bc86e6cf25b344d76ab36a345d1181aaab20. --- apparmor.d/tunables/home.d/apparmor.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index 398fe20f4..c791f5376 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -16,7 +16,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}="bin" ".local/bin" +@{XDG_BIN_DIR}=".local/bin" @{XDG_LIB_DIR}=".local/lib" # Define extended user directories not defined in the XDG standard but commonly From 753d36cfa337a37a3aead1cf1e9781553a5cbd22 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:29:54 +0200 Subject: [PATCH 029/155] fix(profile): manually deny path in git Needed as 44a6bc86e6cf25b344d76ab36a345d1181aaab20 raise merged rule with conflicting x modifiers errors. --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 425fe2f14..0538f5da0 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -38,6 +38,7 @@ profile git @{exec_path} flags=(attach_disconnected) { deny /usr/local/games/ r, deny /var/lib/flatpak/exports/bin/ r, deny owner @{HOME}/.go/bin/ r, + deny owner @{HOME}/bin/ r, deny owner @{user_bin_dirs}/ r, # These are needed for "git submodule update" From 7d49a1628e1c67457780d8f5b372bc804d021917 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:32:27 +0200 Subject: [PATCH 030/155] fix(abs): avahi socket path. --- apparmor.d/abstractions/common/app | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 74c82f92a..3029fb80b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -67,7 +67,7 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. + @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, From 6739b238cef5bf052371ad4fe67f31c65dd107f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:33:29 +0200 Subject: [PATCH 031/155] feat(abs): base-strict: allow communication to children and stacked profiles. --- apparmor.d/abstractions/base-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 818a4937f..22ca5ec5e 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -67,8 +67,9 @@ # Allow unconfined processes to us via unix sockets unix receive peer=(label=unconfined), - # Allow communication to children profiles + # Allow communication to children and stacked profiles signal peer=@{profile_name}//*, + signal peer=@{profile_name}//&*, unix type=stream peer=(label=@{profile_name}//*), # Allow us to create abstract and anonymous sockets From 3d329fdef8801c3fc892e33fa3876bf96ed37d70 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:39:35 +0200 Subject: [PATCH 032/155] feat(profile): minor profiles improvement. --- apparmor.d/groups/freedesktop/colord | 4 +++- apparmor.d/groups/freedesktop/pipewire | 2 ++ apparmor.d/groups/kde/kscreenlocker_greet | 2 ++ apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/systemd/systemd-delta | 4 ++-- apparmor.d/groups/systemd/systemd-detect-virt | 7 +++++++ apparmor.d/profiles-a-f/cheese | 6 +++++- 7 files changed, 22 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ee2cdf42e..81d0c9f6b 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -59,7 +59,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/{vendor,model,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/parport@{int}/base-addr r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index ad4eb57c5..97e3c6119 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -47,6 +47,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{tmp}/librnnoise-@{int}.so rm, + @{run}/snapd.socket rw, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, @@ -62,6 +63,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, @{sys}/module/apparmor/parameters/enabled r, + owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index dd3a6b42b..ddd14b5c2 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -25,6 +25,8 @@ profile kscreenlocker_greet @{exec_path} { network netlink raw, + ptrace read peer=ksmserver, + signal (receive) set=(term) peer=kwin_wayland, signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index 5f09af5cc..e953834a7 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -74,6 +74,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{run}/cockpit/active.issue r, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 7cf546a56..311636d95 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -10,11 +10,11 @@ include profile systemd-delta @{exec_path} { include - signal (send) peer=child-pager, + signal send peer=child-pager, @{exec_path} mr, - @{bin}/less rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/binfmt.d/{,**} r, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 35f4afbc4..01e49025f 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -21,6 +21,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, + @{run}/systemd/container r, @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -29,6 +30,12 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, + @{sys}/firmware/uv/prot_virt_guest r, + @{sys}/hypervisor/properties/features r, + + @{PROC}/xen/capabilities r, + + /dev/cpu/@{int}/msr r, include if exists } diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b308439c3..b89fa42f2 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Roman Beslik +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -41,7 +42,10 @@ profile cheese @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, From aafcd1c861c4ea9afdf0bc535b2bc10e50fa81ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 17:21:24 +0200 Subject: [PATCH 033/155] feat(profile): simplify ssh home path. --- apparmor.d/groups/ssh/ssh | 4 +--- apparmor.d/groups/ssh/ssh-keygen | 8 ++++---- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 75a25771f..03236196c 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -36,9 +36,7 @@ profile ssh @{exec_path} { @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - owner @{HOME}/@{XDG_SSH_DIR}/ r, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, - owner @{HOME}/@{XDG_SSH_DIR}/config r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 397ffdcd6..b55824e58 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,13 +15,13 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ w, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, - /tmp/snapd@{int}/*_*{,.pub} w, - /tmp/snapd@{int}/*.key{,.pub} w, + owner /tmp/snapd@{int}/*_*{,.pub} w, + owner /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, From c29b4ba536ba0b625955d85f912ece0ef12f2318 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:03:36 +0200 Subject: [PATCH 034/155] feat(profile): various security/linter improvement - Ignore some rule from the linter - Move some bin to subprofile --- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/pacman/pacdiff | 6 +----- apparmor.d/profiles-a-f/baobab | 1 + apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-m-r/mimetype | 6 +++--- apparmor.d/profiles-s-z/tomb | 2 +- apparmor.d/profiles-s-z/xarchiver | 11 ++++------- tests/check.sh | 5 ++++- tests/sbin.list | 1 + 10 files changed, 18 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index da5da33a1..9be1f3258 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -48,6 +48,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/ldconfig.real Cx -> ldconfig, @{sbin}/update-rc.d Cx -> rc, + #aa:lint ignore=too-wide # Maintainer scripts can legitimately start/restart anything # PU is only used as a safety fallback. @{bin}/** PUx, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e58c9d8b3..a814eaaa9 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -61,8 +61,8 @@ profile reportbug @{exec_path} { /usr/share/bug/*/{control,presubj} r, + #aa:lint ignore=too-wide /etc/** r, - /etc/reportbug.conf r, owner @{HOME}/ r, # For shell pwd owner @{HOME}/.reportbugrc{,~} rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 497386125..cab9eed4b 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, @@ -30,11 +31,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{bin}/rm rix, @{bin}/sed rix, @{bin}/tput rix, - @{bin}/vim rix, - - owner @{HOME}/.viminfo{,.tmp} rw, - - owner @{user_cache_dirs}/vim/{,**} rw, # packages files / r, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index cd1e7563f..654e40117 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -19,6 +19,7 @@ profile baobab @{exec_path} { @{open_path} rPx -> child-open-help, + #aa:lint ignore=too-wide # As a directory tree analyzer it needs full access to the filesystem / r, /** r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index e7bfafaac..5ec394807 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -28,6 +28,7 @@ profile file-roller @{exec_path} { # Archivers @{archive_path} rix, + #aa:lint ignore=too-wide # Full access to user's data @{MOUNTS}/** rw, owner @{HOME}/** rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index cf8431c7a..91d021fae 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -19,14 +19,14 @@ profile mimetype @{exec_path} { /usr/share/mime/aliases r, /usr/share/mime/magic r, + # To read files + owner /** r, #aa:lint ignore=too-wide + owner @{user_share_dirs}/mime/**.xml r, owner @{user_share_dirs}/mime/globs r, owner @{user_share_dirs}/mime/aliases r, owner @{user_share_dirs}/mime/magic r, - # To read files - /** r, - include if exists } diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 93e29bcfa..9b0912bd9 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -67,7 +67,7 @@ profile tomb @{exec_path} { @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, - @{bin}/e2fsc rPUx, + @{sbin}/e2fsck rPx, @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index f38a69224..4d2766101 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -40,13 +40,10 @@ profile xarchiver @{exec_path} { owner @{HOME}/.bz2 rw, - / r, - /home/ r, - #owner @{HOME}/ r, - #owner @{HOME}/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - /tmp/ r, + #aa:lint ignore=too-wide + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, owner @{tmp}/** rw, @{PROC}/@{pid}/mountinfo r, diff --git a/tests/check.sh b/tests/check.sh index 9bafd5104..60e23c694 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -171,6 +171,9 @@ _check_abstractions() { _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done + if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then + _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" + fi } readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') @@ -222,7 +225,7 @@ readonly TRANSITION_MUST_PC=( # Must transition to 'Px' ischroot who ) readonly TRANSITION_MUST_C=( # Must transition to 'Cx' - sysctl kmod pgrep pkexec sudo systemctl udevadm + sysctl kmod pgrep pkill pkexec sudo systemctl udevadm fusermount fusermount3 fusermount{,3} nvim vim sensible-editor ) diff --git a/tests/sbin.list b/tests/sbin.list index 8ee14fd21..16073f0d2 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -761,6 +761,7 @@ ugc umount.nfs umount.nfs4 umount.udisks2 +unbound unconfined undump.bt unix_chkpwd From c51943934ed4a99105a75eda382a5df6959ad6b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:04:35 +0200 Subject: [PATCH 035/155] feat(tunable): add x64 to @{arch} --- apparmor.d/tunables/multiarch.d/system | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 359d1b878..0eae0fde3 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -20,6 +20,7 @@ @{lib}=/{,usr/}lib{,exec,32,64} # Common places for temporary files +# /tmp/user/@{uid}/ is needed when using .... (default on Debian) @{tmp}=/tmp/ /tmp/user/@{uid}/ # Common places for EFI @@ -29,7 +30,7 @@ # ---------------- # Common architecture names -@{arch}=x86_64 amd64 i386 i686 +@{arch}=x86_64 x64 amd64 i386 i686 # Dbus unique name @{busname}=:1.@{u16} :not.active.yet From 483c0c107d611502578e12d9355004644f715e0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:22:07 +0200 Subject: [PATCH 036/155] build: enable re-attach disconnected path by default Ignored on Ubuntu 25.04 and abi3.0 --- apparmor.d/tunables/multiarch.d/system | 5 ++-- pkg/prebuild/cli/cli.go | 11 +++++++- pkg/prebuild/prepare/attach.go | 37 ++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 pkg/prebuild/prepare/attach.go diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 0eae0fde3..06cb42000 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,8 +69,9 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# Attachment path for attach_disconnected.path flag. -# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. +# Default attachment path when re-attached path disconnected path is ignored. +# Disabled on abi3 and Ubuntu 25.04+ +# See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ alias // -> /, diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 000aa65f9..237b0f0f8 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -108,7 +108,16 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // builder.Register("attach") // Re-attach disconnected path + // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak + // that fully prevent profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + if prebuild.Distribution != "ubuntu" { + builder.Register("attach") + prepare.Register("attach") + } else if prebuild.Release["VERSION_CODENAME"] == "noble" { + builder.Register("attach") + prepare.Register("attach") + } default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go new file mode 100644 index 000000000..a87ff9071 --- /dev/null +++ b/pkg/prebuild/prepare/attach.go @@ -0,0 +1,37 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2025 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type ReAttach struct { + prebuild.Base +} + +func init() { + RegisterTask(&ReAttach{ + Base: prebuild.Base{ + Keyword: "attach", + Msg: "Configure tunable for re-attached path", + }, + }) +} + +func (p ReAttach) Apply() ([]string, error) { + res := []string{} + + // Remove the @{att} tunable that is going to be defined in profile header + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + return res, path.WriteFile([]byte(out)) +} From b0c661931af5b376f79d1dadff684e3d165b4f64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:23:05 +0200 Subject: [PATCH 037/155] fix(build): fsp regex. --- pkg/prebuild/builder/fsp.go | 2 +- pkg/prebuild/cli/cli.go | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index ed2285de5..8f7fb4202 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -11,7 +11,7 @@ import ( var ( regFullSystemPolicy = util.ToRegexRepl([]string{ - `r(PU|U)x,`, `rPx,`, + `(PU|U)x,`, `Px,`, }) ) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 237b0f0f8..ab221e485 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -139,6 +139,9 @@ func Configure() { func Prebuild() { logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + if full { + logging.Success("Full system policy enabled") + } if prebuild.Version != nilVer { logging.Success("AppArmor version targeted: %.1f", prebuild.Version) } From c0de5ff71d9a2aec1b3c778cc31261a2961f54c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:38:46 +0200 Subject: [PATCH 038/155] ci: also run the integration tests on manual run. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bcb817338..9f2addf88 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -83,7 +83,7 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build - if: github.ref == 'refs/heads/dev' + if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' steps: - name: Check out repository code uses: actions/checkout@v4 From be341a4ca8c48c03823609d143ea98e2a5c7b860 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:43:21 +0200 Subject: [PATCH 039/155] feat(profile): syncthing 2.0 uses sqlite. --- apparmor.d/profiles-s-z/syncthing | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 6ff0fe7e9..4553ac1e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -35,6 +35,9 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, From e8055098033abd1f3f73d2a1578f2dc07f7b1ce8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 19:42:44 +0200 Subject: [PATCH 040/155] build: opensuse: improve post install script. --- dists/apparmor.d.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index bf97705a6..d60841581 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -32,8 +32,8 @@ just complain just destdir="%{buildroot}" install %posttrans -rm -f /var/cache/apparmor/* 2>/dev/null -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +%restart_on_update apparmor %files %license LICENSE From ca24da7a2a4e11def29652d27c49e1ec11539e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 19:49:43 +0200 Subject: [PATCH 041/155] build(debian): improve post install scripts. --- debian/apparmor.d.postinst | 5 ++++- debian/apparmor.d.postrm | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 4e659173c..fd0ffeb33 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,6 +7,9 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 4e659173c..fd0ffeb33 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,6 +7,9 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 From f5a4acd37e374f1036addc7c2425e578982f6a05 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Aug 2025 19:13:59 +0200 Subject: [PATCH 042/155] feat(abs): graphics: add cpu_capacity --- apparmor.d/abstractions/graphics | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 37f6be70e..79872ceb4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -14,6 +14,7 @@ @{sys}/bus/pci/devices/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, @{sys}/devices/system/cpu/cpu@{int}/topology/* r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, From 5ee999536ca2f5ae5cfbb999bb20bc7334d278ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Aug 2025 19:23:33 +0200 Subject: [PATCH 043/155] feat(abs): reorganize the electron & chromium abs. --- apparmor.d/abstractions/app/chromium | 32 ++----------------- apparmor.d/abstractions/common/chromium | 25 +++++++++++---- apparmor.d/abstractions/common/electron | 39 ++--------------------- apparmor.d/groups/network/mullvad-gui | 5 +-- apparmor.d/groups/steam/steam | 8 +++-- apparmor.d/profiles-a-f/deltachat-desktop | 1 + apparmor.d/profiles-a-f/discord | 4 ++- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/linuxqq | 1 + apparmor.d/profiles-m-r/protonmail | 1 + apparmor.d/profiles-s-z/session-desktop | 1 + apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/spotify | 3 +- apparmor.d/profiles-s-z/superproductivity | 1 + apparmor.d/profiles-s-z/vesktop | 2 +- apparmor.d/profiles-s-z/wechat | 1 + apparmor.d/profiles-s-z/wechat-appimage | 1 + apparmor.d/profiles-s-z/wechat-universal | 1 + apparmor.d/profiles-s-z/wemeet | 2 ++ 19 files changed, 46 insertions(+), 85 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index a971ca5a0..8f991c230 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -33,6 +33,7 @@ include include include + include include include include @@ -46,14 +47,6 @@ include include - userns, - - capability setgid, - capability setuid, - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - network inet dgram, network inet6 dgram, network inet stream, @@ -112,21 +105,12 @@ /etc/fstab r, /etc/{,opensc/}opensc.conf r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - / r, owner @{HOME}/ r, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, @@ -151,10 +135,7 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/scoped_dir@{rand6}/{,**} rw, owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, @@ -163,9 +144,6 @@ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, - /dev/shm/ r, - owner /dev/shm/.@{domain}.@{rand6} rw, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @@ -175,10 +153,7 @@ @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/kernel_max r, @{sys}/devices/virtual/**/report_descriptor r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -192,18 +167,15 @@ owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, /dev/ r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 9fba7b8bb..78441fe08 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -4,7 +4,13 @@ # SPDX-License-Identifier: GPL-2.0-only # This abstraction is for chromium based application. Chromium based browsers -# need to use abstractions/chromium instead. +# need to use abstractions/app/chromium instead. + +# It works as a *function* and requires a variable to be provided as *arguments* +# and set in the header of the calling profile. Example: +# +# @{domain} = org.chromium.Chromium +# abi , @@ -22,19 +28,24 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, + owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, + owner @{tmp}/.@{domain}.@{rand6} rw, + owner @{tmp}/.@{domain}.@{rand6}/ rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/ rw, owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/SS w, /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.@{domain}.@{rand6} rw, + + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 175fa8b2d..b581c9073 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -7,13 +7,15 @@ # in the header of the calling profile. Example: # # @{name} = spotify -# @{lib_dirs} = /opt/@{name} +# @{domain} = org.chromium.chromium +# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ # @{config_dirs} = @{user_config_dirs}/@{name} # @{cache_dirs} = @{user_cache_dirs}/@{name} # abi , + include include include include @@ -21,14 +23,6 @@ include include - userns, - - capability setgid, # If kernel.unprivileged_userns_clone = 1 - capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @@ -48,31 +42,7 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_config_dirs}/electron-flags.conf r, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, - - /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -89,15 +59,12 @@ owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index e4d2e9a2c..639d3ce4b 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,6 +7,7 @@ abi , include @{name} = Mullvad?VPN +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -31,10 +32,6 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, - owner @{user_cache_dirs}/dconf/user rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/mullvad-vpn rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 5009b970d..abfab75d7 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -21,10 +21,12 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{domain} = org.chromium.Chromium +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} steam-runtime-steamrt @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64 +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{lib_dirs}/steam-runtime-steamrt @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 4f60099a9..87c2bbaba 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,6 +7,7 @@ abi , include +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 8765084ff..3b34d5055 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -8,6 +8,7 @@ abi , include @{name} = discord +@{domain} = org.chromium.Chromium @{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -48,7 +49,6 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/@{version}/modules/** m, owner "@{tmp}/Discord Crashes/" rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, owner @{tmp}/discord.sock rw, owner @{tmp}/net-export/ rw, @@ -57,6 +57,8 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, + deny ptrace read, + include if exists } diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index f4284873d..95e37b4d6 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -8,6 +8,7 @@ abi , include @{name} = {F,f}ree{T,t}ube{,-vue} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -39,7 +40,6 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, deny @{sys}/devices/@{pci}/usb@{int}/** r, - deny /dev/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 08b8cf7a1..ff2ffe6b8 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -7,6 +7,7 @@ abi , include @{name} = QQ +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/QQ/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c2c81d4da..0ac23267b 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -8,6 +8,7 @@ abi , include @{name} = proton-mail "Proton Mail" +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 4817f330a..dc190b787 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {S,s}ession +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index dc0bc381e..bf0740919 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -8,6 +8,7 @@ abi , include @{name} = signal-desktop{,-beta} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} @{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a3a093c85..3c18059a9 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,6 +8,7 @@ abi , include @{name} = spotify +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -57,8 +58,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c0b940478..c49a96621 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -7,6 +7,7 @@ abi , include @{name} = super{p,P}roductivity +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index b4b63fe74..4f4432650 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -8,6 +8,7 @@ abi , include @{name} = vesktop +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -33,7 +34,6 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open, - owner /tmp/.org.chromium.Chromium.@{rand6} mr, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, @{sys}/devices/@{pci}/usb@{int}/**/interface r, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index ccff2f95f..00fe0a8c5 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -7,6 +7,7 @@ abi , include @{name} = wechat +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 07f67fb59..98ce53f07 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -7,6 +7,7 @@ abi , include @{name} = wechat-appimage +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-appimage/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index b1c8aded2..94da6c60e 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -7,6 +7,7 @@ abi , include @{name} = wechat-universal +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-universal/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 4f40ef746..3606533d7 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -6,6 +6,8 @@ abi , include +@{domain} = org.chromium.Chromium + @{exec_path} = @{bin}/wemeet @{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess From e55ace4e0a5646fd1e9ad786a4356689bb668d90 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:07:53 +0200 Subject: [PATCH 044/155] fix(profile): issue with re-attached paths - Add missing att on some profiles - Fix alias / -> // - Fix aa-log att variable resolution fix #813 #814 --- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/abstractions/common/bwrap | 4 +++- apparmor.d/groups/flatpak/flatpak | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++--- apparmor.d/groups/freedesktop/xwayland | 4 +--- apparmor.d/groups/hyprland/hyprland | 3 +++ apparmor.d/tunables/multiarch.d/system | 2 +- pkg/logs/logs.go | 3 +-- 8 files changed, 15 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index e394c5b99..29c685f55 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -14,6 +14,8 @@ @{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/stdout rw, + @{att}/dev/null rw, + /apparmor/.null rw, @{att}/apparmor/.null rw, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index f4630475d..da73b8217 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -38,12 +38,14 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, - owner / r, owner /newroot/{,**} w, owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + @{att}/ r, + @{att}/@{run}/.userns r, + @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/user/max_user_namespaces r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c34ae962f..fca84002a 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -66,7 +66,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /etc/flatpak/{,**} r, /etc/pulse/client.conf r, - / r, + @{att}/ r, /var/lib/flatpak/{,**} rwlk, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index bc975e4ea..5c62b0771 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -64,9 +64,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, - owner @{att}/ r, + / r, + @{att}/ r, + @{att}/.flatpak-info r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 9b329e06a..e8c94916d 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -41,9 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - @{att}/dev/tty@{int} rw, - /dev/tty rw, - include if exists } diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 8c8c32da0..c1e6da4d8 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -62,6 +62,9 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, + /dev/input/event@{int} rw, /dev/tty r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 06cb42000..e2f297045 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -74,6 +74,6 @@ # See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ -alias // -> /, +alias / -> //, # vim:syntax=apparmor diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 2443eaace..b0ae58702 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -64,7 +64,7 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/att/[^/@]+`, `@{att}/`, + `/att/[^/]+/`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, `/usr/sbin`, `@{sbin}`, @@ -86,7 +86,6 @@ var ( `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, - `@{att}//`, `@{att}/`, // Some system glob `:not.active.yet`, `@{busname}`, // dbus unique bus name From d3507e24b94336e8ca5e1ba50887ed0755a7e341 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:09:28 +0200 Subject: [PATCH 045/155] fix(build): ensure post install script do not fail. --- debian/apparmor.d.postinst | 2 +- debian/apparmor.d.postrm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index fd0ffeb33..2f8c90ae0 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache +apparmor_parser --purge-cache || true if systemctl is-active -q apparmor; then systemctl reload apparmor fi diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index fd0ffeb33..2f8c90ae0 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache +apparmor_parser --purge-cache || true if systemctl is-active -q apparmor; then systemctl reload apparmor fi From 7c427aaae6252ee42e316f83b0faae97cb7a1268 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:10:34 +0200 Subject: [PATCH 046/155] build: do not overwrite steam. --- dists/overwrite | 1 - 1 file changed, 1 deletion(-) diff --git a/dists/overwrite b/dists/overwrite index 5bc00f9fe..c8769ba54 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -20,7 +20,6 @@ os-prober plasmashell signal-desktop slirp4netns -steam systemd-coredump thunderbird virtiofsd From 9110a7012441a1f57566361cc05c65d11a189fb7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:16:31 +0200 Subject: [PATCH 047/155] tests: add debian/ubuntu based tests images. Also some cleanup of tests resources. --- .gitignore | 1 + tests/cloud-init/debian.yml | 5 +++-- tests/cloud-init/debian13-kde.user-data.yml | 9 +++++++++ tests/cloud-init/ubuntu.yml | 1 + tests/cloud-init/ubuntu24-kubuntu.user-data.yml | 1 + tests/cloud-init/ubuntu25-kubuntu.user-data.yml | 9 +++++++++ tests/packer/clean.sh | 1 - tests/packer/init.sh | 5 +++-- tests/packer/variables.pkr.hcl | 4 ++-- tests/requirements.sh | 2 +- 10 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 tests/cloud-init/debian13-kde.user-data.yml create mode 100644 tests/cloud-init/ubuntu25-kubuntu.user-data.yml diff --git a/.gitignore b/.gitignore index d888d6d5c..077d62cbf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # Build .build .logs +.pkg tests/tldr tests/tldr.tar.gz diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index ea3012ad2..b96bb5880 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -23,7 +23,7 @@ core-packages: &core-packages - unattended-upgrades - vim -gnome-packages: &desktop-packages +gnome-packages: &gnome-packages # Core packages for Debian - apparmor-profiles - apparmor-utils @@ -53,7 +53,7 @@ gnome-packages: &desktop-packages - loupe - ptyxis -kde-packages: &kubuntu-packages +kde-packages: &kde-packages # Core packages for Debian - apparmor-profiles - apparmor-utils @@ -79,6 +79,7 @@ kde-packages: &kubuntu-packages # KDE packages for Debian - spice-vdagent - task-kde-desktop + - plasma-workspace-wayland - terminator debian12-runcmd: &debian12-runcmd diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml new file mode 100644 index 000000000..5a4d33bf5 --- /dev/null +++ b/tests/cloud-init/debian13-kde.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *kde-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index 14db33251..1f3563750 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -82,6 +82,7 @@ kubuntu-packages: &kubuntu-packages - spice-vdagent - terminator - kubuntu-desktop + - plasma-workspace-wayland desktop-runcmd: &desktop-runcmd # Add missing snap packages diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml index d4139c2f7..bea74af3a 100644 --- a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml +++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml @@ -6,3 +6,4 @@ runcmd: *desktop-runcmd write_files: - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml new file mode 100644 index 000000000..bea74af3a --- /dev/null +++ b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *kubuntu-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index b7650a1d5..f7518a2f6 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -55,7 +55,6 @@ clean_apt() { clean_pacman() { _msg "Cleaning pacman cache" - pacman -Syu --noconfirm pacman -Scc --noconfirm } diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 4e4e1ec99..bf75c0e1e 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eu +set -eux _lsb_release() { # shellcheck source=/dev/null @@ -31,7 +31,8 @@ main() { ;; debian | ubuntu) - dpkg -i $SRC/*.deb + apt install -y apparmor-profiles + dpkg -i $SRC/*.deb || true ;; opensuse*) diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 073544f59..a44f98412 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -98,8 +98,8 @@ variable "DM" { img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" } "debian13" : { - img_url = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/debian-13-genericcloud-amd64-daily.qcow2" - img_checksum = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/SHA512SUMS" + img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" } "ubuntu22" : { img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" diff --git a/tests/requirements.sh b/tests/requirements.sh index efc357ad4..0801ff27d 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -5,7 +5,7 @@ # Dependencies for the bats integration tests -set -eu +set -eu -o pipefail # shellcheck source=/dev/null _lsb_release() { From 52e9ae9fd621997113f2284b9500a511df9c285f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:29:21 +0200 Subject: [PATCH 048/155] fix(profile): define missing domain. --- apparmor.d/profiles-a-f/element-desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 91de37e58..7891b67e1 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {E,e}lement +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} From 4e70cb4c918013914b2bc4bef750374879ad615d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 11:57:36 +0200 Subject: [PATCH 049/155] fix(profile): workaround in apparmor issue for attached path. See https://gitlab.com/apparmor/apparmor/-/issues/450 Fix #815 --- apparmor.d/abstractions/common/app | 2 ++ apparmor.d/groups/flatpak/flatpak-app | 1 - apparmor.d/groups/flatpak/flatpak-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/tunables/multiarch.d/system | 1 - pkg/prebuild/prepare/attach.go | 1 + 8 files changed, 7 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 3029fb80b..3b425e505 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -135,6 +135,8 @@ owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{att}/dev/shm/@{uuid} r, + /dev/hidraw@{int} rw, /dev/input/ r, /dev/input/event@{int} rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index a816e58b8..4199e92b1 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -83,7 +83,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - @{run}/.userns r, @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 8a8d2b901..84e2d7964 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -31,7 +31,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{att}/ r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/.var/app/*/**/.ref rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5c62b0771..5e27ac845 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -65,8 +65,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, / r, - @{att}/ r, @{att}/.flatpak-info r, + owner /att/**/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index fc11b0700..c9585e2ab 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -52,7 +52,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, / r, - owner @{att}/ r, + owner /att/**/ r, owner /var/lib/xkb/server-@{int}.xkm rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 93cac619e..d2db2612e 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -44,7 +44,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/snap rPx, / r, - owner @{att}/ r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/ r, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index e2f297045..288665770 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -73,7 +73,6 @@ # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ - alias / -> //, # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index a87ff9071..3331c73dc 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -33,5 +33,6 @@ func (p ReAttach) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") return res, path.WriteFile([]byte(out)) } From 58aea2b00d2975372a89db7c32deb6e7d3f35705 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 11:59:06 +0200 Subject: [PATCH 050/155] build: update flag manifest. --- dists/flags/main.flags | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a62a6847d..057c7c298 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -46,7 +46,7 @@ cockpit-desktop complain cockpit-session attach_disconnected,complain cockpit-ssh complain cockpit-tls attach_disconnected,complain -cockpit-ws complain +cockpit-ws attach_disconnected,complain cockpit-wsinstance-factory complain cups-backend-beh complain cups-backend-bluetooth complain @@ -110,11 +110,9 @@ flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain -flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain -fstrim complain fuse-overlayfs complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain @@ -159,7 +157,6 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain -gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain @@ -189,7 +186,7 @@ kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain kdump_mem_estimator complain -kdump-config complain +kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain @@ -283,11 +280,11 @@ secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain slirp4netns attach_disconnected,complain -snap complain +snap attach_disconnected,complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-seccomp complain +snap-seccomp attach_disconnected,complain snap-update-ns complain snapd complain snapd-apparmor complain @@ -388,7 +385,7 @@ update-grub complain update-info-dir complain update-secureboot-policy complain update-shells complain -userdbctl complain +userdbctl attach_disconnected,complain utempter attach_disconnected,complain veracrypt complain virt-manager attach_disconnected,complain From edc2755d615b64b8a05607e62bfe248f58704fde Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:03:17 +0200 Subject: [PATCH 051/155] feat(profile): kde: add initial dbus definition. --- apparmor.d/groups/kde/DiscoverNotifier | 8 +++++ apparmor.d/groups/kde/gmenudbusmenuproxy | 3 ++ apparmor.d/groups/kde/kaccess | 5 +++ apparmor.d/groups/kde/kactivitymanagerd | 4 +++ apparmor.d/groups/kde/kauth-backlighthelper | 2 ++ .../groups/kde/kauth-chargethresholdhelper | 5 +++ apparmor.d/groups/kde/kauth-discretegpuhelper | 4 +++ apparmor.d/groups/kde/kauth-kded-smart-helper | 6 +++- apparmor.d/groups/kde/kcminit | 3 ++ apparmor.d/groups/kde/kde-powerdevil | 15 +++++++++ apparmor.d/groups/kde/kded | 31 +++++++++++++++++-- apparmor.d/groups/kde/kglobalacceld | 3 ++ apparmor.d/groups/kde/kioworker | 3 ++ apparmor.d/groups/kde/konsole | 3 ++ .../groups/kde/kscreen_backend_launcher | 8 ++++- apparmor.d/groups/kde/ksmserver | 11 +++++++ apparmor.d/groups/kde/ksplashqml | 4 +++ apparmor.d/groups/kde/kwalletd | 6 ++++ apparmor.d/groups/kde/kwin_wayland | 12 +++++++ apparmor.d/groups/kde/kwin_wayland_wrapper | 3 ++ apparmor.d/groups/kde/kwin_x11 | 8 +++++ apparmor.d/groups/kde/plasma_waitforname | 1 + apparmor.d/groups/kde/plasmashell | 21 +++++++++++++ apparmor.d/groups/kde/sddm | 15 ++------- apparmor.d/groups/kde/sddm-greeter | 5 +++ apparmor.d/groups/kde/sddm-xsession | 10 ++++++ apparmor.d/groups/kde/startplasma | 5 +++ apparmor.d/groups/kde/systemsettings | 5 +++ apparmor.d/groups/kde/xembedsniproxy | 3 ++ apparmor.d/groups/network/NetworkManager | 3 +- apparmor.d/groups/network/nm-online | 4 +-- apparmor.d/groups/polkit/polkitd | 5 +++ apparmor.d/profiles-m-r/packagekitd | 2 +- 33 files changed, 206 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 3ec36976d..861132887 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,6 +10,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include + include + include + include + include include include include @@ -23,6 +27,10 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, + #aa:dbus own bus=session name=org.kde.discover.notifier + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + @{exec_path} mr, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index d9879941b..b30e39cdc 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 42c1400ef..65582d1ba 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,10 +10,15 @@ include profile kaccess @{exec_path} { include include + include + include + include include include include + #aa:dbus own bus=session name=org.kde.kaccess + @{exec_path} mr, @{bin}/gsettings rPx, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1ee022dc6..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include + include include include include @@ -18,6 +19,9 @@ profile kactivitymanagerd @{exec_path} { include include + #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager + #aa:dbus own bus=session name=org.kde.runners.activities + @{exec_path} mr, /etc/xdg/menus/{,*/} r, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 61308e83b..cc844ce17 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -16,6 +16,8 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, + #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 8ed8bf82e..119b5508d 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -9,7 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include + include include + include + + #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index f03dfb007..8fcec5a2c 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -9,8 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include + include + include include + #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index cf0caffeb..2e60e6a0a 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -15,10 +15,14 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart + dbus receive bus=system path=/ + interface=org.kde.kf5auth + member=performAction + peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded5), + peer=(name=org.freedesktop.DBus, label=kded), @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index e11de6a48..bd01bf3c8 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,9 +10,12 @@ include profile kcminit @{exec_path} { include include + include include include + #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit + @{exec_path} mr, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 45c382855..c961ed7a3 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,6 +11,13 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include + include + include + include include include include @@ -20,6 +27,14 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, + #aa:dbus own bus=system name=org.freedesktop.Policy.Power + + #aa:dbus own bus=session name=local.org_kde_powerdevil + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + #aa:dbus own bus=session name=org.kde.Solid.PowerManagement + + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ef81b95d1..e729ec78b 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -10,9 +10,14 @@ include profile kded @{exec_path} { include include + include + include include + include include + include include + include include include include @@ -35,19 +40,41 @@ profile kded @{exec_path} { signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, + # Owned by KDE + #aa:dbus own bus=system name=com.redhat.NewPrinterNotification + + #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier + #aa:dbus own bus=session name=org.kde.GtkConfig + #aa:dbus own bus=session name=org.kde.kappmenu + #aa:dbus own bus=session name=org.kde.kcookiejar5 + #aa:dbus own bus=session name=org.kde.kded5 + #aa:dbus own bus=session name=org.kde.keyboard + #aa:dbus own bus=session name=org.kde.KeyboardLayouts + #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement + #aa:dbus own bus=session name=org.kde.plasmashell.accentColor + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + #aa:dbus own bus=session name=org.kde.Wacom + #aa:dbus own bus=session name=org.kubuntu.NotificationHelper + #aa:dbus own bus=session name=org.kubuntu.restrictedInstall + + # Talk with KDE + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" + dbus receive bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=:*, label=kauth-kded-smart-helper), + peer=(name=@{busname}, label=kauth-kded-smart-helper), dbus send bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 0e8ba3395..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,8 +9,11 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel + @{exec_path} mr, @{bin}/kstart rPx, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index a5f867378..69b735310 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include + include include include include @@ -32,6 +33,8 @@ profile kioworker @{exec_path} { signal receive set=term peer=plasmashell, signal receive set=term peer=xdg-desktop-portal-kde, + #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 8f9ff48dd..057a23d70 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -13,6 +13,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -22,6 +23,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), + #aa:dbus own bus=session name=org.kde.konsole-@{int} + @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index d4b547c7c..7df07f64b 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,8 +10,14 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include + include + include + include include + include + + #aa:dbus own bus=session name=org.kde.KScreen + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 6d515fb18..f4d54c295 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,6 +11,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include + include include include include @@ -20,6 +23,14 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=kbuildsycoca5, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer + #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld + #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland + @{exec_path} mr, @{bin}/rm rix, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 13f1216a5..e1d5d7394 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include + include + include include include include @@ -16,6 +18,8 @@ profile ksplashqml @{exec_path} { ptrace read peer=startplasma, + #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index c4e25e9ff..23737f14e 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,6 +11,9 @@ include profile kwalletd @{exec_path} { include include + include + include + include include include include @@ -19,6 +22,9 @@ profile kwalletd @{exec_path} { include include + #aa:dbus own bus=session name=org.freedesktop.secrets + #aa:dbus own bus=session name=org.kde.kwalletd5 + @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index afaac3bd0..a8dc97d53 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,6 +10,10 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include include include include @@ -27,6 +31,14 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { network netlink raw, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd + @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index 1a7573d77..a7ce4c2fe 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include + include include include signal (send) set=(term, kill) peer=kwin_wayland, + #aa:dbus own bus=session name=org.kde.KWinWrapper + @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8400c8cb6..f4f955a4f 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include + include include include include @@ -22,6 +24,12 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + + #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index a509135af..d32122a8a 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 07fbc8e14..19106cfa9 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,9 +11,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include + include + include include + include include include include @@ -43,6 +47,23 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { signal send, + #aa:dbus own bus=session name=com.canonical.Unity + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.kde.JobViewServer + #aa:dbus own bus=session name=org.kde.klipper + #aa:dbus own bus=session name=org.kde.kuiserver + #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell + #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} + + #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd + #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil + #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 143df5c9e..9884e2145 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -50,20 +50,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=startplasma-wayland, signal (send) set=(term) peer=startlxqtwayland, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=kscreenlocker-greet), + unix type=stream addr=@@{udbus}/bus/sddm-helper/system, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label="@{p_systemd_logind}"), + #aa:dbus own bus=system name=org.freedesktop.DisplayManager - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f2c133cec..c9aca546a 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -23,6 +23,11 @@ profile sddm-greeter @{exec_path} { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f27f3dc3c..f4256d3d4 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -90,6 +90,16 @@ profile sddm-xsession @{exec_path} { profile dbus { include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 004b89d57..651061aa9 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,12 +11,17 @@ profile startplasma @{exec_path} { include include include + include + include include include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index b41dac08a..aab520a72 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,7 +10,9 @@ include profile systemsettings @{exec_path} { include include + include include + include include include include @@ -23,6 +25,9 @@ profile systemsettings @{exec_path} { signal send set=term peer=kioworker, + #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement + #aa:dbus own bus=session name=org.kde.systemsettings + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 6cb93163c..b768e2630 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 6b444093c..f27449e77 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,8 +50,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher - member=Action + member=Action2 peer=(name=org.freedesktop.nm_dispatcher), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq interface=org.freedesktop.NetworkManager.dnsmasq member=SetServersEx diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 189afd74d..710d3115b 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -16,12 +16,12 @@ profile nm-online @{exec_path} { dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 4dc1380c0..c2de7f8b6 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -24,6 +24,11 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 + dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label=polkit-kde-authentication-agent), + @{exec_path} mr, @{bin}/pkla-check-authorization rPx, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 9de9cadf9..19f6a515e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -38,7 +38,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { signal send set=int peer=apt-methods-*, signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit + #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** @{exec_path} mr, From 523522dd1d2fd75efdd5c07e0b91de897be4cf4b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:05:38 +0200 Subject: [PATCH 052/155] feat(profile): improve kde profiles. --- .../polkit-kde-authentication-agent | 5 ++++ .../groups/kde/drkonqi-coredump-cleanup | 3 ++- apparmor.d/groups/kde/kded | 21 +++++++++++++--- apparmor.d/groups/kde/konsole | 4 ++- apparmor.d/groups/kde/kwalletd | 2 ++ apparmor.d/groups/kde/kwin_wayland | 15 ++++++----- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/sddm | 9 ++++++- apparmor.d/groups/kde/sddm-xsession | 13 +++++++--- apparmor.d/groups/kde/startplasma | 1 + apparmor.d/groups/kde/systemsettings | 1 + apparmor.d/groups/kde/wayland-session | 25 +++++++++++++++---- apparmor.d/groups/kde/xembedsniproxy | 1 + apparmor.d/groups/kde/xsettingsd | 1 + 14 files changed, 81 insertions(+), 21 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index f53f4d164..8a08f02d0 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,6 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include include include include @@ -26,6 +28,9 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, signal (send) set=(term, kill) peer=polkit-agent-helper, + #aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int} + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index c74276b95..199dd9c8f 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -14,7 +14,8 @@ profile drkonqi-coredump-cleanup @{exec_path} { @{exec_path} mr, @{user_cache_dirs}/kcrash-metadata/ r, - owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw, + owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw, include if exists } diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e729ec78b..f2f2489ab 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -18,6 +18,7 @@ profile kded @{exec_path} { include include include + include #aa:only apt include include include @@ -26,16 +27,19 @@ profile kded @{exec_path} { include include include + include include capability sys_ptrace, network inet dgram, + network inet stream, network inet6 dgram, - network netlink raw, + network inet6 stream, network netlink dgram, + network netlink raw, - ptrace (read), + ptrace read, signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, @@ -78,11 +82,13 @@ profile kded @{exec_path} { @{exec_path} mrix, + @{python_path} rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/flatpak rPx, @{bin}/kcminit rPx, + @{bin}/lsb_release rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{python_path} rix, - @{bin}/flatpak rPx, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -94,18 +100,22 @@ profile kded @{exec_path} { #aa:exec kconf_update /usr/share/color-schemes/{,**} r, + /usr/share/distro-info/{,**} r, + /usr/share/distro-release-notifier/{,**} r, /usr/share/kconf_update/ r, /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/ubuntu-release-upgrader/{,*} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, + /etc/update-manager/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -113,6 +123,8 @@ profile kded @{exec_path} { / r, @{efi}/ r, + owner /var/lib/update-manager/meta-release-lts rw, + owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, @@ -125,6 +137,7 @@ profile kded @{exec_path} { @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, + owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 057a23d70..fa55e177d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -56,7 +56,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/konsole.notifyrc r, - owner @{user_config_dirs}/konsolerc{,*} rwlk, + owner @{user_config_dirs}/konsolerc rwl, + owner @{user_config_dirs}/konsolerc.@{rand6} rwl, + owner @{user_config_dirs}/konsolerc.lock rwk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 23737f14e..ad96cb512 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -45,6 +45,8 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, + owner @{run}/user/@{uid}/kwallet{5,6}.socket r, + owner @{tmp}/kwalletd5.* rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index a8dc97d53..243e0adfe 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -23,14 +23,17 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { capability sys_nice, capability sys_ptrace, - ptrace (read), - - signal (receive) set=term peer=sddm, - signal (receive) set=(kill, term) peer=kwin_wayland_wrapper, - signal (send) set=(kill, term) peer=xwayland, - network netlink raw, + ptrace read, + + signal receive set=term peer=sddm, + signal receive set=(kill, term) peer=kwin_wayland_wrapper, + signal send set=(kill, term) peer=xwayland, + + unix type=stream peer=(label=xkbcomp), + unix type=stream peer=(label=xwayland), + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver #aa:dbus own bus=session name=org.kde.kglobalaccel #aa:dbus own bus=session name=org.kde.KWin diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 19106cfa9..68ea4fc0c 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -80,6 +80,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /opt/**/share/icons/{,**} r, /opt/*/**/*.desktop r, /opt/*/**/*.png r, + /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 9884e2145..b62116704 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -66,20 +66,26 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/{,sddm/}sddm-helper-start-x11user rix, @{shells_path} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, @{bin}/cat rix, - @{sbin}/checkproc rix, + @{bin}/date rix, + @{bin}/dirname rix, @{bin}/disable-paste rix, + @{bin}/id rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/sed rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/xdm r, @{bin}/xmodmap rix, + @{sbin}/checkproc rix, @{bin}/dbus-run-session rPx -> dbus-session, @{bin}/dbus-update-activation-environment rPx -> dbus-session, @@ -98,6 +104,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/systemctl rCx -> systemctl, @{bin}/xauth rCx -> xauth, @{bin}/Xorg rPx, + @{bin}/xrandr rPx, @{bin}/xrdb rPx, @{bin}/xset rPx, @{bin}/xsetroot rPx, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f4256d3d4..0e9290d53 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -25,9 +25,11 @@ profile sddm-xsession @{exec_path} { @{bin}/chmod rix, @{bin}/csh rix, @{bin}/date rix, + @{bin}/dpkg-query rpx, @{bin}/fish rix, + @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, @@ -40,12 +42,13 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, + @{bin}/tr rix, @{bin}/which{,.debianutils} rix, - @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @{bin}/numlockx rPx, + @{bin}/xbrlapi rPx, @{bin}/xhost rPx, @{bin}/xrdb rPx, /etc/X11/Xsession rPx, @@ -60,7 +63,9 @@ profile sddm-xsession @{exec_path} { @{system_share_dirs}/im-config/data/{,*} r, @{system_share_dirs}/im-config/xinputrc.common r, + @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r, + /etc/debuginfod/{,**} r, /etc/default/{,*} r, /etc/X11/{,**} r, @@ -71,7 +76,7 @@ profile sddm-xsession @{exec_path} { owner @{tmp}/xsess-env-* rw, owner @{tmp}/file* rw, - audit owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/loginuid r, @@ -133,6 +138,8 @@ profile sddm-xsession @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{HOME}/.xsession-errors w, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 651061aa9..5db93719c 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -36,6 +36,7 @@ profile startplasma @{exec_path} { @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, + /usr/share/byobu/desktop/{,**} r, /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices{5,6}/{,**} r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index aab520a72..a78225b67 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -80,6 +80,7 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements r, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 124cf2fda..56914137b 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -13,14 +13,29 @@ profile wayland-session @{exec_path} { @{exec_path} mr, - @{shells_path} rix, - @{bin}/id rix, + @{shells_path} rix, + @{bin}/cat ix, + @{bin}/dpkg-query px, + @{bin}/gettext ix, + @{bin}/gettext.sh r, + @{bin}/id ix, + @{bin}/locale ix, + @{bin}/locale-check ix, + @{bin}/sed ix, + @{bin}/tr ix, - @{lib}/plasma-dbus-run-session-if-needed rix, - @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{bin}/startplasma-wayland rPx, + @{bin}/startplasma-wayland Px, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix, + @{lib}/plasma-dbus-run-session-if-needed ix, + /usr/share/im-config/{,**} r, + /usr/share/libdebuginfod-common/debuginfod.sh r, + + /etc/debuginfod/{,**} r, + /etc/default/im-config r, /etc/machine-id r, + /etc/X11/xinit/xinputrc r, + /etc/X11/Xsession.d/*im-config_launch r, owner @{user_share_dirs}/sddm/wayland-session.log rw, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index b768e2630..93259822e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -16,6 +16,7 @@ profile xembedsniproxy @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 7cebbb43c..1adbf1d9f 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xsettingsd profile xsettingsd @{exec_path} { include + include signal (receive) set=hup peer=kded, From 7e79d5abefa13bd226d4b1f5671b238d168590b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:15:24 +0200 Subject: [PATCH 053/155] feat(profile): improve support for ubuntu & kubuntu. --- apparmor.d/abstractions/bus/org.a11y | 10 ++++++++++ apparmor.d/abstractions/graphics-full | 4 ++++ apparmor.d/abstractions/kde-strict | 3 ++- apparmor.d/abstractions/mesa.d/complete | 2 ++ apparmor.d/groups/apt/dpkg-script-linux | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/unattended-upgrade | 12 ++++++----- apparmor.d/groups/bluetooth/blueman-mechanism | 1 + apparmor.d/groups/bluetooth/obexd | 3 ++- apparmor.d/groups/browsers/chromium-wrapper | 1 + apparmor.d/groups/browsers/firefox-glxtest | 2 ++ apparmor.d/groups/bus/dbus-accessibility | 7 ++++--- apparmor.d/groups/bus/ibus-memconf | 3 +-- apparmor.d/groups/freedesktop/wireplumber | 6 ++---- .../groups/freedesktop/xdg-desktop-portal | 4 ++++ .../freedesktop/xdg-desktop-portal-gnome | 4 ++++ apparmor.d/groups/freedesktop/xrandr | 4 ++++ apparmor.d/groups/freedesktop/xwayland | 3 ++- apparmor.d/groups/gnome/deja-dup-monitor | 6 ++++++ apparmor.d/groups/gnome/gdm-generate-config | 3 +-- apparmor.d/groups/gnome/gjs-console | 11 +++++++++- apparmor.d/groups/gnome/yelp | 6 ++++-- apparmor.d/groups/snap/snap | 6 +++++- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snapd | 1 - apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/ubuntu/apport-gtk | 20 +++++++++++++++++-- apparmor.d/groups/ubuntu/apt_news | 1 + apparmor.d/groups/ubuntu/ubuntu-fan-net | 12 +++++++++++ apparmor.d/groups/ubuntu/update-notifier | 2 +- .../groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/groups/utils/login | 1 + apparmor.d/groups/virt/cockpit-tls | 2 +- .../groups/virt/cockpit-wsinstance-factory | 15 ++++++++++++-- apparmor.d/profiles-a-f/dhclient-script | 19 +++++++++++++----- apparmor.d/profiles-a-f/dracut-install | 2 ++ apparmor.d/profiles-g-l/kernel | 4 ++++ apparmor.d/profiles-g-l/lsb-release | 1 + apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/motd | 10 +++++++++- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-m-r/qdbus | 1 + apparmor.d/profiles-s-z/switcheroo-control | 1 + apparmor.d/profiles-s-z/update-info-dir | 2 ++ apparmor.d/profiles-s-z/whoopsie | 10 ++++++++++ apparmor.d/profiles-s-z/wsdd | 1 + apparmor.d/profiles-s-z/xbrlapi | 2 ++ 47 files changed, 180 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 2677d2f61..c99f5f8bd 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -31,6 +31,11 @@ member=Embed peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + # Session bus dbus send bus=session path=/org/a11y/bus @@ -38,6 +43,11 @@ member=GetAll peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=Get diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1f2b0ffd2..eb60edb4d 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -6,6 +6,10 @@ include + @{sys}/devices/@{pci}/numa_node r, + + @{PROC}/devices r, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools rw, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 428aa93f3..fd994d12d 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -20,6 +20,7 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications{5,6}/*.notifyrc r, + /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, @@ -44,7 +45,7 @@ owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 1d718c0b1..02a48114c 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -42,4 +42,6 @@ @{PROC}/sys/dev/xe/observation_paranoid r, + /dev/udmabuf rw, # In upstream, but not released yet + # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index b294b928b..af578be50 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{bin}/cat ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 9be1f3258..7d2073768 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -168,6 +168,7 @@ profile dpkg-scripts @{exec_path} { /usr/local/ r, /usr/local/lib/ r, + /var/cache/ldconfig/ rw, owner /var/cache/ldconfig/aux-cache* rw, include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 0d4d2ee33..d501a325f 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/touch ix, @{bin}/uname ix, - @{bin}/dpkg-deb px, @{bin}/apt-listchanges Px, + @{bin}/df Px, + @{bin}/dmesg Px, @{bin}/dpkg Px, + @{bin}/dpkg-deb px, @{bin}/dpkg-divert Px, @{bin}/etckeeper Px, @{bin}/ischroot Px, @@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, /etc/ssh/moduli r, - /etc/ssh/ssh_config r, + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/ufw/{,**} r, /etc/update-manager/{,**} r, /etc/update-motd.d/{,**} r, @@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, - /var/crash/*.crash w, + /var/crash/*.crash rw, /var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/dpkg/info/{,*} r, @@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/lists/ rw, /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, - /var/log/apt/{term,history}.log w, - /var/log/apt/eipp.log.xz w, + /var/log/apt/*.log* rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism index ffdda336e..9b4800210 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -11,6 +11,7 @@ include profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include include + include include include diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index efb5f42e4..65ad4c0e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -10,8 +10,9 @@ include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include - include include + include + include include network bluetooth stream, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index dea35ae1a..d29dcc630 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 30281f2f4..f9470a59b 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -21,6 +21,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index ee787e4e1..f876d1210 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -23,8 +23,9 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=gnome-session-binary, unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), @@ -71,10 +72,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/cmdline r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 803f28a4a..5233f8603 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -11,6 +11,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -27,8 +28,6 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 25569cd68..80c3135f5 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -76,10 +76,8 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/1/cgroup r, - @{PROC}/1/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5e27ac845..35c81f0bc 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -45,6 +45,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.host.portal.Registry member=Register peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.NetworkMonitor + member=GetStatus + peer=(name=@{busname}, label=snap.*), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 6ee4cab6d..bed83627a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -47,6 +47,10 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index fc1935c4b..ed9e7a030 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -12,8 +12,12 @@ profile xrandr @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, + @{run}/sddm/xauth_@{rand6} r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index e8c94916d..a8950dbc6 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -20,7 +20,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix type=stream addr=none peer=(label=gnome-shell, addr=none), + unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=kwin_wayland), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index af7fa51b0..ac5d6af81 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -33,10 +33,16 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=power-profiles-daemon), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, + @{bin}/deja-dup Px, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index d48b9eff6..9d910cdd2 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,7 +18,7 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, - ptrace read, + # ptrace read, @{exec_path} mr, @@ -45,7 +45,6 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, - @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index fdaa4e825..0cfd4c420 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -64,6 +64,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-shell/{,**} r, + /usr/share/thumbnailers/{,**} r, /tmp/ r, /var/tmp/ r, @@ -76,9 +77,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +98,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/tty rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 058b9697a..1f2fc39d3 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help -profile yelp @{exec_path} { +profile yelp @{exec_path} flags=(attach_disconnected) { include include include @@ -30,7 +30,9 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 425d5cd66..ef0a086a8 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -68,9 +68,13 @@ profile snap @{exec_path} flags=(attach_disconnected) { /var/cache/snapd/names r, @{DESKTOP_HOME}/snap/{,**} rw, - @{HOME}/snap/{,**} rw, /snap/{,**} rw, + @{HOME}/snap/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/.snap.mkdir-new/ rw, + owner @{HOME}/.snap/{,**} rw, + owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 7857bcc6a..9605c544a 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -9,7 +9,7 @@ include @{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp -profile snap-seccomp @{exec_path} { +profile snap-seccomp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0f975b3b0..7e2c288b6 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -34,7 +34,6 @@ profile snapd @{exec_path} { capability setuid, capability sys_admin, capability sys_ptrace, - capability sys_resource, network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index e953834a7..ab86f3ad1 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -55,6 +55,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/userdbctl Px, @{lib}/{openssh,ssh}/sshd-auth Px, @{etc_rw}/motd r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 4940653a3..271ff23e4 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -29,10 +29,12 @@ profile apport-gtk @{exec_path} { network inet6 stream, network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} mr, @{sh_path} rix, + @{python_path} rix, @{bin}/{f,}grep rix, @{bin}/apt-cache rPx, @{bin}/cut rix, @@ -43,20 +45,24 @@ profile apport-gtk @{exec_path} { @{bin}/gsettings rPx, @{bin}/ischroot rPx, @{bin}/journalctl rPx, - @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, + @{bin}/readlink rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @{bin}/which{,.debianutils} rix, + @{sbin}/killall5 rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, + @{bin}/* r, + @{sbin}/* r, + /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, @@ -79,9 +85,10 @@ profile apport-gtk @{exec_path} { /var/crash/ rw, owner /var/crash/*.@{uid}.{crash,upload} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/snapd.socket rw, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apport_core_@{rand8} rw, owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, owner @{tmp}/tmp@{rand8}/{,**} rw, @@ -135,6 +142,15 @@ profile apport-gtk @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label=unconfined), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label=unconfined), + include if exists } diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 7f4e8fbe2..9734803e4 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -14,6 +14,7 @@ profile apt_news @{exec_path} flags=(attach_disconnected) { include capability chown, + capability fowner, capability kill, capability setgid, capability setuid, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net index 74fe83551..ab83ebed4 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -14,10 +14,22 @@ profile ubuntu-fan-net @{exec_path} { @{sh_path} mr, @{bin}/{m,g,}awk ix, + @{bin}/kmod Cx -> kmod, @{bin}/{,e}grep ix, @{bin}/networkctl Px, @{sbin}/fanctl Px, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 361290980..9754aa231 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -25,7 +25,7 @@ profile update-notifier @{exec_path} { unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index d65c77a08..4926c0b1c 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -16,7 +16,7 @@ profile update-notifier-crash @{exec_path} { @{bin}/{,e}grep ix, @{bin}/groups Px, @{bin}/systemctl Cx -> systemctl, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{sh_path} mr, /usr/share/apport/apport-checkreports Px, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index c35001498..cf9663e8e 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -54,6 +54,7 @@ profile login @{exec_path} flags=(attach_disconnected) { /etc/shells r, /var/lib/faillock/@{user} rwk, + /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 7bf43ed4a..8a345588a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,7 +17,7 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, - @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, owner @{run}/cockpit/tls/{,**} rw, diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index 99db4d614..248ca43e8 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -11,12 +11,23 @@ profile cockpit-wsinstance-factory @{exec_path} { include include - unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, - capability net_admin, + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, + + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=JobRemoved + peer=(name=@{busname}, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + @{exec_path} mr, + @{run}/cockpit/wsinstance/https-factory.sock w, + include if exists } diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 3967512b8..9d84a4065 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -46,18 +46,18 @@ profile dhclient-script @{exec_path} { @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{sbin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/tr rix, @{bin}/xxd rix, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, + @{etc_rw}/samba/dhcp.conf{,.new} rw, /etc/default/ddclient r, /etc/dhcp/{,**} r, /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, - @{etc_rw}/samba/dhcp.conf{,.new} rw, /var/lib/dhcp/dhclient.leases r, /var/lib/samba/dhcp.conf{,.new} rw, @@ -71,7 +71,16 @@ profile dhclient-script @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + include if exists + } profile run-parts { include diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 6deb06eb6..e99760a73 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -13,6 +13,8 @@ profile dracut-install @{exec_path} { @{exec_path} mr, + @{bin}/cp rix, + /etc/modprobe.d/{,**} r, @{sys}/devices/platform/{,**/} r, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 41098ab4b..c46b5556e 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -67,6 +67,10 @@ profile kernel @{exec_path} { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index 23bada3ec..d2d52d362 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -17,6 +17,7 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/ r, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cut rix, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index a4fc278f0..cae5c1c3d 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -17,7 +17,7 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, @{bin}/cpio ix, - @{bin}/dpkg Cx -> child-dpkg, + @{bin}/dpkg Px, @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index 67f216212..6cdb0fbf8 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -9,9 +9,13 @@ include @{exec_path} = /etc/update-motd.d/* profile motd @{exec_path} { include + include capability net_admin, + network inet6 stream, + network inet6 stream, + @{exec_path} mr, @{bin}/ r, @@ -44,7 +48,7 @@ profile motd @{exec_path} { /var/lib/ubuntu-advantage/messages/motd-esm-announce r, /var/lib/cloud/instances/nocloud/cloud-config.txt r, - # /tmp/tmp.@{rand10} rw, + /tmp/tmp.@{rand10} rw, @{run}/cloud-init/cloud.cfg r, @{run}/motd.d/{,*} r, @@ -62,6 +66,8 @@ profile motd @{exec_path} { include include + capability net_admin, + network inet dgram, network inet stream, network inet6 dgram, @@ -70,6 +76,8 @@ profile motd @{exec_path} { @{bin}/wget mr, + /etc/wgetrc r, + /tmp/tmp.@{rand10} rw, include if exists diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index b8f50ff7c..178bf28c6 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -38,10 +38,10 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, + @{sys}/devices/**/status r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, - @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus index fa67bad97..6816079ac 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-m-r/qdbus @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus profile qdbus @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index e1b9ab7de..eecb98b28 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -12,6 +12,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index 7c835023f..fe06b32af 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -18,6 +18,8 @@ profile update-info-dir @{exec_path} { @{bin}/find ix, @{bin}/rm ix, + /etc/environment r, + include if exists } diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie index 0c03f4a76..8a2c83904 100644 --- a/apparmor.d/profiles-s-z/whoopsie +++ b/apparmor.d/profiles-s-z/whoopsie @@ -10,10 +10,17 @@ include profile whoopsie @{exec_path} { include include + include capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, /var/crash/ r, @@ -22,6 +29,9 @@ profile whoopsie @{exec_path} { /var/lib/whoopsie/whoopsie-id rw, /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + /var/crash/*.@{uid}.crash r, + owner /var/crash/*.@{uid}.uploaded rw, + owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/lock rwk, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 20575b2a8..fc6955793 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -27,6 +27,7 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, + @{run}/uuidd/request rw, owner @{run}/user/@{uid}/gvfsd/wsdd w, include if exists diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index 4ce252e10..b2f94975f 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -16,6 +16,8 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{HOME}/.xsession-errors w, + include if exists } From 4dba131fb38418b898a02aaec92e977fe7a0a4c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:16:24 +0200 Subject: [PATCH 054/155] feat(profile): parser: move sysctl to its own subprofile. --- apparmor.d/groups/apparmor/apparmor.systemd | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index cb862ff48..f58512a02 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} { @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{sbin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, @@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, - @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, + + include if exists + } + include if exists } From ba16e3c3405d8d801dfbe332e1a77507be3ea879 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:20:08 +0200 Subject: [PATCH 055/155] feat(profile): cleanup log from well known programs. --- apparmor.d/groups/freedesktop/xdg-mime | 6 ++++++ apparmor.d/groups/utils/blkid | 5 +++-- apparmor.d/groups/utils/lspci | 4 +++- apparmor.d/profiles-g-l/gsettings | 8 ++++++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 15b73a2d1..9e6dbc2e0 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -59,6 +59,12 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** rw, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + profile bus flags=(complain) { include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 3eee035fe..4105a7419 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -34,8 +34,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - @{run}/cloud-init/ds-identify.log w, # file_inherit - @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, @{PROC}/swaps r, @@ -47,6 +45,9 @@ profile blkid @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + # file_inherit + deny @{run}/cloud-init/ds-identify.log w, + include if exists } diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index e8ba89298..c6ac0fdcd 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -45,7 +45,9 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/ioports r, - deny @{user_share_dirs}/gvfs-metadata/* r, + # file_inherit + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_cache_dirs}/*/** rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index bbdb3da62..849599977 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -23,6 +23,14 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + # file_inherit + deny network netlink raw, + deny /etc/nsswitch.conf r, + deny /etc/passwd r, + deny /opt/*/** r, + deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + include if exists } From 7f9664c51f0aec674bee24a6460323b78e08735e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:51:10 +0200 Subject: [PATCH 056/155] feat(profile): add profile for mpris-proxy. --- apparmor.d/profiles-m-r/mpris-proxy | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mpris-proxy diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy new file mode 100644 index 000000000..2f31aea79 --- /dev/null +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mpris-proxy +profile mpris-proxy @{exec_path} { + include + include + include + include + include + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2 + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 952c4e91a118d8a92f15fef49024665482a8f23d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 20:50:00 +0200 Subject: [PATCH 057/155] feat(aa): add aa --enforce and aa --complain. These are small dev tools, not installed by default. --- cmd/aa/main.go | 131 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 122 insertions(+), 9 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 5d32e9331..b0737de77 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -8,6 +8,9 @@ import ( "flag" "fmt" "os" + "os/exec" + "regexp" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -15,12 +18,14 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] +const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...] Various AppArmor profiles development tools Options: -h, --help Show this help message and exit. + -e, --enforce Switch the given profile(s) to enforce mode. + -c, --complain Switch the given profile(s) to complain mode. -f, --format Format the AppArmor profiles. -l, --lint Lint the AppArmor profiles. -t, --tree Generate a tree of visited profiles. @@ -31,12 +36,19 @@ Options: // Command line options var ( - help bool - path string - systemd bool - lint bool - format bool - tree bool + help bool + path string + systemd bool + enforce bool + complain bool + lint bool + format bool + tree bool +) + +var ( + regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `) + regProfileHeader = regexp.MustCompile(` {\n`) ) type kind uint8 @@ -60,6 +72,10 @@ func init() { flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") + flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.") + flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.") } func getIndentationLevel(input string) int { @@ -111,7 +127,7 @@ func formatFile(kind kind, profile string) (string, error) { for idx, rules := range rulesByParagraph { aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - profile = strings.ReplaceAll(profile, paragraphs[idx], rules.String()+"\n") + fmt.Printf(rules.String() + "\n") } return profile, nil } @@ -152,17 +168,95 @@ func aaFormat(files paths.PathList) error { return nil } +func aaLint(files paths.PathList) error { + for _, file := range files { + fmt.Printf("wip: %v\n", file) + } + return nil +} + +func setFlag(profile string, flag string) (string, error) { + f := aa.DefaultTunables() + if _, err := f.Parse(profile); err != nil { + return profile, err + } + + flags := f.GetDefaultProfile().Flags + switch flag { + case "enforce": + if len(flags) == 0 || slices.Contains(flags, "enforce") { + return profile, nil // Nothing to do + } + idx := slices.Index(flags, "complain") + if idx == -1 { + return profile, nil // No complain flag, nothing to do + } + flags = slices.Delete(flags, idx, idx+1) + + case "complain": + if slices.Contains(flags, "complain") { + return profile, nil // Nothing to do + } + flags = append(flags, "complain") + + default: + return profile, fmt.Errorf("unknown flag: %s", flag) + } + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" + + // Remove all flags definition, then the new flags + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) > 0 { + profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) + } + return profile, nil +} + +func aaSetFlag(files paths.PathList, flag string) error { + for _, file := range files { + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = setFlag(profile, flag) + if err != nil { + return err + } + if err = file.WriteFile([]byte(profile)); err != nil { + return err + } + if err = reloadProfile(file); err != nil { + return err + } + } + return nil +} + func aaTree() error { return nil } +func reloadProfile(file *paths.Path) error { + cmd := exec.Command("apparmor_parser", "--replace", file.String()) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Run(); err != nil { + return fmt.Errorf("apparmor_parser failed: %w", err) + } + return nil +} + func pathsFromArgs() (paths.PathList, error) { res := paths.PathList{} for _, arg := range flag.Args() { path := paths.New(arg) switch { case !path.Exist(): - return nil, fmt.Errorf("file %s not found", path) + if aa.MagicRoot.Join(arg).Exist() { + res = append(res, aa.MagicRoot.Join(arg)) + } else { + return nil, fmt.Errorf("file %s not found", path) + } case path.IsDir(): files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), @@ -190,7 +284,26 @@ func main() { var err error var files paths.PathList switch { + case enforce: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "enforce") + + case complain: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "complain") + case lint: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaLint(files) case format: files, err = pathsFromArgs() From 24f629d326692965d2a17fe948f9500c04e5122b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 21:43:23 +0200 Subject: [PATCH 058/155] fix(profile): few fixes related to reattached paths. See #816 --- apparmor.d/abstractions/common/app | 5 +++++ apparmor.d/groups/flatpak/flatpak | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 ++ apparmor.d/groups/hyprland/hyprland | 2 +- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 3b425e505..b6e6734e6 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -114,6 +114,7 @@ @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/net/core/bpf_jit_enable r, + @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, @@ -131,10 +132,14 @@ owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/dri/renderD128 rw, + @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index fca84002a..6b671f0e0 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -85,6 +85,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{user_games_dirs}/{,**/} w, owner @{user_documents_dirs}/ w, + @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 4199e92b1..f2cd0295a 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -83,6 +83,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, + owner @{att}/@{HOME}/.var/app/** rwlkmix, + @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index c1e6da4d8..cd3270e49 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -38,7 +38,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.hyprpaper_* rw, owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, From 5e5fde7741402aac6648f6ee6fa4f7bf531e9004 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 21:43:20 +0200 Subject: [PATCH 059/155] feat(abs): add the sqlite abstraction. --- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/sqlite | 23 +++++++++++++++++++ apparmor.d/groups/gnome/gnome-music | 3 +-- apparmor.d/groups/gnome/localsearch | 4 +--- apparmor.d/groups/gnome/tracker-miner | 4 +--- apparmor.d/profiles-a-f/dropbox | 3 +-- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 8 +++---- apparmor.d/profiles-g-l/gpodder | 4 +--- .../profiles-m-r/protonmail-bridge-core | 3 +-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 +-- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/syncthing | 4 +--- apparmor.d/profiles-s-z/wechat-appimage | 4 +--- apparmor.d/tunables/multiarch.d/system | 3 --- 18 files changed, 41 insertions(+), 37 deletions(-) create mode 100644 apparmor.d/abstractions/sqlite diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index b6e6734e6..5072cadfd 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,6 +28,7 @@ include include include + include include include @@ -63,7 +64,6 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, - owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite new file mode 100644 index 000000000..690417f87 --- /dev/null +++ b/apparmor.d/abstractions/sqlite @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# SQlite temporary files (hexadecimal from 12 to 16 characters) + + abi , + + owner /var/tmp/etilqs_@{hex12} rw, + owner /var/tmp/etilqs_@{hex12}@{h} rw, + owner /var/tmp/etilqs_@{hex12}@{hex2} rw, + owner /var/tmp/etilqs_@{hex15} rw, + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{tmp}/etilqs_@{hex12} rw, + owner @{tmp}/etilqs_@{hex12}@{h} rw, + owner @{tmp}/etilqs_@{hex12}@{hex2} rw, + owner @{tmp}/etilqs_@{hex15} rw, + owner @{tmp}/etilqs_@{hex16} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 511a48987..2f9795ceb 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -17,6 +17,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, @@ -51,8 +52,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 88e2bf327..049b3c402 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -23,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -56,9 +57,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index d35f6467f..6b358c8b0 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -21,6 +21,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -63,9 +64,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 15f86bcf5..f40d69799 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -23,6 +23,7 @@ profile dropbox @{exec_path} { include include include + include include @{exec_path} mr, @@ -61,8 +62,6 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 40001da68..a7222a664 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -13,6 +13,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7a00455a6..58ba493cc 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -18,6 +18,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -77,7 +78,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index cebfc955f..46ff3eec5 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -11,10 +11,11 @@ include profile gpo @{exec_path} { include include - include include - include + include + include include + include network inet dgram, network inet6 dgram, @@ -36,9 +37,6 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index dd7a20eb7..e60034172 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -14,6 +14,7 @@ profile gpodder @{exec_path} { include include include + include include include @@ -47,9 +48,6 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 45c6766e3..ca9680aea 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -17,6 +17,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -43,8 +44,6 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 02bf3bc56..2ff7b4e71 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -18,6 +18,7 @@ profile psi @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index a455df0e9..f72147cc6 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -18,6 +18,7 @@ profile psi-plus @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index d1194abf5..73b8f7488 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -18,6 +18,7 @@ profile quiterss @{exec_path} { include include include + include include include @@ -47,8 +48,6 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 611c8462d..ae22e1f1d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -21,6 +21,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -68,7 +69,6 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-*-strawberry w, owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 4553ac1e9..83e1b2f45 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -12,6 +12,7 @@ profile syncthing @{exec_path} { include include include + include include network inet dgram, @@ -35,9 +36,6 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 98ce53f07..335860d07 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -19,6 +19,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, network netlink dgram, @@ -59,9 +60,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 288665770..cf8575db0 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -56,9 +56,6 @@ # System Internal # --------------- -# SQlite temporary files (hexadecimal from 12 to 16 characters) -@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} - # Shortcut for PCI device @{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} @{pci_bus}=pci@{hex4}:@{hex2} From c806ec44eb43bd494672f990e49e29426eb087b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 22:56:07 +0200 Subject: [PATCH 060/155] feat(profile): update virt profiles. --- apparmor.d/groups/virt/cockpit-bridge | 7 +++++++ apparmor.d/groups/virt/cockpit-session | 7 +++++++ apparmor.d/groups/virt/cockpit-ws | 4 +++- apparmor.d/groups/virt/dockerd | 9 +++++++++ apparmor.d/groups/virt/libvirt-dbus | 9 ++++++--- apparmor.d/groups/virt/libvirtd | 14 ++++++++++---- apparmor.d/groups/virt/virt-aa-helper | 24 ++++++++++++++++++++++-- apparmor.d/groups/virt/virtiofsd | 4 ++-- 8 files changed, 66 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index b6111750b..bf3d48204 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/cockpit-bridge profile cockpit-bridge @{exec_path} { include + include + include include include include @@ -33,6 +35,9 @@ profile cockpit-bridge @{exec_path} { signal send set=term peer=unconfined, signal (send receive) set=term peer=cockpit-bridge//sudo, + #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + @{exec_path} mr, @{bin}/cat ix, @@ -126,6 +131,8 @@ profile cockpit-bridge @{exec_path} { include include + @{run}/udev/data/n@{int} r, # For network interfaces + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 8eafd25a0..3fbefadb7 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -14,10 +14,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { include capability audit_write, + capability chown, capability dac_read_search, capability net_admin, capability setgid, capability setuid, + capability sys_resource, network netlink raw, @@ -26,6 +28,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, + @{bin}/ssh-agent rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -47,6 +50,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /var/log/lastlog rw, /var/log/wtmp rwk, + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 8e3478072..d4fb299fe 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -18,9 +18,11 @@ profile cockpit-ws @{exec_path} flags=(attach_disconnected) { @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, + /etc/cockpit/ws-certs.d/{,**} r, /usr/share/pixmaps/{,**} r, - /etc/cockpit/ws-certs.d/ r, + /usr/share/plymouth/{,**} r, + @{run}/cockpit/session rw, @{run}/cockpit/wsinstance/https@@{hex64}.sock r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index aa0a9ed58..0a214ccd1 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -69,6 +69,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, + @{bin}/tini-static rCx -> tini, @{bin}/git rCx -> git, @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @@ -172,6 +173,14 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { include if exists } + profile tini { + include + + @{bin}/tini-static mr, + + include if exists + } + profile init flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 303e906c2..f3bbaf019 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -25,9 +25,12 @@ profile libvirt-dbus @{exec_path} { owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/ rw, - @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, + + @{run}/user/@{uid}/libvirt/ rw, + @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + owner @{run}/user/@{uid}/libvirt/libvirt-sock rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index fa3005a65..44d6962f5 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,6 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -47,12 +48,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_pacct, capability sys_ptrace, capability sys_rawio, - capability sys_resource, + capability sys_resource, # Needed for vfio - network inet stream, network inet dgram, - network inet6 stream, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, network packet dgram, network packet raw, @@ -146,7 +147,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/xml/catalog r, /var/cache/libvirt/{,**} rw, - /var/lib/libvirt/{,**} rwk, + /var/lib/libvirt/ rw, + /var/lib/libvirt/** rwk, /var/log/swtpm/libvirt/{,**} rw, # User VM images and share @@ -155,6 +157,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, + owner @{run}/user/@{uid}/libvirt/** rwk, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/ rw, @@ -223,6 +228,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 53afe6012..b49368f07 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -21,14 +21,34 @@ profile virt-aa-helper @{exec_path} { @{sbin}/apparmor_parser rPx, - /etc/apparmor.d/libvirt/* r, + @{etc_rw}/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, + @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file # System VM images /var/lib/libvirt/images/{,**} r, - /var/lib/nova/instances/_base/* r, + + # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507) + /var/lib/nova/images/{,**} r, + /var/lib/nova/instances/_base/{,**} r, + /var/lib/nova/instances/snapshots/{,**} r, + /var/snap/nova-hypervisor/common/instances/_base/{,**} r, + /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r, + + # Eucalyptus disks & loader (LP: #564914 #637544) + /var/lib/eucalyptus/instances/**/disk* r, + /var/lib/eucalyptus/instances/**/loader* r, + + # For uvtool + /var/lib/uvtool/libvirt/images/{,**} r, + + # For multipass + /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r, + + # Common mount directories + @{MOUNTDIRS}/{,**} r, # User VM images @{user_share_dirs}/ r, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 899ecae04..ae7ac5fa9 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd -profile virtiofsd @{exec_path} { +@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd +profile virtiofsd @{exec_path} flags=(attach_disconnected) { include userns, From f3d209e42a0abaabb0a34491b645f653fc035f16 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 22:58:46 +0200 Subject: [PATCH 061/155] feat(profile): ensure nautilus can access root files. --- apparmor.d/groups/gvfs/gvfsd-admin | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 4f845f316..e1b16cac3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -22,14 +22,15 @@ profile gvfsd-admin @{exec_path} { /usr/share/mime/mime.cache r, - @{MOUNTS}/{,**} rw, - - @{run}/mount/utab r, - @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/stat r, + #aa:lint ignore=too-wide + # Full access to system's data, but no write access to sensitive system directories + / r, + /*/ r, + /*/** rw, + deny @{sys}/** w, + deny @{PROC}/** w, + deny @{efi}/** w, + deny /dev/** w, include if exists } From 5d7646d9ccfe75becdb2276f77c03088b4cb8616 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:05:34 +0200 Subject: [PATCH 062/155] Update mandb ALLOWED mandb exec @{bin}/bzip2 -> mandb//null-@{bin}/bzip2 comm=mandb requested_mask=x denied_mask=x ALLOWED mandb//null-@{bin}/bzip2 file_inherit /usr/share/man/man8/grub-btrfsd.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 file_inherit /var/cache/man/52062 comm=bzip2 requested_mask=wr denied_mask=wr ALLOWED mandb//null-@{bin}/bzip2 file_mmap @{bin}/bzip2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 getattr /usr/share/man/man8/grub-btrfsd.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 file_inherit /usr/share/man/man8/grub-btrfs.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 getattr /usr/share/man/man8/grub-btrfs.8.bz2 comm=bzip2 requested_mask=r denied_mask=r --- apparmor.d/profiles-m-r/mandb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index cd825471d..551a6fec0 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -17,6 +17,8 @@ profile mandb @{exec_path} { @{exec_path} mr, + @{bin}/bzip2 rix, + /etc/man_db.conf r, /etc/manpath.config r, From 4d15570ff1dd23566ab4a9a79f84424791ef86e1 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:20:06 +0200 Subject: [PATCH 063/155] Update grub-mkrelpath ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-08-20T16:43@{busname}.488Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-08-18T13:49@{busname}.739Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-04-11T11@{busname}:58.643Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_@{int16}5/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-08-20T16:43@{busname}.488Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-08-18T13:49@{busname}.739Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-04-11T11@{busname}:58.643Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_@{int16}5/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r --- apparmor.d/groups/grub/grub-mkrelpath | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 789f68287..7b5f7eaa1 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -26,7 +26,7 @@ profile grub-mkrelpath @{exec_path} { /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_@{int}/boot/ r, + /tmp/grub-btrfs.*/@_backup_**/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, From 2c64ab91cb58f56590dd9b8a4cfb878da05769ba Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 15:33:55 +0200 Subject: [PATCH 064/155] Update grub-mkrelpath --- apparmor.d/groups/grub/grub-mkrelpath | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 7b5f7eaa1..d4508b4c5 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -26,7 +26,7 @@ profile grub-mkrelpath @{exec_path} { /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_**/boot/ r, + /tmp/grub-btrfs.*/@_backup_*/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, From b3dd09ce0198d0724d1f43b099b4e205a5ec9b5b Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:13:22 +0200 Subject: [PATCH 065/155] Update gnome-boxes ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ladspa.rdfs comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ladspa-rubberband.rdf comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb2/2-3/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-6/1-6.2/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-14/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-13/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r --- apparmor.d/groups/gnome/gnome-boxes | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 2462c2071..16aa4e862 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -36,6 +36,7 @@ profile gnome-boxes @{exec_path} { @{bin}/virsh rCx -> virsh, @{bin}/virtqemud rPUx, + /usr/share/ladspa/rdf/{,*} r, /usr/share/osinfo/{,**} r, /usr/share/gnome-boxes/{,**} r, @@ -55,6 +56,8 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, + owner @{user_share_dirs}/gnome-boxes/images/ rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, owner @{tmp}/*.svg-@{rand6} rw, @@ -66,6 +69,7 @@ profile gnome-boxes @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/@{pci}/usb@{int}/** r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, From ddee0512797143a1b31dbdf41c965234fc61f8b2 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 15:35:42 +0200 Subject: [PATCH 066/155] Update gnome-boxes --- apparmor.d/groups/gnome/gnome-boxes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 16aa4e862..1447715b7 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -56,7 +56,8 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, - owner @{user_share_dirs}/gnome-boxes/images/ rw, + owner @{user_share_dirs}/gnome-boxes/ rw, + owner @{user_share_dirs}/gnome-boxes/** rwk, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, From 8b49f9ebf5c85f2ca94a8e111b1161e2ebc258ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 17:52:57 +0200 Subject: [PATCH 067/155] feat(profile): update telegram path fix #821 --- apparmor.d/profiles-s-z/telegram-desktop | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index d967f4229..c1544af72 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/telegram-desktop +@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram profile telegram-desktop @{exec_path} { include include @@ -35,10 +35,11 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{open_path} rPx -> child-open-strict, + @{bin}/systemd-detect-virt rPx, owner @{user_share_dirs}/TelegramDesktop/ rw, owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, From 0f017048e445cb21f764e480d332f64d79b0907d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 17:57:40 +0200 Subject: [PATCH 068/155] fix(profile): fix att path in flatpak fix #820 --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-portal | 4 ++-- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 6b671f0e0..4122e8055 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -77,6 +77,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, # Can create dotfile directories for any app owner @{user_cache_dirs}/*/ w, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 84e2d7964..ac1e41894 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -34,8 +34,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner /att/**/ r, owner @{att}/.flatpak-info r, - owner @{HOME}/.var/app/*/**/.ref rw, - owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_share_dirs}/mime/mime.cache r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index c6efaf360..be66f7484 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -29,8 +29,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{att}/@{HOME}/.var/app/** r, - owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, From e7a91b307e025498c37b15302f5c8e63d027938d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:01:31 +0200 Subject: [PATCH 069/155] fix(profile): fusermount with fsarchiver fix #817 --- apparmor.d/groups/filesystem/ntfs-3g | 2 ++ apparmor.d/profiles-a-f/fusermount | 1 + 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/filesystem/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g index d94d7a0f2..e4749177c 100644 --- a/apparmor.d/groups/filesystem/ntfs-3g +++ b/apparmor.d/groups/filesystem/ntfs-3g @@ -34,6 +34,8 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver + umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 3df041e64..a84b85322 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -30,6 +30,7 @@ profile fusermount @{exec_path} { umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, + umount /tmp/fsa/*/, # fsarchiver @{exec_path} mr, From ec73d8349e1461995817bfeb5303dd85ea165543 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:05:05 +0200 Subject: [PATCH 070/155] fix(profile): gnome access to chromium shared. fix #806 --- apparmor.d/groups/gnome/gnome-shell | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 95874290f..0f91b7283 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -303,6 +303,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, From ba217a261ed39ad0ec20e909a89ac3618c8fd180 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:15:38 +0200 Subject: [PATCH 071/155] feat(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 9 ++++----- apparmor.d/groups/flatpak/flatpak-app | 4 ++++ apparmor.d/groups/flatpak/flatpak-portal | 6 ++++++ 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 4122e8055..c540b9db8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -40,14 +40,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, - #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - member=GetMountPoint - peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), + #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper + #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @{exec_path} mr, @@ -138,6 +136,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgconf mr, @{bin}/gpgsm mr, @{bin}/gpg-agent rix, + @{lib}/gnupg/scdaemon rix, @{HOME}/@{XDG_GPG_DIR}/*.conf r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index f2cd0295a..e8fe195fb 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -48,6 +48,10 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { signal receive set=(int term) peer=flatpak-portal, signal receive set=(int term) peer=flatpak-session-helper, + unix type=seqpacket peer=(label=dbus-session), + # unix type=seqpacket peer=(label=unconfined), + unix type=seqpacket peer=(label=xdg-dbus-proxy), + @{bin}/** rmix, @{lib}/** rmix, /app/** rmix, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index ac1e41894..b86f0a4fd 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -10,6 +10,7 @@ include profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include + include include capability sys_ptrace, @@ -22,6 +23,11 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/flatpak rPx, From 2d3831221af1662619f74f10a208aff01c599665 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:16:43 +0200 Subject: [PATCH 072/155] feat(profile): update cups profiles. --- apparmor.d/groups/cups/cups-browsed | 5 ++++- apparmor.d/groups/cups/ippfind | 22 ++++++++++++++++++++++ apparmor.d/groups/cups/print-backends-cups | 19 +++++++++++++++++++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/cups/ippfind create mode 100644 apparmor.d/groups/cups/print-backends-cups diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 9498f245a..a7773a57f 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -38,7 +38,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=PrinterDeleted + member={PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), @{exec_path} mr, @@ -52,7 +52,10 @@ profile cups-browsed @{exec_path} { /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + owner @{tmp}/@{hex} rw, + @{run}/cups/certs/* r, + @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind new file mode 100644 index 000000000..c2a944b11 --- /dev/null +++ b/apparmor.d/groups/cups/ippfind @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ippfind +profile ippfind @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/echo rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups new file mode 100644 index 000000000..6ab6007cb --- /dev/null +++ b/apparmor.d/groups/cups/print-backends-cups @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/@{multiarch}/print-backends/cups +profile print-backends-cups @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 46d4207d716dc895d2ec2405f80ea04fbc2bf336 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:22:59 +0200 Subject: [PATCH 073/155] feat(profile): makepkg: handle lsb_release and pager. --- apparmor.d/groups/pacman/makepkg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 583d0b9c0..84136638c 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -29,9 +29,11 @@ profile makepkg @{exec_path} { file, + @{pager_path} Px -> child-pager, @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, + @{bin}/lsb_release Px, @{bin}/sudo Cx -> sudo, deny capability sys_ptrace, From fb82d8d0d60f9c0bc7726c1084bbad3b1b2f26b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:27:22 +0200 Subject: [PATCH 074/155] feat(profile): small gnome related improvement. --- apparmor.d/groups/gnome/evolution-addressbook-factory | 8 ++++---- apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 4 ++-- apparmor.d/groups/gnome/papers | 4 ++++ apparmor.d/groups/network/ModemManager | 1 + apparmor.d/groups/network/mullvad-daemon | 1 + 8 files changed, 15 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 3d83232e1..98c94c79e 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -30,7 +30,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -38,12 +38,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + peer=(name=@{busname}, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -53,7 +53,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 435d055fa..4c84fe822 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -20,6 +20,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability fsetid, capability kill, capability net_admin, + capability sys_admin, capability sys_nice, capability sys_tty_config, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 64568eab0..8887ce797 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -72,6 +72,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{run}/user/@{uid}/gsconnect/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index c10261c02..7e817f490 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -37,6 +37,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/byobu/desktop/{,**} r, /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index f8d4280a0..af5ff2f05 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -20,8 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(hup) peer=gsd-printer, + signal receive set=(term, hup) peer=gdm*, + signal send set=(hup) peer=gsd-printer, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 27000b93a..6f5a137a3 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -25,6 +25,10 @@ profile papers @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 8220516bf..22b94effd 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -17,6 +17,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, network qipcrtr dgram, network netlink raw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 735154b7e..d5c93fc5c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -62,6 +62,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, @{sys}/fs/cgroup/system.slice/cpu.max r, @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, @{PROC}/@{pid}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, From b53e0b7d395ee15c7a79c6ce896e4d871d4103d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:30:44 +0200 Subject: [PATCH 075/155] feat(abs): add the oneapi abs. --- apparmor.d/abstractions/oneapi | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/oneapi diff --git a/apparmor.d/abstractions/oneapi b/apparmor.d/abstractions/oneapi new file mode 100644 index 000000000..17225ef03 --- /dev/null +++ b/apparmor.d/abstractions/oneapi @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Intel oneAPI compiler libraries + + abi , + + /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, + /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + + include if exists + +# vim:syntax=apparmor From 81636262f18b65bc1bf0b09a48fce1df6d9f7b0a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:42:38 +0200 Subject: [PATCH 076/155] feat(abs): add the java abstraction. --- apparmor.d/abstractions/java | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/java diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java new file mode 100644 index 000000000..91472d21e --- /dev/null +++ b/apparmor.d/abstractions/java @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/java/{,**} r, + + /etc/java/{,**} r, + /etc/java-*/{,**} r, + + include if exists + +# vim:syntax=apparmor From fbb1768aa699b3f68c4d682b7dacfd362a1d091c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:46:26 +0200 Subject: [PATCH 077/155] feat(abs): add the amdgpu abstraction. --- apparmor.d/abstractions/amdgpu | 30 +++++++++++++++++++++++++++ apparmor.d/abstractions/graphics-full | 2 ++ 2 files changed, 32 insertions(+) create mode 100644 apparmor.d/abstractions/amdgpu diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu new file mode 100644 index 000000000..181d86864 --- /dev/null +++ b/apparmor.d/abstractions/amdgpu @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Kernel Fusion Driver for AMD GPUs + + abi , + + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + + @{sys}/devices/virtual/kfd/kfd/dev r, + @{sys}/devices/virtual/kfd/kfd/topology/ r, + @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/system_properties r, + @{sys}/devices/virtual/kfd/kfd/uevent r, + @{sys}/module/amdgpu/initstate r, + + /dev/kfd rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index eb60edb4d..1e2c97224 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -4,7 +4,9 @@ abi , + include include + include @{sys}/devices/@{pci}/numa_node r, From 0817911b579fa417a46fd03f9dbec5398bc3180e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:48:36 +0200 Subject: [PATCH 078/155] feat(abs): add more core abstractions They will at term replace the freedesktop abstraction. --- apparmor.d/abstractions/desktop-files | 22 ++++++++++++++++++++++ apparmor.d/abstractions/gsettings | 13 +++++++++++++ apparmor.d/abstractions/icons | 26 ++++++++++++++++++++++++++ apparmor.d/abstractions/mime | 17 +++++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 apparmor.d/abstractions/desktop-files create mode 100644 apparmor.d/abstractions/gsettings create mode 100644 apparmor.d/abstractions/icons create mode 100644 apparmor.d/abstractions/mime diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files new file mode 100644 index 000000000..d616dad83 --- /dev/null +++ b/apparmor.d/abstractions/desktop-files @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/applications/{,**} r, + @{system_share_dirs}/*ubuntu/applications/{,**} r, + @{system_share_dirs}/gnome/applications/{,**} r, + @{system_share_dirs}/xfce4/applications/{,**} r, + + /etc/gnome/defaults.list r, + /etc/xfce4/defaults.list r, + + /var/lib/snapd/desktop/applications/{,**} r, + + owner @{user_share_dirs}/applications/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gsettings new file mode 100644 index 000000000..788b14486 --- /dev/null +++ b/apparmor.d/abstractions/gsettings @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/glib-2.0/schemas/ r, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons new file mode 100644 index 000000000..0dd44e33c --- /dev/null +++ b/apparmor.d/abstractions/icons @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/icons/{,**} r, + @{system_share_dirs}/pixmaps/{,**} r, + + /opt/**/share/icons/{,**} r, + /opt/*/**.desktop r, + /opt/*/**/*.png r, + + /var/lib/snapd/desktop/icons/{,**} r, + + owner @{HOME}/.icons/{,**} r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/icons/{,**} r, + owner @{user_share_dirs}/mime/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime new file mode 100644 index 000000000..6622c99dd --- /dev/null +++ b/apparmor.d/abstractions/mime @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/ r, + @{system_share_dirs}/mime/{,**} r, + + /etc/mime.types r, + + owner @{user_share_dirs}/mime/mime.cache r, + + include if exists + +# vim:syntax=apparmor From 3b2f745bcaa126150e8f3f8f4bda6150a63e950c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 19:25:00 +0200 Subject: [PATCH 079/155] feat(abs): use the new core abs in desktop. --- apparmor.d/abstractions/desktop | 21 ++++++++------------- apparmor.d/abstractions/desktop-files | 5 +++++ apparmor.d/abstractions/gnome-strict | 14 +++++++------- apparmor.d/abstractions/gsettings | 1 + apparmor.d/abstractions/icons | 3 --- apparmor.d/abstractions/kde-strict | 10 +++++----- apparmor.d/abstractions/mime | 7 ++++++- apparmor.d/abstractions/recently-used | 21 +++++++++++++++++++++ 8 files changed, 53 insertions(+), 29 deletions(-) create mode 100644 apparmor.d/abstractions/recently-used diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 878f6f794..4a32a1aa7 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,10 +9,14 @@ abi , + include include - include + include include + include + include include + include include include include @@ -24,16 +28,11 @@ member=Introspect peer=(name=@{busname}, label=gnome-shell), - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{version}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{version}/gnome-mimeapps.list r, - - / r, # deny? + / r, owner @{user_share_dirs}/gnome-shell/session.gvdb rw, @@ -49,8 +48,6 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -65,8 +62,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/@{profile_name}* rwlk, owner @{user_config_dirs}/session/#@{int} rw, @@ -82,7 +77,7 @@ # end /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/*.ids r, # FIXME: a bit too wide /usr/share/icu/@{int}.@{int}/*.dat r, include if exists diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files index d616dad83..9c0a8b941 100644 --- a/apparmor.d/abstractions/desktop-files +++ b/apparmor.d/abstractions/desktop-files @@ -12,11 +12,16 @@ /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/{,**} r, /var/lib/snapd/desktop/applications/{,**} r, owner @{user_share_dirs}/applications/{,**} r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/{,**} r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index fadaedcbf..445c62e6b 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,9 +4,14 @@ abi , + include include - include + include include + include + include + include + include include include include @@ -20,14 +25,9 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, / r, diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gsettings index 788b14486..4d22f080b 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gsettings @@ -5,6 +5,7 @@ abi , + @{system_share_dirs}/ r, @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons index 0dd44e33c..6a721b837 100644 --- a/apparmor.d/abstractions/icons +++ b/apparmor.d/abstractions/icons @@ -16,10 +16,7 @@ owner @{HOME}/.icons/{,**} r, - owner @{user_config_dirs}/mimeapps.list r, - owner @{user_share_dirs}/icons/{,**} r, - owner @{user_share_dirs}/mime/{,**} r, include if exists diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index fd994d12d..5fbdd7869 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,10 +4,14 @@ abi , + include include - include + include include + include + include include + include include include include @@ -26,8 +30,6 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -42,8 +44,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime index 6622c99dd..9a70edaf8 100644 --- a/apparmor.d/abstractions/mime +++ b/apparmor.d/abstractions/mime @@ -9,8 +9,13 @@ @{system_share_dirs}/mime/{,**} r, /etc/mime.types r, + /etc/xdg/{,*-}mimeapps.list r, - owner @{user_share_dirs}/mime/mime.cache r, + /var/cache/gio-@{version}/{,*-}-mimeapps.list r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/mime/{,**} r, include if exists diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used new file mode 100644 index 000000000..d3a7ec289 --- /dev/null +++ b/apparmor.d/abstractions/recently-used @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.recently-used.xbel rw, + owner @{HOME}/.recently-used.xbel.@{rand6} rwl, + owner @{HOME}/.recently-used.xbel.lock rwk, + + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + + owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? + + include if exists + +# vim:syntax=apparmor From 1506ae04d8c24763cc83779c14ff321afef458a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:03:19 +0200 Subject: [PATCH 080/155] fix(profile): /att/**/ instead of @{att}/ --- apparmor.d/groups/freedesktop/pipewire | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 97e3c6119..02a370cdc 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -40,7 +40,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, / r, - @{att}/ r, + /att/**/ r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, From cea9fd56141484f5bf3a2b6bf16970789f563e38 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:37:48 +0200 Subject: [PATCH 081/155] feat(profile): improve kde integration see #559 --- apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/kde/kded | 3 +++ apparmor.d/groups/kde/kioworker | 1 + .../groups/kde/kscreen_backend_launcher | 2 +- .../groups/kde/ksmserver-logout-greeter | 2 +- apparmor.d/groups/kde/kwalletd | 2 +- apparmor.d/groups/kde/kwin_wayland | 19 ++++++++++++++++++- apparmor.d/groups/kde/plasmashell | 7 ++++--- apparmor.d/groups/kde/sddm | 1 + apparmor.d/groups/kde/wayland-session | 3 +-- 10 files changed, 32 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 861132887..2307c709f 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -39,6 +39,7 @@ profile DiscoverNotifier @{exec_path} { @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/metainfo/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index f2f2489ab..e8be8a0dd 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -182,6 +182,9 @@ profile kded @{exec_path} { @{sys}/class/leds/ r, + @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 69b735310..71465df97 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -49,6 +49,7 @@ profile kioworker @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 7df07f64b..00b4c9630 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -13,8 +13,8 @@ profile kscreen_backend_launcher @{exec_path} { include include include + include include - include #aa:dbus own bus=session name=org.kde.KScreen #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 67e56c3c6..e5ea15c29 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ksmserver-logout-greeter @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter -profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index ad96cb512..de175635a 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -45,7 +45,7 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, - owner @{run}/user/@{uid}/kwallet{5,6}.socket r, + owner @{run}/user/@{uid}/kwallet{5,6}.socket rw, owner @{tmp}/kwalletd5.* rw, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 243e0adfe..c11f951be 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/kwin_wayland -profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { +profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -46,6 +46,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, + /etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -53,6 +54,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/kglobalaccel/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, + /usr/share/kwin-wayland/{,**} r, /usr/share/kwin/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, @@ -179,6 +181,21 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile ibus { + include + include + + @{sh_path} r, + @{lib}/{,ibus/}ibus-x11 rPx, + + /etc/xdg/Xwayland-session.d/10-ibus-x11 r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 68ea4fc0c..e767d7bb5 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -70,7 +70,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/{,**} mr, @{bin}/dolphin rPx, - @{bin}/ksysguardd rix, + @{bin}/ksysguardd rPUx, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, @{lib}/kf{5,6}/kdesu{,d} rix, @@ -104,7 +104,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/appstream.conf r, /etc/fstab r, - /etc/ksysguarddrc r, /etc/machine-id r, /etc/os-release r, /etc/sensors.d/ r, @@ -166,6 +165,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/klipperrc r, owner @{user_config_dirs}/kmail2.notifyrc r, + owner @{user_config_dirs}/knfsshare r, owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, @@ -200,9 +200,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/wallpapers/{,**} rw, owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasma/* r, owner @{user_state_dirs}/plasmashellstaterc rw, - owner @{user_state_dirs}/plasmashellstaterc.lock rwk, owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, + owner @{user_state_dirs}/plasmashellstaterc.lock rwk, /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b62116704..b9d07e380 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -92,6 +92,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, @{bin}/Hyprland rPx, + @{bin}/ksecretd rPUx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/labwc rPx, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 56914137b..c07b06815 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/sddm/wayland-session profile wayland-session @{exec_path} { include + include include @{exec_path} mr, @@ -39,8 +40,6 @@ profile wayland-session @{exec_path} { owner @{user_share_dirs}/sddm/wayland-session.log rw, - /dev/tty rw, - include if exists } From f18fc88253b82ca04bb92c2b68f2efb75afc55b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:39:18 +0200 Subject: [PATCH 082/155] feat(profile): kde: improve dbus rules. --- apparmor.d/groups/kde/baloorunner | 3 +++ apparmor.d/groups/kde/kaccess | 1 + apparmor.d/groups/kde/kactivitymanagerd | 1 + apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 2 ++ apparmor.d/groups/kde/ksmserver-logout-greeter | 9 +++++++++ apparmor.d/groups/kde/ksplashqml | 1 + apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/kde/sddm | 1 + 10 files changed, 21 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 702288a1f..64372f497 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,6 +10,9 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 65582d1ba..4b1e734ed 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -18,6 +18,7 @@ profile kaccess @{exec_path} { include #aa:dbus own bus=session name=org.kde.kaccess + #aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1cc6b41d1..ead285e5f 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,6 +11,7 @@ include profile kactivitymanagerd @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index c961ed7a3..01706e649 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -28,6 +28,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, #aa:dbus own bus=system name=org.freedesktop.Policy.Power + #aa:dbus own bus=system name=org.kde.kf5auth path=/ #aa:dbus own bus=session name=local.org_kde_powerdevil #aa:dbus own bus=session name=org.freedesktop.PowerManagement diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e8be8a0dd..93c70329e 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -68,6 +68,7 @@ profile kded @{exec_path} { #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" dbus receive bus=system path=/ diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 156bdf928..b9c09d0c6 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,7 +9,9 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e5ea15c29..e46237c2a 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,6 +11,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include + include + include include include include @@ -18,6 +22,11 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate include include + #aa:dbus own bus=session name=org.kde.LogoutPrompt path=/LogoutPrompt + + #aa:dbus talk bus=session name=org.kde.LogoutPrompt path=/Shutdown label=plasma-shutdown + #aa:dbus talk bus=session name=org.kde.KWin label=kwin_wayland + @{exec_path} mr, @{lib}/os-release r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index e1d5d7394..ea80e28cd 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -11,6 +11,7 @@ profile ksplashqml @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index c11f951be..51f09c8c4 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -35,7 +35,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix type=stream peer=(label=xwayland), #aa:dbus own bus=session name=org.freedesktop.ScreenSaver - #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.kglobalaccel path=/kglobalaccel #aa:dbus own bus=session name=org.kde.KWin #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect #aa:dbus own bus=session name=org.kde.screensaver diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b9d07e380..08835eaf0 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -55,6 +55,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=system name=org.freedesktop.DisplayManager #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 interface=org.freedesktop.login1.Manager label="@{p_systemd_logind}" @{exec_path} mr, From 53df40b8ac3b95eab40ed8e4ffe41f9c4f52d2eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:40:36 +0200 Subject: [PATCH 083/155] feat(profile) gvfs: more dbus integration. --- apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++ apparmor.d/groups/gvfs/gvfsd-http | 1 + apparmor.d/groups/gvfs/gvfsd-network | 10 ++++++++++ apparmor.d/groups/gvfs/gvfsd-recent | 5 +++++ apparmor.d/groups/gvfs/gvfsd-sftp | 26 ++++++++++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-wsdd | 13 ++++++++++++- 6 files changed, 59 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 6c61dbba4..ab786106c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -38,6 +38,11 @@ profile gvfsd-dnssd @{exec_path} { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 5812c8a6e..f51ef2afe 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,6 +11,7 @@ include profile gvfsd-http @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index cd64d81ad..1af0a2b37 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -32,6 +32,16 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}), + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 042b66a68..1219c8cbd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -33,6 +33,11 @@ profile gvfsd-recent @{exec_path} { member=RegisterMount peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, # Full access to user's data diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 157af621c..76bb55e98 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -10,10 +10,36 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp profile gvfsd-sftp @{exec_path} { include + include + include include include include + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gnome-extension-gsconnect), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=nautilus), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), + @{exec_path} mr, @{bin}/ssh rPx, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 209971ac2..0dee4e73b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -13,6 +13,7 @@ profile gvfsd-wsdd @{exec_path} { include include include + include network netlink raw, @@ -31,9 +32,19 @@ profile gvfsd-wsdd @{exec_path} { member=RegisterMount peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-network), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - @{bin}/env r, + @{bin}/env mr, @{bin}/wsdd rPx, @{run}/mount/utab r, From 15b8a6cea4dbdbd34a103f643ea13b085e424987 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 21:22:25 +0200 Subject: [PATCH 084/155] fix: linter issue. --- apparmor.d/groups/kde/kwin_wayland | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 51f09c8c4..e2e3ecfe0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -184,7 +184,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile ibus { include include - + @{sh_path} r, @{lib}/{,ibus/}ibus-x11 rPx, From bfe35f254e31557bdc75f08a6c0f02f005291b75 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 17:40:48 +0200 Subject: [PATCH 085/155] feat(profile): small improvement for snap. --- apparmor.d/groups/snap/snap | 16 +++++++++++----- apparmor.d/groups/snap/snap-seccomp | 6 +++++- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index ef0a086a8..564fd9151 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -18,6 +18,8 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include + capability chown, + capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, @@ -70,10 +72,10 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{DESKTOP_HOME}/snap/{,**} rw, /snap/{,**} rw, - @{HOME}/snap/{,**} rw, - owner @{HOME}/ r, - owner @{HOME}/.snap.mkdir-new/ rw, - owner @{HOME}/.snap/{,**} rw, + @{HOME}/ r, + @{HOME}/.snap.mkdir-new/ rw, + @{HOME}/.snap/{,**} rw, + @{HOME}/snap/{,**} rw, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @@ -102,7 +104,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, /dev/ttyS@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, profile gpg { include diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 9605c544a..2a14fd583 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -27,7 +27,11 @@ profile snap-seccomp @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/mountinfo r, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, include if exists } From 7b0a78b1f13743eae7f59efbaf501654955e7372 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 17:42:49 +0200 Subject: [PATCH 086/155] feat(abs): improve dbus core abstractions --- apparmor.d/abstractions/bus/org.freedesktop.Accounts | 4 ++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- .../abstractions/bus/org.freedesktop.portal.Desktop | 10 +++++----- apparmor.d/abstractions/bus/org.freedesktop.secrets | 4 ++-- .../abstractions/bus/org.gnome.Mutter.IdleMonitor | 4 ++-- apparmor.d/abstractions/bus/org.gnome.SessionManager | 5 +++++ apparmor.d/abstractions/bus/org.gtk.Notifications | 2 +- apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker | 2 +- 8 files changed, 19 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index d15288d46..e77f17b88 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -8,8 +8,8 @@ dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label="@{p_accounts_daemon}"), + member={FindUserByName,ListCachedUsers,FindUserById} + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index aa48e69b1..4ddf95af3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -23,7 +23,7 @@ dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,AllForNow,CacheExhausted} + member={ItemNew,ItemRemove,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), dbus receive bus=system path=/ diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 2753a6602..4d4faf688 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -14,22 +14,22 @@ dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop + dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.host.portal.Registry diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index a2389a68a..e30e7b1c2 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -8,8 +8,8 @@ dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,ReadAlias} - peer=(name="@{busname}", label=gnome-keyring-daemon), + member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 3eb301f18..8eb573f7e 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -13,8 +13,8 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} - peer=(name="@{busname}", label=gnome-shell), + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} + peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 0683a98fb..a532b67f2 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -13,6 +13,11 @@ member={RegisterClient,IsSessionRunning} peer=(name="@{busname}", label=gnome-session-binary), + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={Inhibit,Uninhibit} + peer=(name="@{busname}", label=gnome-session-binary), + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications index b9229f204..ad1a1ffad 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -8,7 +8,7 @@ dbus send bus=session path=/org/gtk/Notifications interface=org.gtk.Notifications - member=RemoveNotification + member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index d88afd0ee..c455d4f18 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -21,7 +21,7 @@ dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=Mounted + member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), include if exists From e9f0b77f2d00d748841dd78832368671a3549936 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 18:59:08 +0200 Subject: [PATCH 087/155] feat(profile): update btop. --- apparmor.d/profiles-a-f/btop | 42 ++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bab483dde..4910629ce 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -10,15 +10,16 @@ include profile btop @{exec_path} { include include - include include + capability kill, + capability perfmon, capability sys_ptrace, network netlink raw, - signal (send), - ptrace (read), + signal send, + ptrace read, @{exec_path} mr, @@ -27,33 +28,42 @@ profile btop @{exec_path} { /etc/fstab r, owner @{user_config_dirs}/btop/{,**} rw, + owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/**/stat r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/{,**}/ r, @{sys}/devices/@{pci}/net/*/{,**} r, + @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, + @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, + @{sys}/devices/*/events/{,*} r, + @{sys}/devices/platform/*/ r, + @{sys}/devices/power/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, - @{PROC} r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/loadavg r, - @{PROC}/spl/kstat/zfs/arcstats r, - @{PROC}/uptime r, - owner @{PROC}/@{pid}/mounts r, + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/@{tid}/comm rw, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, From d6885803cbfe3d420b1eb15b9562aae68228ad9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 21:32:51 +0200 Subject: [PATCH 088/155] fear(abs): update dbus core abs. --- .../bus/org.freedesktop.ColorManager | 7 ++++ .../bus/org.freedesktop.FileManager1 | 5 +++ .../abstractions/bus/org.freedesktop.UPower | 10 ++++- .../bus/org.freedesktop.hostname1 | 1 + .../bus/org.freedesktop.portal.Desktop | 15 +++++++ .../abstractions/bus/org.freedesktop.resolve1 | 6 +-- .../bus/org.gnome.Mutter.IdleMonitor | 2 +- .../bus/org.gnome.Shell.SearchProvider2 | 10 +++++ .../abstractions/bus/org.gtk.vfs.Daemon | 2 +- .../bus/org.kde.StatusNotifierItem | 24 +++++++++++ .../bus/org.kde.StatusNotifierWatcher | 42 ++++++++++++++++++- .../bus/org.mpris.MediaPlayer2.Player | 31 ++++++++------ 12 files changed, 135 insertions(+), 20 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 3a63d95dc..e23092429 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow for color managed applications to communicate with colord + abi , #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" @@ -21,6 +23,11 @@ member={DeviceAdded,DeviceRemoved} peer=(name="@{busname}", label="@{p_colord}"), + dbus (receive, send) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceByProperty + peer=(name="@{busname}", label="@{p_colord}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 76095edaf..a08c98b26 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -6,6 +6,11 @@ #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.FileManager1 + member=ShowItems + peer=(name=org.freedesktop.FileManager1, label=nautilus), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index d82fbdef0..64b400a3e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -2,10 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can query UPower for power devices, history and statistics. + abi , #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices @@ -13,7 +16,12 @@ dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties - member=GetDisplayDevice + member={GetDisplayDevice,GetCriticalAction} + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + + dbus send bus=system path=/org/freedesktop/UPower/devices/** + interface=org.freedesktop.UPower.Device + member={GetHistory,Refresh} peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 0a8d86be1..165e3ae6e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -5,6 +5,7 @@ abi , #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 4d4faf688..4778dd6dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -11,6 +11,11 @@ member=Read peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} @@ -41,6 +46,16 @@ member=Response peer=(name=@{busname}, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member={StateChanged,CreateMonitor} + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index e2c4b3886..fe6d52dc6 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), + member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} + peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 8eb573f7e..d1ff350fc 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -14,7 +14,7 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} - peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 index baa96cc78..ae8b68448 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -6,6 +6,16 @@ #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas} + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member=*Cancel + peer=(name=@{busname}, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 66910007b..93ad35fe5 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -7,7 +7,7 @@ dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 43947d52a..87fd06727 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -4,6 +4,30 @@ abi , + include + + dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} + interface=org.kde.StatusNotifierItem + member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index d9ca82881..90a78d2ed 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -2,14 +2,52 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow to display Status Notifier Items in the KDE Plasma systray + abi , - #aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label="@{pp_app_indicator}"), + + + dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} + interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} + member={Get*,AboutTo*,Event*} + peer=(label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem - peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={ProvideXdgActivationToken,Activate} + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={AboutToShow,GetLayout,Event} + peer=(label="@{pp_app_indicator}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player index d8581be07..d71b7ac1e 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -4,27 +4,34 @@ abi , - #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + # DBus.Properties: read all properties from the interface + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}), + # DBus.Properties: receive property changed events dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=@{busname}), + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}), + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member={Seeked,Next,PlayPause} + peer=(name=@{busname}), + + # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked + dbus send bus=session path=/org/mpris/MediaPlayer2 interface=org.mpris.MediaPlayer2.Player member=Seeked - peer=(name=@{busname}), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=@{busname}), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}), + peer=(name=org.freedesktop.DBus), include if exists From eb2def65a1900c681bfc43fd9d4dbb450fc4f4be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 21:47:00 +0200 Subject: [PATCH 089/155] feat(abs): move some dbus abs to the session subfolder. --- .../{own-accessibility => accessibility/own} | 2 +- .../bus/org.freedesktop.systemd1-session | 16 ------------ .../bus/session/org.freedesktop.systemd1 | 26 +++++++++++++++++++ .../bus/{own-session => session/own} | 2 +- .../bus/{own-system => system/own} | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/kde/kcminit | 2 +- apparmor.d/profiles-s-z/spotify | 1 + pkg/prebuild/directive/dbus.go | 2 +- 11 files changed, 35 insertions(+), 24 deletions(-) rename apparmor.d/abstractions/bus/{own-accessibility => accessibility/own} (93%) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.systemd1-session create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 rename apparmor.d/abstractions/bus/{own-session => session/own} (93%) rename apparmor.d/abstractions/bus/{own-system => system/own} (93%) diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/accessibility/own similarity index 93% rename from apparmor.d/abstractions/bus/own-accessibility rename to apparmor.d/abstractions/bus/accessibility/own index cd8e42e52..d1eab1ce7 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session deleted file mode 100644 index 577cc3ed9..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnit - peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 new file mode 100644 index 000000000..0c8185be6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnit + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/session/own similarity index 93% rename from apparmor.d/abstractions/bus/own-session rename to apparmor.d/abstractions/bus/session/own index 91515adb0..d975ebb48 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/session/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/system/own similarity index 93% rename from apparmor.d/abstractions/bus/own-system rename to apparmor.d/abstractions/bus/system/own index d48931f4f..2b1130b32 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/system/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 4e3440656..9a42bcdf1 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,8 +11,8 @@ profile gdm-session @{exec_path} { include include include - include include + include signal (receive) set=(hup term) peer=gdm-session-worker, signal (receive) set=(term) peer=gdm, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 8b0ea6307..447c030d6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,7 +14,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index b8da39a4d..35f43a93e 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index bd01bf3c8..4f8b10a32 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,7 +10,7 @@ include profile kcminit @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 3c18059a9..0eb5eab43 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -25,6 +25,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 06fedffb5..891eb9e1d 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -111,7 +111,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { res := aa.Rules{ &aa.Include{ - IsMagic: true, Path: "abstractions/bus/own-" + rules["bus"], + IsMagic: true, Path: "abstractions/bus/" + rules["bus"] + "/own", }, &aa.Dbus{ Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], From 30618828097267ced9833cdf16de350eac1b05b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:04:07 +0200 Subject: [PATCH 090/155] feat(profile): update dbus rules for Ubuntu. --- apparmor.d/groups/freedesktop/dconf | 1 + apparmor.d/groups/freedesktop/pipewire-pulse | 3 +++ .../polkit-kde-authentication-agent | 2 ++ apparmor.d/groups/freedesktop/wireplumber | 5 +++++ .../groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-document-portal | 3 ++- .../gnome/evolution-addressbook-factory | 5 +++++ apparmor.d/groups/gnome/gjs-console | 2 ++ apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-characters | 2 +- apparmor.d/groups/gnome/gnome-control-center | 5 ++--- .../groups/gnome/gnome-extension-gsconnect | 2 ++ apparmor.d/groups/gnome/gnome-shell | 4 ++-- apparmor.d/groups/gnome/gnome-software | 11 ++++++++++ apparmor.d/groups/gnome/gnome-system-monitor | 4 ++++ apparmor.d/groups/gnome/gsd-media-keys | 14 +++++-------- apparmor.d/groups/gnome/gsd-power | 1 + .../groups/gnome/gsd-print-notifications | 20 ++++++++++++++++++- apparmor.d/groups/gnome/gsd-xsettings | 12 ++++++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 8 +++++++- apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/gnome/ptyxis-agent | 5 ++++- apparmor.d/groups/network/wg-quick | 1 + apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/systemd/resolvectl | 7 +++++++ .../groups/ubuntu/software-properties-gtk | 6 +++++- apparmor.d/groups/ubuntu/update-notifier | 1 + apparmor.d/profiles-a-f/alacarte | 3 +++ apparmor.d/profiles-a-f/element-desktop | 1 + apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-m-r/pinentry-gnome3 | 4 +++- apparmor.d/profiles-s-z/spotify | 11 ++++++++++ apparmor.d/profiles-s-z/superproductivity | 11 +++++++++- 35 files changed, 142 insertions(+), 26 deletions(-) diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index be4972f04..20b453df4 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include + include include capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index fddbe02f7..e6e6e59c5 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -13,12 +13,15 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, ptrace read, + #aa:dbus own bus=session name=org.pulseaudio.Server + @{exec_path} mr, @{bin}/pactl rix, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 8a08f02d0..5e7a75a8d 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,8 +11,10 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 80c3135f5..7aff8bdd2 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -32,6 +32,11 @@ profile wireplumber @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/midi{,server@{int}} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label="@{p_bluetoothd}"), + @{exec_path} mr, /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 35c81f0bc..89acacd34 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus receive bus=session diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index d2db2612e..84c0fce42 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -30,7 +30,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents + #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 98c94c79e..c9a9d72c9 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -55,6 +55,11 @@ profile evolution-addressbook-factory @{exec_path} { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gnome/evolution/dataserver/** + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=obexd), + @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 0cfd4c420..6d6d6ea85 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -17,8 +17,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 235c0ce9e..7d6d5246d 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -23,7 +23,6 @@ profile gnome-calendar @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.Calendar - #aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory @@ -32,6 +31,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9af2b7d5f..7ce936e52 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -11,13 +11,13 @@ profile gnome-characters @{exec_path} { include include include + include include include include include #aa:dbus own bus=session name=org.gnome.Characters - #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 41b62df09..1c35a8ec1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -14,6 +14,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -42,9 +43,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 8887ce797..3f57b3035 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,8 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0f91b7283..b7706ccf4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,7 +25,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -87,7 +86,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 7e817f490..71141595b 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,6 +9,12 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include + include + include + include + include + include + include include include include @@ -24,6 +30,11 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + #aa:dbus own bus=session name=org.freedesktop.PackageKit + #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + @{exec_path} mr, @{bin}/baobab rPUx, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a3d039dea..a99d566c0 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,6 +9,10 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6cae2d49b..7f02d8bf4 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,6 +20,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -38,7 +39,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label="@{p_systemd_logind}"), + peer=(name=@{busname}, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus @@ -48,17 +49,12 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-power), + peer=(name=@{busname}, label=gsd-power), dbus receive bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-power), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), + peer=(name=@{busname}, label=gsd-power), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 2fa0b0b1f..379f7b814 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index af5ff2f05..59123f485 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=ServerStarted + member={ServerStarted,PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session @@ -38,6 +38,24 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member={CacheExhausted,ItemNew} + peer=(name=@{busname}, label=avahi-daemon), + dbus receive bus=system path=/Client4/RecordBrowser3 + interface=org.freedesktop.Avahi.RecordBrowser + member=ItemNew + peer=(name=@{busname}, label=avahi-daemon), + @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index abf30bc40..2e21750b9 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,10 +36,20 @@ profile gsd-xsettings @{exec_path} { #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetId + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label="@{p_accounts_daemon}"), + peer=(name=@{busname}, label="@{p_accounts_daemon}"), @{exec_path} mr, @{sh_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index d89d4d6f9..398b2b679 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -12,6 +12,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index fc9b923d8..17bdc5f13 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -31,9 +31,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { unix type=stream peer=(label=gnome-shell), #aa:dbus own bus=session name=org.freedesktop.FileManager1 - #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" + #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell @@ -49,6 +50,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=Print peer=(name=@{busname}, label=nautilus), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 6f5a137a3..9a22e3de8 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/papers profile papers @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index a6f7e5b63..a0a57d516 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index ce60a26c3..7a05b2254 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/ptyxis-agent profile ptyxis-agent @{exec_path} { include + include + include include - include include + include + include signal send set=hup peer=unconfined, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index c89a12a47..33de68147 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/wg-quick profile wg-quick @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 5799ced5b..f761ecf29 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label="@{p_polkitd}"), + peer=(name=@{busname}, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label="@{p_polkitd}"), + peer=(name=@{busname}, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 58f2d88f8..3013d8ae6 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -21,8 +21,15 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/resolvconf/system, + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1 + interface=org.freedesktop.network1.Manager + member=SetLinkDNSEx + peer=(name=org.freedesktop.network1), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index bb31d8867..15a49066c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,19 +9,23 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} { include - include + include include include include include include + include + include include include include include #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 9754aa231..8e9cddd54 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,6 +14,7 @@ profile update-notifier @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 700c6d517..b4cfb56e6 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 7891b67e1..ec7ee9c65 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -17,6 +17,7 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 4bed50f13..0a9e6dfc2 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -18,6 +18,8 @@ profile libreoffice @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index a955a9c6d..f4a61b07b 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -10,9 +10,11 @@ include profile pinentry-gnome3 @{exec_path} { include include + include + include include - signal (receive) set=(int) peer=gpg-agent, + signal receive set=int, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 0eb5eab43..f245e4312 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -21,10 +21,13 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include + include include include include @@ -36,8 +39,16 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Secret + member=RetrieveSecret + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c49a96621..73a86672f 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -6,7 +6,7 @@ abi , include -@{name} = super{p,P}roductivity +@{name} = super{p,P}roductivity Super?Productivity @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @@ -16,7 +16,16 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include + include include + include + include + include + include + include + include + include + include include network inet stream, From 0fccbef52b1e0d8b713c76d71220ae03bce8fb1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:06:34 +0200 Subject: [PATCH 091/155] feat(profile): improve firefox profiles. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/groups/browsers/firefox | 8 ++++++-- apparmor.d/groups/browsers/firefox-crashhelper | 5 +++++ apparmor.d/profiles-s-z/thunderbird-glxtest | 2 ++ 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 68fb14887..238bf9e8b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,8 +21,9 @@ include include include - include + include include + include include include include @@ -98,6 +99,7 @@ /var/tmp/ r, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp rw, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, owner @{tmp}/mozilla* rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index bac81c847..f9ba190a3 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -21,6 +21,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { signal send set=(term, kill) peer=firefox//&keepassxc-proxy, + unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, + unix type=seqpacket peer=(label=firefox-crashhelper), + #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @@ -46,9 +49,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, # Common extensions + @{bin}/browserpass rPx, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, + @{lib}/browserpass/browserpass-native rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, - @{bin}/browserpass rPx, - @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 55af7c2e2..8ffdccb67 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -15,11 +15,16 @@ include profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include + unix type=seqpacket peer=(label=firefox), + @{exec_path} mr, owner "@{config_dirs}/firefox/Crash Reports/" rw, owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 4dc891361..53fdb1ffd 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -18,6 +18,8 @@ profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + @{exec_path} mr, / r, From f21fecc25a60abd0a5d7921112e226c8745c4ce5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:07:09 +0200 Subject: [PATCH 092/155] feat(profile): update possible path for browserpass. --- apparmor.d/profiles-a-f/browserpass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index ee7ff958c..c896e96f8 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/browserpass +@{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native profile browserpass @{exec_path} flags=(attach_disconnected) { include include From 1724040229186e798f0fd443a22e747e9f3d5b93 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:15:51 +0200 Subject: [PATCH 093/155] feat(profile): various ubuntu based improvements. --- .../freedesktop/xdg-desktop-portal-gnome | 2 + apparmor.d/groups/freedesktop/xkbcomp | 1 + .../groups/gnome/evolution-alarm-notify | 2 + apparmor.d/groups/gnome/gnome-system-monitor | 1 + apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 4 +- apparmor.d/groups/gnome/ptyxis | 7 ++- apparmor.d/groups/gnome/ptyxis-agent | 8 +++- apparmor.d/groups/snap/snap | 48 ++++++++++++++++++- apparmor.d/groups/snap/snap-update-ns | 1 + apparmor.d/groups/ssh/ssh | 4 +- apparmor.d/groups/systemd/systemd-coredump | 4 ++ apparmor.d/groups/systemd/systemd-udevd | 2 + apparmor.d/groups/ubuntu/apport | 5 ++ .../groups/ubuntu/software-properties-gtk | 7 ++- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 + apparmor.d/groups/utils/who | 2 + apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-m-r/mkinitramfs | 7 +++ apparmor.d/profiles-m-r/motd | 1 + apparmor.d/profiles-m-r/on-ac-power | 1 + apparmor.d/profiles-s-z/swtpm_setup | 6 +-- 22 files changed, 107 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index bed83627a..ca5f62f82 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -65,11 +65,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_share_dirs}/applications/{,**} r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 325d444f5..a99e12b7a 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -17,6 +17,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive) type=stream addr=none peer=(label=kwin_wayland), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index ce8f799bb..174cb323f 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -37,6 +37,8 @@ profile evolution-alarm-notify @{exec_path} { /etc/timezone r, + owner @{user_share_dirs}/evolution/datetime-formats.ini r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a99d566c0..e4ac12011 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, + /usr/share/byobu/desktop/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 2ad89fe0a..ae225aa65 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -29,7 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 17bdc5f13..5ad6bb7b5 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -72,7 +72,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/file-roller rPx, @{bin}/firejail rPUx, @{bin}/net rPUx, - @{bin}/tracker3 rPUx, + + @{bin}/* r, + @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index a0a57d516..838dc940c 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -13,6 +13,10 @@ profile ptyxis @{exec_path} { include include + unix type=stream peer=(label=ptyxis-agent), + + #aa:dbus own bus=session name=org.gnome.Ptyxis + @{exec_path} mr, @{lib}/ptyxis-agent Px, @@ -25,11 +29,12 @@ profile ptyxis @{exec_path} { owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + owner @{user_config_dirs}/ubuntu-xdg-terminals.list r, owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - owner /tmp/#@{int} w, + owner /tmp/#@{int} rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 7a05b2254..cf497e39f 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -25,7 +25,9 @@ profile ptyxis-agent @{exec_path} { @{bin}/podman Px, @{bin}/systemd-run Cx -> shell, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_share_dirs}/containers/ w, + owner @{user_share_dirs}/containers/storage/ w, + owner @{user_share_dirs}/containers/storage/overlay-containers/ w, @{PROC}/@{pid}/cmdline r, @@ -37,9 +39,13 @@ profile ptyxis-agent @{exec_path} { signal send, + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + @{bin}/systemd-run mr, @{bin}/@{shells} Ux, + owner @{run}/user/@{uid}/systemd/private rw, + include if exists } diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 564fd9151..927d7a3da 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -52,11 +52,14 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sh_path} mr, @{bin}/mount rix, @{bin}/getent rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/xdg-settings rCx -> xdg-settings, @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @@ -98,7 +101,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, - owner @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, @@ -125,6 +128,49 @@ profile snap @{exec_path} flags=(attach_disconnected) { include if exists } + profile xdg-settings { + include + include + + @{bin}/xdg-settings mr, + + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, + + @{bin}/xdg-mime Px, + + include if exists + } + + profile run { + include + + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + + @{bin}/systemd-run mr, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 5d7c18d59..157651ac3 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -61,6 +61,7 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 03236196c..bf71a8463 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -45,8 +45,8 @@ profile ssh @{exec_path} { audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/ r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 54f366c2f..db1854f1f 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -37,6 +37,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /opt/** r, /usr/share/*/** r, @{user_lib_dirs}/** r, + /snap/*/@{int}/opt/** r, + /snap/*/@{int}/usr/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, @@ -45,6 +47,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /var/lib/systemd/coredump/{,**} rwl, + owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, + @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 9c993e0d5..62bada2a8 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -35,6 +35,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + unix type=stream addr=@@{udbus}/bus/udevadm/, + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index fbc433c05..2fa7bb92a 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -43,6 +43,11 @@ profile apport @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.md5sums r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/triggers/* r, + /var/lib/dpkg/updates/ r, + + /var/lib/systemd/coredump/*.zst r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 15a49066c..440ef4117 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/software-properties-gtk -profile software-properties-gtk @{exec_path} { +profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include @@ -62,6 +62,10 @@ profile software-properties-gtk @{exec_path} { owner @{tmp}/tmp@{word8}/ rw, owner @{tmp}/tmp@{word8}/apt.conf rw, + /dev/shm/ r, + owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{rand8} rw, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @{sys}/devices/ r, @@ -75,6 +79,7 @@ profile software-properties-gtk @{exec_path} { owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 34b697732..e8d847e92 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -52,6 +52,8 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, + owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, + owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw, diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index fd49b2bec..d951bfe03 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -20,6 +20,8 @@ profile who @{exec_path} { @{run}/systemd/sessions/* r, + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 5df66e6bd..2d781a734 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -42,6 +42,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, + owner /var/lib/fwupd/ w, owner /var/lib/fwupd/.cache/ w, @{user_cache_dirs}/dconf/user rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 42489117e..c6caf364f 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -174,6 +174,7 @@ profile mkinitramfs @{exec_path} { /usr/share/initramfs-tools/scripts/{,**/} r, /etc/initramfs-tools/scripts/{,**/} r, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, include if exists @@ -189,6 +190,12 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, + @{sys}/module/compression r, include if exists diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index 6cdb0fbf8..de742b2c9 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -10,6 +10,7 @@ include profile motd @{exec_path} { include include + include capability net_admin, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index 16ccfd9da..d6426f717 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -14,6 +14,7 @@ profile on-ac-power @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 08ee1532e..5795ddfcc 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner @{tmp}/swtpm_setup.certs.*/ w, - owner @{tmp}/swtpm_setup.certs.*/*.cert rw, - owner @{tmp}/.swtpm_setup.pidfile* rw, + owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw, + owner @{tmp}/swtpm_setup.certs.@{rand6}/ w, + owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw, include if exists } From 9b7c1acb1bbad1465159935a0274991637d069c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:52:08 +0200 Subject: [PATCH 094/155] build: cosmetic on build task name. --- pkg/prebuild/builder/abi.go | 2 +- pkg/prebuild/builder/attach.go | 2 +- pkg/prebuild/builder/complain.go | 2 +- pkg/prebuild/builder/enforce.go | 2 +- pkg/prebuild/builder/fsp.go | 2 +- pkg/prebuild/builder/hotfix.go | 2 +- pkg/prebuild/builder/userspace.go | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 492e3cc31..b0052d13f 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&ABI3{ Base: prebuild.Base{ Keyword: "abi3", - Msg: "Convert all profiles from abi 4.0 to abi 3.0", + Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) } diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index aeafcbf7d..d27908129 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -18,7 +18,7 @@ func init() { RegisterBuilder(&ReAttach{ Base: prebuild.Base{ Keyword: "attach", - Msg: "Re-attach disconnected path", + Msg: "Feat: re-attach disconnected path", }, }) } diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index dbd9b3478..8ee205564 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -25,7 +25,7 @@ func init() { RegisterBuilder(&Complain{ Base: prebuild.Base{ Keyword: "complain", - Msg: "Set complain flag on all profiles", + Msg: "Build: set complain flag on all profiles", }, }) } diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index a7ce90a7a..3d3d218c6 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -19,7 +19,7 @@ func init() { RegisterBuilder(&Enforce{ Base: prebuild.Base{ Keyword: "enforce", - Msg: "All profiles have been enforced", + Msg: "Build: all profiles have been enforced", }, }) } diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index 8f7fb4202..12dab15cd 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -23,7 +23,7 @@ func init() { RegisterBuilder(&FullSystemPolicy{ Base: prebuild.Base{ Keyword: "fsp", - Msg: "Prevent unconfined transitions in profile rules", + Msg: "Feat: prevent unconfined transitions in profile rules", }, }) } diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go index f7e6143b1..be8750f26 100644 --- a/pkg/prebuild/builder/hotfix.go +++ b/pkg/prebuild/builder/hotfix.go @@ -26,7 +26,7 @@ func init() { RegisterBuilder(&Hotfix{ Base: prebuild.Base{ Keyword: "hotfix", - Msg: "Temporary fix for #74, #80 & #235", + Msg: "Fix: temporary solution for #74, #80 & #235", }, }) } diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 37bb3a978..70dff8ec9 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&Userspace{ Base: prebuild.Base{ Keyword: "userspace", - Msg: "Resolve variable in profile attachments", + Msg: "Fix: resolve variable in profile attachments", }, }) } From bfcf9f846cd5eee8500413ae785d389266070657 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:52:35 +0200 Subject: [PATCH 095/155] build: support for unconfined flag. --- pkg/prebuild/builder/complain.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index 8ee205564..0d6a48f37 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -38,6 +38,9 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { if slices.Contains(flags, "complain") { return profile, nil } + if slices.Contains(flags, "unconfined") { + return profile, nil + } } flags = append(flags, "complain") strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" From 3a17dd33106a8e83d96c50e0522a7373967a6a0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:08:41 +0200 Subject: [PATCH 096/155] feat(aa): add support for advanced network rule. --- pkg/aa/network.go | 68 +++++++++++++++++++++----------- pkg/aa/rule_test.go | 11 ++++++ pkg/aa/templates/rule/network.j2 | 16 ++++++++ 3 files changed, 73 insertions(+), 22 deletions(-) diff --git a/pkg/aa/network.go b/pkg/aa/network.go index d5a2af70b..15dd4385e 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -33,34 +33,54 @@ func init() { } } -type AddressExpr struct { - Source string - Destination string - Port string +type LocalAddress struct { + IP string + Port string } -func newAddressExprFromLog(log map[string]string) AddressExpr { - return AddressExpr{ - Source: log["laddr"], - Destination: log["faddr"], - Port: log["lport"], +func newLocalAddressFromLog(log map[string]string) LocalAddress { + return LocalAddress{ + IP: log["laddr"], + Port: log["lport"], } } -func (r AddressExpr) Compare(other AddressExpr) int { - if res := compare(r.Source, other.Source); res != 0 { - return res - } - if res := compare(r.Destination, other.Destination); res != 0 { +func (r LocalAddress) Compare(other LocalAddress) int { + if res := compare(r.IP, other.IP); res != 0 { return res } return compare(r.Port, other.Port) } +type PeerAddress struct { + IP string + Port string + Src string +} + +func newPeerAddressFromLog(log map[string]string) PeerAddress { + return PeerAddress{ + IP: log["faddr"], + Port: log["fport"], + Src: log["saddr"], + } +} + +func (r PeerAddress) Compare(other PeerAddress) int { + if res := compare(r.IP, other.IP); res != 0 { + return res + } + if res := compare(r.Port, other.Port); res != 0 { + return res + } + return compare(r.Src, other.Src) +} + type Network struct { Base Qualifier - AddressExpr + LocalAddress + PeerAddress Domain string Type string Protocol string @@ -90,12 +110,13 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { func newNetworkFromLog(log map[string]string) Rule { return &Network{ - Base: newBaseFromLog(log), - Qualifier: newQualifierFromLog(log), - AddressExpr: newAddressExprFromLog(log), - Domain: log["family"], - Type: log["sock_type"], - Protocol: log["protocol"], + Base: newBaseFromLog(log), + Qualifier: newQualifierFromLog(log), + LocalAddress: newLocalAddressFromLog(log), + PeerAddress: newPeerAddressFromLog(log), + Domain: log["family"], + Type: log["sock_type"], + Protocol: log["protocol"], } } @@ -135,7 +156,10 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } - if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 { + if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 { + return res + } + if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index ee50532a9..ed6e7043d 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -216,6 +216,17 @@ var ( wMerge: false, wString: "network netlink raw,", }, + { + name: "network3", + fromLog: newNetworkFromLog, + log: network3Log, + rule: network3, + wValidErr: true, + other: network1, + wCompare: -7, + wMerge: false, + wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", + }, { name: "mount", fromLog: newMountFromLog, diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 6f2503a8b..3694442be 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 @@ -15,6 +15,22 @@ {{ " " }}{{ . }} {{- end -}} {{- end -}} + {{- with .LocalAddress.IP -}} + {{ " ip=" }}{{ . }} + {{- end -}} + {{- with .LocalAddress.Port -}} + {{ " port=" }}{{ . }} + {{- end -}} + {{- if and .PeerAddress.IP .PeerAddress.Port -}} + {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }} + {{- else -}} + {{- with .PeerAddress.IP -}} + {{ " peer=(ip=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- with .PeerAddress.Port -}} + {{ " peer=(port=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- end -}} {{- "," -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file From 43f30333c6edd648c71789d1755a27b2c4381ac9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:14:52 +0200 Subject: [PATCH 097/155] feat(aa): add support for prompt and priority rule. --- pkg/aa/base.go | 6 +++++- pkg/aa/parse.go | 8 +++++++- pkg/aa/templates/rule/qualifier.j2 | 3 +++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index eaf69f71c..a712a5899 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -99,6 +99,7 @@ func (r Base) addLine(other Rule) bool { } type Qualifier struct { + Priority string Audit bool AccessType string } @@ -109,6 +110,9 @@ func newQualifierFromLog(log map[string]string) Qualifier { } func (r Qualifier) Compare(o Qualifier) int { + if r := compare(r.Priority, o.Priority); r != 0 { + return r + } if r := compare(r.Audit, o.Audit); r != 0 { return r } @@ -116,7 +120,7 @@ func (r Qualifier) Compare(o Qualifier) int { } func (r Qualifier) Equal(o Qualifier) bool { - return r.Audit == o.Audit && r.AccessType == o.AccessType + return r.Priority == o.Priority && r.Audit == o.Audit && r.AccessType == o.AccessType } func (r Qualifier) getLenAudit() int { diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index e01696d74..3b737abfd 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -15,6 +15,8 @@ const ( tokALLOW = "allow" tokAUDIT = "audit" tokDENY = "deny" + tokPROMPT = "prompt" + tokPRIORITY = "priority" tokARROW = "->" tokEQUAL = "=" tokLESS = "<" @@ -524,7 +526,11 @@ func newRules(rules []rule) (Rules, error) { rule = rule[1:] goto qualifier // Qualifier - case tokALLOW, tokDENY: + case tokPRIORITY: + q.Priority = rule.GetValues(tokPRIORITY).GetString() + rule = rule[1:] + goto qualifier + case tokALLOW, tokDENY, tokPROMPT: q.AccessType = rule.Get(0) rule = rule[1:] goto qualifier diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2 index a0ff554ec..69181051a 100644 --- a/pkg/aa/templates/rule/qualifier.j2 +++ b/pkg/aa/templates/rule/qualifier.j2 @@ -3,6 +3,9 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "qualifier" -}} + {{- with .Priority -}} + {{- "priority=" -}}{{ . }}{{ " " }} + {{- end -}} {{- if .Audit -}} {{- "audit " -}} {{- end -}} From 7d1f8852098deaaabbc29697d0111a44fb83e557 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:15:21 +0200 Subject: [PATCH 098/155] test(aa): add testdata for network rule. --- pkg/aa/data_test.go | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index b96fd865f..28aa703d6 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -65,8 +65,34 @@ var ( "denied_mask": "create", "comm": "sddm-greeter", } + network3Log = map[string]string{ + "apparmor": "ALLOWED", + "class": "net", + "operation": "sendmsg", + "info": "failed af match", + "error": "-13", + "profile": "unattended-upgrade", + "comm": "unattended-upgr", + "laddr": "127.0.0.1", + "lport": "57007", + "faddr": "127.0.0.53", + "saddr": "127.0.0.1", + "src": "57007", + "fport": "53", + "sock_type": "dgram", + "protocol": "17", + "requested": "send", + "denied": "send", + } network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} network2 = &Network{Domain: "inet", Type: "dgram"} + network3 = &Network{ + Base: Base{Comment: " failed af match"}, + LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"}, + PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"}, + Type: "dgram", + Protocol: "17", + } // Mount mount1Log = map[string]string{ From 157c365b261a8600404ee7c917b02d194725a6c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:17:10 +0200 Subject: [PATCH 099/155] fix(aa): ensure tokenization helper cleanup data. --- pkg/aa/util.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 5a7049d69..523eb99fe 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -148,9 +148,10 @@ func validateValues(kind Kind, key string, values []string) error { func tokenToSlice(token string) []string { res := []string{} - token = strings.Trim(token, "()\n") + token = strings.Trim(token, "()\n ") if strings.ContainsAny(token, ", ") { var sep string + token = strings.ReplaceAll(token, " ", " ") switch { case strings.Contains(token, ","): sep = "," From 107820975ded704279b68a40909a980c222a3da1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:18:41 +0200 Subject: [PATCH 100/155] feat(aa): add file kind. --- pkg/aa/apparmor.go | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 6119a0c91..94e232c81 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -5,12 +5,39 @@ package aa import ( + "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" ) // MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/. var MagicRoot = paths.New("/etc/apparmor.d") +// FileKind represents an AppArmor file kind. +type FileKind uint8 + +const ( + ProfileKind FileKind = iota + AbstractionKind + TunableKind +) + +func KindFromPath(file *paths.Path) FileKind { + dirname := file.Parent().String() + switch { + case strings.Contains(dirname, "abstractions"): + return AbstractionKind + case strings.Contains(dirname, "tunables"): + return TunableKind + case strings.Contains(dirname, "local"): + return AbstractionKind + case strings.Contains(dirname, "mappings"): + return AbstractionKind + default: + return ProfileKind + } +} + // AppArmorProfileFiles represents a full set of apparmor profiles type AppArmorProfileFiles map[string]*AppArmorProfileFile From 7aae9f0dd7a14bfd37246992f1c11a4c96bd8e21 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:30:54 +0200 Subject: [PATCH 101/155] build: add stacked-dbus builder Resolve peer label variable in dbus rules. It create a full dbus rule by item in a variable when it is used a peer label. For ubuntu with apparmor 4.1+ See https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 --- pkg/prebuild/builder/stacked-dbus.go | 105 +++++++++++++++++++++++++++ pkg/prebuild/cli/cli.go | 18 +++-- 2 files changed, 116 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/stacked-dbus.go diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go new file mode 100644 index 000000000..d572e9d31 --- /dev/null +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -0,0 +1,105 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + resolve = map[string][]string{ + `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"}, + `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"}, + } +) + +// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +type StackedDbus struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&StackedDbus{ + Base: prebuild.Base{ + Keyword: "stacked-dbus", + Msg: "Fix: resolve peer label variable in dbus rules", + }, + }) +} + +func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { + var raw string + paragraphs := []string{} + rulesByParagraph := aa.ParaRules{} + + switch kind { + case aa.ProfileKind: + f := &aa.AppArmorProfileFile{} + nb, err := f.Parse(profile) + if err != nil { + return nil, nil, err + } + lines := strings.Split(profile, "\n") + raw = strings.Join(lines[nb:], "\n") + + case aa.AbstractionKind, aa.TunableKind: + raw = profile + } + raw = profile + + r, par, err := aa.ParseRules(raw) + if err != nil { + return nil, nil, err + } + rulesByParagraph = append(rulesByParagraph, r...) + paragraphs = append(paragraphs, par...) + return rulesByParagraph, paragraphs, nil +} + +func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { + kind := aa.KindFromPath(opt.File) + if kind == aa.TunableKind { + return profile, nil + } + + toResolve := []string{} + for k := range resolve { + toResolve = append(toResolve, k) + } + + rulesByParagraph, paragraphs, err := parse(kind, profile) // + if err != nil { + return "", err + } + for idx, rules := range rulesByParagraph { + changed := false + newRules := aa.Rules{} + for _, rule := range rules { + switch rule := rule.(type) { + case *aa.Dbus: + if slices.Contains(toResolve, rule.PeerLabel) { + changed = true + for _, label := range resolve[rule.PeerLabel] { + newRule := *rule + newRule.PeerLabel = label + newRules = append(newRules, &newRule) + } + } else { + newRules = append(newRules, rule) + } + default: + newRules = append(newRules, rule) + } + } + if changed { + profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n") + } + } + return profile, nil +} diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index ab221e485..8abfb4323 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -108,16 +108,20 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak - // that fully prevent profiles compilation with re-attached paths. - // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 - if prebuild.Distribution != "ubuntu" { - builder.Register("attach") - prepare.Register("attach") - } else if prebuild.Release["VERSION_CODENAME"] == "noble" { + // Re-attach disconnected path + if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { + // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent + // profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + + // Use stacked-dbus builder to resolve dbus rules + builder.Register("stacked-dbus") + + } else { builder.Register("attach") prepare.Register("attach") } + default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } From 2fcf4c50119de50de5498f30ee7a7a2aff9b5cd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:38:15 +0200 Subject: [PATCH 102/155] ci(github): remove test now enabled by default. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9f2addf88..90b709a31 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,11 +47,6 @@ jobs: if [[ ${{ matrix.mode }} == full-system-policy ]]; then sed -e "s/just complain/just fsp-complain/" -i debian/rules fi - if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then - # Test with Re-attach disconnected path - sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go - sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system - fi bash dists/build.sh dpkg - name: Install apparmor.d From bc270954d49993374b14bc2af6b89bb37d7d45ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:53:12 +0200 Subject: [PATCH 103/155] feat(abs): add missing bus abs. --- .../bus/org.gnome.SettingsDaemon.MediaKeys | 23 ++++++++++++++++ .../bus/org.gnome.keyring.internal.Prompter | 26 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys create mode 100644 apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys new file mode 100644 index 000000000..3a461a85a --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + # DBus.Properties: read all properties from the interface + dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.gnome.SettingsDaemon.MediaKeys + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter new file mode 100644 index 000000000..1c3e8f760 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow accessing the GNOME crypto services prompt APIs as used by +# applications using libgcr (such as pinentry-gnome3) for secure pin +# entry to unlock GPG keys etc. See: +# https://developer.gnome.org/gcr/unstable/GcrPrompt.html +# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html +# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + + abi , + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + include if exists + +# vim:syntax=apparmor From 068d205e13b333f077371bd4af37637902f29e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:02:12 +0200 Subject: [PATCH 104/155] fix(prebuild): removce ineffectual assignment. --- pkg/prebuild/builder/stacked-dbus.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index d572e9d31..33af33df7 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -51,7 +51,6 @@ func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { case aa.AbstractionKind, aa.TunableKind: raw = profile } - raw = profile r, par, err := aa.ParseRules(raw) if err != nil { From 7ecc84d3b0e13f5d346a906dceda14321fddae1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:04:15 +0200 Subject: [PATCH 105/155] feat(tunable): add pp tunable, improve dbus tunables. --- apparmor.d/tunables/multiarch.d/profiles | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 6868ae87a..d4fefb0b0 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -16,8 +16,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}={dbus-system,dbus-system//&unconfined} -@{p_dbus_session}={dbus-session,dbus-session//&unconfined} +@{p_dbus_system}={dbus-system,unconfined} +@{p_dbus_session}={dbus-session,unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system @@ -68,5 +68,12 @@ @{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal +# Profiles Patterns +# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution + +# Notification +@{pp_notification}={plasmashell,gjs-console} +@{pp_app_indicator}={plasmashell,gnome-shell} +@{pp_dbusmenu}={plasmashell,nautilus} # vim:syntax=apparmor From 1d51b1436da8c64232cebe31317bdbebc870bded Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:08:52 +0200 Subject: [PATCH 106/155] Small documentation improvements --- docs/development/workflow.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 786d77c93..7cc7c5616 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -36,7 +36,7 @@ title: Workflow Here is the bare minimum for the program `foo`: ``` sh # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 You +# Copyright (C) 2025 You # SPDX-License-Identifier: GPL-2.0-only abi , @@ -130,7 +130,7 @@ For this individual profile installation to work, the full package needs to be i To discover the access needed by a program, you can use the following tools: -1. Star the program in *complain* mode, let it initialize itself, then close it. +1. Start the program in *complain* mode, let it initialize itself, then close it. 1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: - Convert the logs to AppArmor rules. From 98034784e92400fd2241094f5ca8d85104f8b2f7 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:02:10 +0200 Subject: [PATCH 107/155] Add cider profile --- apparmor.d/profiles-a-f/cider | 61 +++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cider diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider new file mode 100644 index 000000000..f534a0034 --- /dev/null +++ b/apparmor.d/profiles-a-f/cider @@ -0,0 +1,61 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{domain} = sh.cider.genten org.chromium.Chromium +@{lib_dirs} = @{lib}/cider + +@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +profile cider @{exec_path} { + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/chrome-sandbox rpx, + + @{bin}/xdg-settings rpx, + + owner @{user_config_dirs}/sh.cider.genten/ rw, + owner @{user_config_dirs}/sh.cider.genten/** rwk, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, + + /usr/share/xkeyboard-config-2/** r, + + include if exists +} + +# vim:syntax=apparmor From f5970fcc6741419ea96ef5c9c36a321da532e127 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:12:18 +0200 Subject: [PATCH 108/155] Remove tabs --- apparmor.d/profiles-a-f/cider | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index f534a0034..71b27bce5 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -42,11 +42,11 @@ profile cider @{exec_path} { owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, From eedbc2223c1bc84e2e12deb2fd1e041422c5994d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:52:00 +0200 Subject: [PATCH 109/155] cider-review-fixes --- apparmor.d/profiles-a-f/cider | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 71b27bce5..2b203e989 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -6,10 +6,13 @@ abi , include +@{name} = {C,c}ider sh.cider.genten @{domain} = sh.cider.genten org.chromium.Chromium @{lib_dirs} = @{lib}/cider +@{cache_dirs} = @{user_cache_dirs}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} -@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} { include include @@ -18,8 +21,9 @@ profile cider @{exec_path} { include include include - include + include include + include network inet dgram, network inet6 dgram, @@ -32,15 +36,13 @@ profile cider @{exec_path} { @{lib_dirs}/ r, @{lib_dirs}/** r, @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/chrome-sandbox rpx, + @{lib_dirs}/chrome-sandbox rPx, - @{bin}/xdg-settings rpx, + @{bin}/xdg-settings rPx, owner @{user_config_dirs}/sh.cider.genten/ rw, owner @{user_config_dirs}/sh.cider.genten/** rwk, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, @{PROC}/ r, @{PROC}/@{pid}/stat r, @@ -53,8 +55,6 @@ profile cider @{exec_path} { owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/statm r, - /usr/share/xkeyboard-config-2/** r, - include if exists } From aec7d41a25647f9da3f0b13ddbe53d048bec3ee2 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:03:31 +0200 Subject: [PATCH 110/155] add profiles for wayland screen capture tools --- apparmor.d/profiles-g-l/grim | 21 +++++++++++++++++++++ apparmor.d/profiles-s-z/slurp | 23 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-g-l/grim create mode 100644 apparmor.d/profiles-s-z/slurp diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim new file mode 100644 index 000000000..0ded3d315 --- /dev/null +++ b/apparmor.d/profiles-g-l/grim @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/grim +profile grim @{exec_path} { + include + include + + @{exec_path} mr, + + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp new file mode 100644 index 000000000..8d5bcc217 --- /dev/null +++ b/apparmor.d/profiles-s-z/slurp @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/slurp +profile slurp @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + +# often used in combination with grim screen cature tool + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 06f1c0538e9bca4ac1af6862c4553931b33ad108 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:15:04 +0200 Subject: [PATCH 111/155] remove whitespace --- apparmor.d/profiles-s-z/slurp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index 8d5bcc217..c4250275e 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,12 +9,12 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include - + @{exec_path} mr, /usr/share/icons/{,**} r, -# often used in combination with grim screen cature tool + # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, include if exists From 9a302147bd3b2d6f02d715bcaa0e645f1680295b Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:26:43 +0200 Subject: [PATCH 112/155] fix typo --- apparmor.d/profiles-g-l/grim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 0ded3d315..9f18db07b 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include - include + include @{exec_path} mr, From ec2c0b1c8e34273069a86caf5b7af3444d4a8e7c Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 24 Aug 2025 17:32:04 +0200 Subject: [PATCH 113/155] add default path for plain use --- apparmor.d/profiles-g-l/grim | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9f18db07b..9e40a8aca 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -13,6 +13,10 @@ profile grim @{exec_path} { @{exec_path} mr, + owner @{user_config_dirs}/user-dirs.dirs r, + + owner @{HOME}/@{int8}_**_grim.png w, + owner /dev/shm/grim-@{rand6} rw, include if exists From 749ae318fca8bc9a8bed97bedeb883a326d95c13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:35:35 +0200 Subject: [PATCH 114/155] feat(profile): aa uses word8 as bug files. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index 1743fd9d0..1f8368045 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 7cb64af80..07706d052 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -45,7 +45,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.terminfo/@{int}/dumb r, owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 68729b7fe..7308a5ef0 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, From cf96e7b1d0d37d050fba5a0e758190dc2059443f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:39:28 +0200 Subject: [PATCH 115/155] feat(profile): smal snap improvements. --- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/snap/snap-update-ns | 5 +++++ apparmor.d/groups/snap/snapd | 7 ++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b7706ccf4..b34d18c00 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -294,7 +294,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 157651ac3..98ee0e5e7 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -40,11 +40,16 @@ profile snap-update-ns @{exec_path} { / r, /tmp/ r, + @{lib}/ r, /usr/ r, /usr/local/ r, /usr/local/share/ r, /usr/local/share/doc/ rw, /usr/local/share/fonts/ rw, + /usr/share/ r, + /usr/share/drirc.d w, + /usr/share/X11/ r, + /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 7e2c288b6..06de56063 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -99,7 +99,8 @@ profile snapd @{exec_path} { /usr/share/bash-completion/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**/} r, + /usr/share/polkit-1/actions/{,**} r, + /usr/share/polkit-1/actions/snap.*.policy r, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -147,6 +148,7 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, @@ -227,6 +229,9 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, + @{bin}/tar ix, + + owner @{HOME}/snap/*/common/.cache/{,**} r, include if exists } From 81d020173d4f0336a95cc6562c161336685abb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:09:09 +0200 Subject: [PATCH 116/155] feat(profile): general update. --- apparmor.d/groups/bus/dbus-accessibility | 6 +++--- apparmor.d/groups/children/child-open-strict | 2 ++ apparmor.d/groups/gnome/gnome-software | 7 ++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/papers | 4 +++- apparmor.d/groups/gpg/gpg | 3 ++- apparmor.d/groups/pacman/paccache | 3 +++ apparmor.d/groups/pacman/pacman-hook-code | 1 + .../systemd-generator-user-autostart | 3 +-- apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/usb/lsusb | 1 + apparmor.d/groups/utils/dmesg | 1 + apparmor.d/groups/utils/lsblk | 1 + apparmor.d/groups/virt/cockpit-bridge | 5 +++++ apparmor.d/groups/virt/cockpit-session | 4 +++- apparmor.d/groups/virt/libvirt-dbus | 5 +++++ apparmor.d/groups/virt/libvirtd | 7 +++++++ apparmor.d/profiles-a-f/borg | 1 + apparmor.d/profiles-a-f/btop | 2 +- apparmor.d/profiles-a-f/console-setup | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 6 +++--- apparmor.d/profiles-g-l/gitstatusd | 4 ++-- apparmor.d/profiles-g-l/homebank | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-g-l/linux-check-removal | 2 ++ apparmor.d/profiles-g-l/lsb-release | 14 ++++++++++---- apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mdadm | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 1 + apparmor.d/profiles-s-z/spotify | 4 ++++ apparmor.d/profiles-s-z/syncthing | 5 +---- apparmor.d/profiles-s-z/tomb | 4 +++- apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/virt-manager | 1 - apparmor.d/profiles-s-z/wemeet | 2 +- apparmor.d/profiles-s-z/which | 1 + 40 files changed, 89 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index f876d1210..a8c13b3fd 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include include network inet dgram, @@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 7faf52185..4296f03af 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { @{browsers_path} Px, @{file_explorers_path} Px, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + include if exists include if exists } diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71141595b..f3845daef 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -33,7 +33,12 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 398b2b679..cabcca062 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -27,6 +27,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=loupe//bwrap, + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" dbus send bus=system path=/org/freedesktop/hostname1 diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5ad6bb7b5..d8e7c3341 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -35,6 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 9a22e3de8..0318c7265 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/papers -profile papers @{exec_path} { +profile papers @{exec_path} flags=(attach_disconnected) { include include include @@ -16,6 +16,8 @@ profile papers @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b65823520..40c23b660 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,7 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, @@ -39,6 +39,7 @@ profile gpg @{exec_path} { /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8331951e7..d68c0b832 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index ee23781f4..3e916efe3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} { @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index 8e3ebb6b3..ff4c74664 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -10,14 +10,13 @@ include profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include + include include capability net_admin, @{exec_path} mr, - @{system_share_dirs}/applications/*.desktop r, - @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index d7c61e336..a55bf752d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 62bada2a8..640e48f3f 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, @{att}/@{run}/systemd/notify w, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 440ef4117..af91c7eaa 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -64,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rw, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index b5a24940d..a10659292 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -14,6 +14,7 @@ profile lsusb @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 14ace0dea..2976d1316 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 7559e4e48..6fc1d5bb2 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index bf3d48204..d8c71803d 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} { include include include + include + include include + include include include @@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 3fbefadb7..ba51fc8a5 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,6 +10,7 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -28,7 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index f3bbaf019..971cdf55e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{sbin}/libvirtd rPx, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 44d6962f5..f10da1798 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -92,6 +92,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 6d2683ade..544be3be0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -33,6 +33,7 @@ profile borg @{exec_path} { @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 4910629ce..bac8aea75 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -48,7 +48,7 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 7a11e407f..aa0a56648 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -13,7 +13,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/mkdir rix, @{run}/console-setup/ rw, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 87c2bbaba..2e7723995 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -13,16 +13,16 @@ include @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 579536674..aabde9cef 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} { include signal receive set=term peer=*//shell, - signal receive set=term peer=vscode, + signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index cb459919f..7fbe74040 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} { +profile homebank @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 2370271ec..47cbb22a2 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 0a9e6dfc2..dfb9361f3 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -27,6 +27,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -107,6 +108,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 04d2f0330..f2895299f 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -16,6 +16,8 @@ profile linux-check-removal @{exec_path} { @{bin}/stty rix, + /etc/shadow r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index d2d52d362..5214632dc 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -30,10 +30,16 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { #aa:only apt @{bin}/dpkg-query px, - /etc/ r, - /etc/*-release r, - /etc/lsb-release r, - /etc/lsb-release.d/{,*} r, + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index cae5c1c3d..136536764 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -68,6 +68,7 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 15adcb9e6..4cc5fc9fb 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} { +profile mdadm @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ca9680aea..a9bd819e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -33,6 +33,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { /etc/lsb-release r, /etc/machine-id r, + /etc/os-release r, owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f245e4312..ed1ccfe1c 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -57,6 +57,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, @@ -70,6 +72,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 83e1b2f45..d504b0c15 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -11,6 +11,7 @@ include profile syncthing @{exec_path} { include include + include include include include @@ -26,10 +27,6 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - @{HOME}/ r, @{HOME}/** rwk, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 9b0912bd9..df4258b8c 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,6 +21,7 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @@ -43,11 +44,11 @@ profile tomb @{exec_path} { @{bin}/findmnt rix, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -64,6 +65,7 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, + @{sbin}/losetup rix, @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 76ec27b68..9c686b19d 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -16,6 +16,7 @@ profile udev-fido_id @{exec_path} { /etc/udev/udev.conf r, @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index aed85abe3..8a1b5f355 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -51,7 +51,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 3606533d7..0b83e44c8 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -13,10 +13,10 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index df049741f..c4de427ff 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -33,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists From 4db65834a402444b18a10fc7e43b879dc79f5ff5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:15:42 +0200 Subject: [PATCH 117/155] feat(abs): glibc: restrict auxv maps and statux to owner. --- apparmor.d/abstractions/glibc | 12 +++++++++--- apparmor.d/groups/apt/apt-overlay | 1 - apparmor.d/groups/polkit/polkitd | 3 ++- apparmor.d/groups/procps/ps | 1 + apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-m-r/mdevctl | 2 -- apparmor.d/profiles-s-z/syncoid | 2 -- 8 files changed, 14 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index aa6e14416..8536470bd 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -22,9 +22,15 @@ @{PROC}/stat r, # Glibc's *printf protections read the maps file - @{PROC}/@{pid}/auxv r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/status r, + owner @{PROC}/@{pid}/auxv r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/status r, + + # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, + # but in a format that is simpler to manage, because it doesn't require to + # parse the text data inside a file, but just reading the contents of + # a directory. + owner @{PROC}/@{pid}/map_files/ r, # Glibc statvfs @{PROC}/filesystems r, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 4ba9e57d7..7f59635eb 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, - owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index c2de7f8b6..fa00311cd 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -65,8 +65,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 1d9ae50cb..7663cbf5d 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index ad3d96990..2765d8f10 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index f10da1798..2b0530ef5 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -284,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - owner @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, /dev/net/tun rw, diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 906dcf512..408947c83 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -19,8 +19,6 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index e275fb764..fc30c5fd6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - @{PROC}/@{pids}/maps r, - include if exists } From 544204e511ce6938fb2da2b9f01d28fd3ce34338 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:22:22 +0200 Subject: [PATCH 118/155] feat(abs): add the user-dirs abstraction. --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/user-dirs | 14 ++++++++++++++ .../groups/freedesktop/xdg-user-dirs-gtk-update | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-update | 4 +--- apparmor.d/groups/systemd/systemd-path | 3 +-- apparmor.d/profiles-g-l/grim | 3 +-- apparmor.d/profiles-s-z/spice-vdagent | 8 ++++---- 9 files changed, 25 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/abstractions/user-dirs diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 4a32a1aa7..1bb4c20ea 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -17,6 +17,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 445c62e6b..72d09126e 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 5fbdd7869..02a0bc9c5 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs new file mode 100644 index 000000000..189f8eb38 --- /dev/null +++ b/apparmor.d/abstractions/user-dirs @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + + owner @{user_config_dirs}/user-dirs.dirs r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index b2ae65450..cf488af63 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -14,13 +14,13 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include + include @{exec_path} mr, @{bin}/xdg-user-dirs-update Px, owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, owner @{tmp}/dirs-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 7177703a9..09c66d6ac 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -9,13 +9,11 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include + include include @{exec_path} mr, - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 747527776..0d061d845 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -10,11 +10,10 @@ include profile systemd-path @{exec_path} { include include + include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - include if exists } diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9e40a8aca..5717837ec 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include + include include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - owner @{HOME}/@{int8}_**_grim.png w, owner /dev/shm/grim-@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index c73f5f678..158ea6a7f 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,10 +19,12 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include + include + include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -38,7 +39,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, From e50e87bd618543d9a638b4512bf8d72b82eb9524 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:14 +0200 Subject: [PATCH 119/155] feat(abs): update base additions. --- apparmor.d/abstractions/base.d/complete | 28 +++++++++++++------------ 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ad3945eb9..d89688b70 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -8,20 +8,20 @@ signal receive peer=@{p_systemd_user}, # Allow to receive some signals from new well-known profiles - signal (receive) peer=btop, - signal (receive) peer=htop, - signal (receive) peer=pkill, - signal (receive) peer=sudo, - signal (receive) peer=top, - signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(hup term) peer=login, - signal (receive) set=(hup) peer=xinit, - signal (receive) set=(term,kill) peer=gnome-shell, - signal (receive) set=(term,kill) peer=gnome-system-monitor, - signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(term,kill) peer=su, + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=pkill, + signal receive peer=sudo, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(hup term) peer=login, + signal receive set=(hup) peer=xinit, + signal receive set=(term,kill) peer=gnome-shell, + signal receive set=(term,kill) peer=gnome-system-monitor, + signal receive set=(term,kill) peer=openbox, + signal receive set=(term,kill) peer=su, - ptrace (readby) peer=@{p_systemd_coredump}, + ptrace readby peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, @@ -30,4 +30,6 @@ @{PROC}/sys/kernel/core_pattern r, + /apparmor/.null rw, + # vim:syntax=apparmor From 5faca8461df97d62d065ca8a7430405621d39e54 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:59 +0200 Subject: [PATCH 120/155] feat(abs): remove user-dirs from recently-used abs. --- apparmor.d/abstractions/recently-used | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used index d3a7ec289..66a80867b 100644 --- a/apparmor.d/abstractions/recently-used +++ b/apparmor.d/abstractions/recently-used @@ -14,8 +14,6 @@ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, owner @{user_share_dirs}/recently-used.xbel.lock rwk, - owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? - include if exists # vim:syntax=apparmor From c9813dc34f241e392d055234d754b76a0e803102 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:26:17 +0200 Subject: [PATCH 121/155] feat(abs): improve dbus rules in open & common gnome abs. --- apparmor.d/abstractions/app/open | 3 ++- apparmor.d/abstractions/common/gnome | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 243d18261..3d91de235 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,6 +7,8 @@ abi , + include + include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -30,7 +32,6 @@ include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 056f6581b..f0dd20f47 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -9,6 +9,8 @@ include include include + include + include include include include From 61d8cee932d7671302f786f8f7f2b84d0d057bdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:27:58 +0200 Subject: [PATCH 122/155] feat(profile): ssh: cleanup. --- apparmor.d/groups/ssh/ssh-agent | 1 + apparmor.d/groups/ssh/ssh-keygen | 3 ++- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshfs | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index f6732b1cf..9fc2900b4 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index b55824e58..1b6dd5e98 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -18,7 +18,8 @@ profile ssh-keygen @{exec_path} { /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, owner /tmp/snapd@{int}/*_*{,.pub} w, owner /tmp/snapd@{int}/*.key{,.pub} w, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 63f2c1370..40cf0bca2 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -102,7 +102,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 12e7d8930..ee6a2f903 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -18,7 +18,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{MOUNTS}/*/, mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), @{exec_path} mr, From 5d1ef4087741d3acf84fe50b26c5669ade291f10 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:55:42 +0200 Subject: [PATCH 123/155] feat(profile): add some missing proc access. Due to recent changes in base-strict. --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/gnome/gdm-generate-config | 7 ++++--- apparmor.d/groups/procps/htop | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 0ec14bea0..f563712ca 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,6 +19,7 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 9d910cdd2..6e67866f5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,9 +42,10 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/stat r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index d59fde5e5..4937f6875 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -105,6 +105,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/oom_{,score_}adj r, From be0d481068929ddd1787bbf8cb16a9cf4619deed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:56:41 +0200 Subject: [PATCH 124/155] feat(profile): remove common/systemd from systemd-detect-virt. --- apparmor.d/groups/systemd/systemd-detect-virt | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 01e49025f..9b78b7c04 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,11 +11,10 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include - include - capability net_admin, + capability sys_ptrace, - network netlink raw, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @@ -32,7 +31,14 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, + @{sys}/hypervisor/type r, + @{PROC}/1/environ r, + @{PROC}/device-tree/ r, + @{PROC}/device-tree/compatible r, + @{PROC}/device-tree/hypervisor/compatible r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sysinfo r, @{PROC}/xen/capabilities r, /dev/cpu/@{int}/msr r, From 2bb42bfca21bf7b372fccdeb763c33ef0f8875b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:14:12 +0200 Subject: [PATCH 125/155] build: add support for apparmor 5.0 (current master branch) --- dists/overwrite | 3 +++ pkg/prebuild/prepare/configure.go | 35 ++++++++++++++++++++++++------- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index c8769ba54..16f8f4a19 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -38,3 +38,6 @@ openvpn remmina transmission wg-quick +systemd-detect-virt # Missing integration with @{p_systemd} +hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables + diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index a6e954485..cf16f5b8e 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -23,6 +23,15 @@ func init() { }) } +func removeFiles(files []string) error { + for _, name := range files { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return err + } + } + return nil +} + func (p Configure) Apply() ([]string, error) { res := []string{} @@ -57,19 +66,31 @@ func (p Configure) Apply() ([]string, error) { } - if prebuild.Version == 4.1 { - // Remove files upstreamed in 4.1 + if prebuild.Version >= 4.1 { remove := []string{ + // Remove files upstreamed in 4.1 "abstractions/devices-usb-read", "abstractions/devices-usb", "abstractions/nameservice-strict", "tunables/multiarch.d/base", - "wg", // Upstream version is identical + + // Direct upstream contributed profiles, similar to ours + "wg", } - for _, name := range remove { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { - return res, err - } + if err := removeFiles(remove); err != nil { + return res, err + } + } + if prebuild.Version >= 5.0 { + remove := []string{ + // Direct upstrem contributed profiles, similar to ours + "dig", + "free", + "nslookup", + "who", + } + if err := removeFiles(remove); err != nil { + return res, err } } return res, nil From 57251820e1bafa211deef302d907a21213a1b523 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:48:01 +0200 Subject: [PATCH 126/155] build: improve support for aa 5.0 --- dists/overwrite | 5 +++-- pkg/prebuild/prepare/configure.go | 10 ++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 16f8f4a19..70ee1cc41 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -6,6 +6,7 @@ brave chrome chromium +cockpit-desktop element-desktop epiphany firefox @@ -29,8 +30,8 @@ unix-chkpwd # Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while # They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: -# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile -# - Drop ours: when upstream profiles is better +# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) fusermount3 lsblk lsusb diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index cf16f5b8e..9ca3b14d3 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,6 +6,7 @@ package prepare import ( "fmt" + "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -92,6 +93,15 @@ func (p Configure) Apply() ([]string, error) { if err := removeFiles(remove); err != nil { return res, err } + + // @{pci_bus} was upstreamed in 5.0 + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + return res, path.WriteFile([]byte(out)) } return res, nil } From a3fde24b3deb9ecbd0ddebdf920315b24af46182 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 23:58:39 +0200 Subject: [PATCH 127/155] feat: add aliases for all coreutils. --- apparmor.d/tunables/alias.d/coreutils | 112 ++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 apparmor.d/tunables/alias.d/coreutils diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils new file mode 100644 index 000000000..9fed4fefc --- /dev/null +++ b/apparmor.d/tunables/alias.d/coreutils @@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has +# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we +# provide aliases for all the coreutils names to their gnu* counterpart. + + alias /{,usr/}bin/dd -> /usr/bin/gnudd, + alias /{,usr/}bin/tee -> /usr/bin/gnutee, + alias /{,usr/}bin/paste -> /usr/bin/gnupaste, + alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, + alias /{,usr/}bin/env -> /usr/bin/gnuenv, + alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, + alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, + alias /{,usr/}bin/shred -> /usr/bin/gnushred, + alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, + alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, + alias /{,usr/}bin/stty -> /usr/bin/gnustty, + alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, + alias /{,usr/}bin/pr -> /usr/bin/gnupr, + alias /{,usr/}bin/nice -> /usr/bin/gnunice, + alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, + alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, + alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, + alias /{,usr/}bin/logname -> /usr/bin/gnulogname, + alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, + alias /{,usr/}bin/chown -> /usr/bin/gnuchown, + alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, + alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, + alias /{,usr/}bin/true -> /usr/bin/gnutrue, + alias /{,usr/}bin/groups -> /usr/bin/gnugroups, + alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, + alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, + alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, + alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, + alias /{,usr/}bin/rm -> /usr/bin/gnurm, + alias /{,usr/}bin/cat -> /usr/bin/gnucat, + alias /{,usr/}bin/tac -> /usr/bin/gnutac, + alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, + alias /{,usr/}bin/seq -> /usr/bin/gnuseq, + alias /{,usr/}bin/cut -> /usr/bin/gnucut, + alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, + alias /{,usr/}bin/split -> /usr/bin/gnusplit, + alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, + alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, + alias /{,usr/}bin/who -> /usr/bin/gnuwho, + alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, + alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, + alias /{,usr/}bin/ls -> /usr/bin/gnuls, + alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, + alias /{,usr/}bin/arch -> /usr/bin/gnuarch, + alias /{,usr/}bin/head -> /usr/bin/gnuhead, + alias /{,usr/}bin/date -> /usr/bin/gnudate, + alias /{,usr/}bin/wc -> /usr/bin/gnuwc, + alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, + alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, + alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, + alias /{,usr/}bin/du -> /usr/bin/gnudu, + alias /{,usr/}bin/cp -> /usr/bin/gnucp, + alias /{,usr/}bin/tty -> /usr/bin/gnutty, + alias /{,usr/}bin/sync -> /usr/bin/gnusync, + alias /{,usr/}bin/fold -> /usr/bin/gnufold, + alias /{,usr/}bin/users -> /usr/bin/gnuusers, + alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, + alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, + alias /{,usr/}bin/sort -> /usr/bin/gnusort, + alias /{,usr/}bin/[ -> /usr/bin/gnu[, + alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, + alias /{,usr/}bin/od -> /usr/bin/gnuod, + alias /{,usr/}bin/tr -> /usr/bin/gnutr, + alias /{,usr/}bin/join -> /usr/bin/gnujoin, + alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, + alias /{,usr/}bin/false -> /usr/bin/gnufalse, + alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, + alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, + alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, + alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, + alias /{,usr/}bin/factor -> /usr/bin/gnufactor, + alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, + alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, + alias /{,usr/}bin/basename -> /usr/bin/gnubasename, + alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, + alias /{,usr/}bin/sha1sum -> /usr/bin/gnusha1sum, + alias /{,usr/}bin/ln -> /usr/bin/gnuln, + alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, + alias /{,usr/}bin/echo -> /usr/bin/gnuecho, + alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, + alias /{,usr/}bin/dir -> /usr/bin/gnudir, + alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, + alias /{,usr/}bin/touch -> /usr/bin/gnutouch, + alias /{,usr/}bin/mv -> /usr/bin/gnumv, + alias /{,usr/}bin/sum -> /usr/bin/gnusum, + alias /{,usr/}bin/stat -> /usr/bin/gnustat, + alias /{,usr/}bin/yes -> /usr/bin/gnuyes, + alias /{,usr/}bin/install -> /usr/bin/gnuinstall, + alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, + alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, + alias /{,usr/}bin/tail -> /usr/bin/gnutail, + alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, + alias /{,usr/}bin/comm -> /usr/bin/gnucomm, + alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, + alias /{,usr/}bin/uname -> /usr/bin/gnuuname, + alias /{,usr/}bin/test -> /usr/bin/gnutest, + alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, + alias /{,usr/}bin/link -> /usr/bin/gnulink, + alias /{,usr/}bin/df -> /usr/bin/gnudf, + alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, + alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, + alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, + alias /{,usr/}bin/id -> /usr/bin/gnuid, + alias /{,usr/}bin/nl -> /usr/bin/gnunl, From 2bae05d30940d14ad09a86c5b666257e43c17058 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:05:19 +0200 Subject: [PATCH 128/155] feat(abs): add varianttable to apt common. --- apparmor.d/abstractions/common/apt | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 5dd8b26bc..a267fd909 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -7,6 +7,7 @@ /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, From 1122f28cacf84e4cfea8796d73d90a0a37b7fb6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:46:40 +0200 Subject: [PATCH 129/155] tests(packer): cleanup package install process. - apparmor restart is handled by the package - it is a dev version, so it could fail. --- tests/packer/init.sh | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index bf75c0e1e..630da6b0f 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -27,27 +27,21 @@ main() { case "$DISTRIBUTION" in arch) rm -f $SRC/*.sig # Ignore signature files - pacman --noconfirm -U $SRC/*.pkg.tar.zst + rm -f $SRC/*enforced* # Ignore enforced package + pacman --noconfirm -U $SRC/*.pkg.tar.zst || true ;; debian | ubuntu) - apt install -y apparmor-profiles + apt-get install -y apparmor-profiles dpkg -i $SRC/*.deb || true ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - rpm -i $SRC/*.rpm + rpm -i $SRC/*.rpm || true ;; esac - - verb="start" - rm -rf /var/cache/apparmor/* || true - if systemctl is-active -q apparmor; then - verb="reload" - fi - systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" From 94f01c68f696fd858ec65195113cad95f8d514fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:48:11 +0200 Subject: [PATCH 130/155] feat(tunable): update home dir for gdm & add desktop_state_dirs. --- apparmor.d/tunables/multiarch.d/system-users | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 885913da3..73a3267a0 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,11 +5,12 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -17,6 +18,7 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ +@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ @@ -31,5 +33,6 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} +@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor From b5020eac891099c023aad7e3b51375fbe663e0ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:22:01 +0200 Subject: [PATCH 131/155] tests(packer): remobe sudo alias --- tests/packer/src/.bash_aliases | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 27e05bf80..2580556fd 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,7 +8,6 @@ for nb in $(seq "$1"); do done } -alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear' From 0ada92da328c830fddf1550352c02405d89f9ef8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:35:04 +0200 Subject: [PATCH 132/155] refractor(abs): gsettings -> gschemas. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/{gsettings => gschemas} | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/abstractions/{gsettings => gschemas} (88%) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 1bb4c20ea..3bfbcc887 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -11,7 +11,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 72d09126e..4d2d390ee 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gschemas similarity index 88% rename from apparmor.d/abstractions/gsettings rename to apparmor.d/abstractions/gschemas index 4d22f080b..21a4d860c 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gschemas @@ -9,6 +9,6 @@ @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 02a0bc9c5..a06a29da4 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index a8c13b3fd..c254fcd2d 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -15,7 +15,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include network inet dgram, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index cf497e39f..982afd90d 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -13,7 +13,7 @@ profile ptyxis-agent @{exec_path} { include include include - include + include include signal send set=hup peer=unconfined, From d6ddbf104cdfc07615b8f32c306d9db766a9ce77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:56:05 +0200 Subject: [PATCH 133/155] refractor(profile): always use the gschemas abstraction. --- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/freedesktop/geoclue | 5 ++--- apparmor.d/groups/gnome/chrome-gnome-shell | 3 +-- apparmor.d/groups/gnome/deja-dup-monitor | 3 +-- apparmor.d/groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 3 +-- apparmor.d/groups/gnome/evolution-source-registry | 3 +-- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gnome-browser-connector-host | 3 +-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 -- apparmor.d/groups/gnome/gsd-a11y-settings | 4 ++-- apparmor.d/groups/gnome/gsd-datetime | 4 ++-- apparmor.d/groups/gnome/gsd-sharing | 4 ++-- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gnome/gsd-usb-protection | 3 +-- apparmor.d/groups/gnome/session-migration | 4 ++-- apparmor.d/groups/gvfs/gvfsd-network | 3 +-- apparmor.d/groups/gvfs/gvfsd-smb-browse | 3 +-- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/profiles-g-l/gsettings | 3 ++- apparmor.d/profiles-m-r/mission-control | 2 +- 22 files changed, 26 insertions(+), 37 deletions(-) diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index d110fb83b..df17e0d9f 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,6 +10,7 @@ include profile xdm-xsession @{exec_path} { include include + include include include include @@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 6332f49e2..fbc7a7582 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include - include include include include include include + include + include include include include @@ -29,8 +30,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 8c6372ba5..944d5e1d5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,6 +10,7 @@ include profile chrome-gnome-shell @{exec_path} { include include + include include include include @@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index ac5d6af81..fcafbda5f 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -17,6 +17,7 @@ profile deja-dup-monitor @{exec_path} { include include include + include network netlink raw, @@ -44,8 +45,6 @@ profile deja-dup-monitor @{exec_path} { @{bin}/ionice rix, @{bin}/deja-dup Px, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /var/tmp/ r, /tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index c9a9d72c9..b56af123d 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -15,6 +15,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include + include include include include @@ -63,7 +64,6 @@ profile evolution-addressbook-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index fba734ad4..3d1d00f28 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -14,6 +14,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include @@ -65,8 +66,6 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index a5a1bd414..299d0738b 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -13,6 +13,7 @@ profile evolution-source-registry @{exec_path} { include include include + include include include include @@ -47,8 +48,6 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c..2882c3d9e 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} { include include include + include include include @@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 95af09ed6..e95762b6a 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -11,6 +11,7 @@ profile gnome-browser-connector-host @{exec_path} { include include include + include @{exec_path} mr, @@ -19,8 +20,6 @@ profile gnome-browser-connector-host @{exec_path} { @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 2f3e51670..6ddbd4b4c 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -35,8 +35,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 5f05c21da..34ce2884d 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0190ad9b3..af1784e68 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 45b3ea1b9..7b47b0676 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -34,7 +35,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index bdacbfd00..98ce848ba 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 871203e6c..2b64ddf06 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include + include signal receive set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 2359c9f39..3bfffdb6a 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -11,13 +11,12 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - include if exists } diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index aeb46f6c0..b31532cae 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include include + include + include include @{exec_path} mr, @@ -21,7 +22,6 @@ profile session-migration @{exec_path} { @{bin}/gsettings rPx, /usr/share/session-migration/scripts/* rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, owner @{gdm_share_dirs}/ w, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 1af0a2b37..46f543fa4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -14,6 +14,7 @@ profile gvfsd-network @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -44,8 +45,6 @@ profile gvfsd-network @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 59d778133..a90cddc50 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -13,6 +13,7 @@ profile gvfsd-smb-browse @{exec_path} { include include include + include include network netlink raw, @@ -35,8 +36,6 @@ profile gvfsd-smb-browse @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 271ff23e4..3d2cbd63d 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -117,7 +117,6 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 849599977..2e0eb2cf7 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -9,9 +9,10 @@ include @{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} flags=(attach_disconnected) { include - include include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b8e79c0dc..bf6c55093 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include + include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, From 4f1fddd2fb38dfc5a36bdf0ef32cd815fd380cfb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 14:25:43 +0200 Subject: [PATCH 134/155] feat(profile): use natural transition instead of systemd drop in config when possible. As we can transition to the good profile naturally, do not use systemd for it. This bypass the apparmor error: `change_profile unprivileged unconfined converted to stacking`. Note: we cannot do the same for dbus-system and dbus-session are they have the same binary. --- systemd/default/user/at-spi-dbus-bus.service | 2 -- systemd/default/user/org.freedesktop.IBus.session.GNOME.service | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 systemd/default/user/at-spi-dbus-bus.service delete mode 100644 systemd/default/user/org.freedesktop.IBus.session.GNOME.service diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service deleted file mode 100644 index 9c1fad533..000000000 --- a/systemd/default/user/at-spi-dbus-bus.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service deleted file mode 100644 index 818d5cdf3..000000000 --- a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=ibus-daemon From f5e2572457acd411e3b0b7ec0f7725e4a64d0f99 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:37:47 +0200 Subject: [PATCH 135/155] feat(profile): cleanup usage of icons abs. --- apparmor.d/groups/freedesktop/xsetroot | 5 +---- apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/hyprland/hyprpaper | 3 +-- apparmor.d/groups/hyprland/hyprpicker | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 1 - apparmor.d/groups/kde/plasmashell | 3 --- apparmor.d/groups/lxqt/lxqt-runner | 1 - 9 files changed, 3 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index bc1291ef4..c0ddcb359 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include include capability dac_read_search, @@ -18,10 +19,6 @@ profile xsetroot @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, - - owner @{HOME}/.icons/** r, - owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1c35a8ec1..fde43420a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -88,7 +88,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, - /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b34d18c00..5eb78d8bb 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -187,7 +187,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /opt/**/share/icons/{,**} r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 3cb8dca92..6d0674d9f 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, - /usr/share/icons/** r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index a46d53f4c..7becc5fb6 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include + include @{exec_path} mr, @{bin}/wl-copy Px, - /usr/share/icons/** r, - owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, owner /dev/shm/@{uuid} r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 4b1e734ed..b70d50666 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,8 +24,6 @@ profile kaccess @{exec_path} { @{bin}/gsettings rPx, - /usr/share/icons/{,**} r, - /etc/machine-id r, owner @{user_config_dirs}/breezerc r, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index cf9646051..4560427ad 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,7 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/icons/breeze/index.theme r, /usr/share/mime/{,**} r, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e767d7bb5..45f0d43e9 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -77,9 +77,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { #aa:exec kioworker - /opt/**/share/icons/{,**} r, - /opt/*/**/*.desktop r, - /opt/*/**/*.png r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 9477c1bda..5783c1fa0 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -14,7 +14,6 @@ profile lxqt-runner @{exec_path} { @{exec_path} mr, - /usr/share/icons/ r, /usr/share/desktop-directories/ r, /usr/share/desktop-directories/{,**} r, From ac6eac13334224bc5c0273fcef673e6bcbf41a1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:47:07 +0200 Subject: [PATCH 136/155] feat(profile): cleanup usage of mime abs. --- apparmor.d/groups/flatpak/flatpak-portal | 5 +---- apparmor.d/groups/flatpak/flatpak-system-helper | 2 +- apparmor.d/groups/freedesktop/colord | 4 +--- apparmor.d/groups/gnome/gnome-photos-thumbnailer | 3 +-- apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer | 3 +-- apparmor.d/groups/gvfs/gvfsd-admin | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 2 -- apparmor.d/groups/kde/startplasma | 2 -- apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/lxqt/startlxqt | 1 - apparmor.d/groups/virt/cni-calico | 3 +-- apparmor.d/groups/virt/k3s | 1 - apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/evince-thumbnailer | 2 +- apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-g-l/hugo | 2 +- apparmor.d/profiles-m-r/mimetype | 11 +---------- 18 files changed, 12 insertions(+), 40 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index b86f0a4fd..fdbdb9189 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -32,11 +33,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, - /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner /att/**/ r, owner @{att}/.flatpak-info r, @@ -44,7 +42,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 1381a1483..0ca01d01d 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -11,6 +11,7 @@ profile flatpak-system-helper @{exec_path} { include include include + include include include include @@ -42,7 +43,6 @@ profile flatpak-system-helper @{exec_path} { /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, - /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 81d0c9f6b..b3cda6307 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -31,11 +32,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, - @{system_share_dirs}/mime/mime.cache r, - owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 0182e9dad..31d9b7987 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -9,12 +9,11 @@ include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include + include include @{exec_path} mr, - /usr/share/mime/mime.cache r, - owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 51d5b43cf..56e448fd8 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,11 +10,10 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, - @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index e1b16cac3..44248cbe3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include include capability chown, @@ -20,8 +21,6 @@ profile gvfsd-admin @{exec_path} { @{exec_path} mr, - /usr/share/mime/mime.cache r, - #aa:lint ignore=too-wide # Full access to system's data, but no write access to sensitive system directories / r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index b70d50666..8258d1bde 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -29,8 +29,6 @@ profile kaccess @{exec_path} { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_share_dirs}/mime/generic-icons r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 4560427ad..571581059 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,8 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/mime/{,**} r, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 5db93719c..a8c8cbd13 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -48,8 +48,6 @@ profile startplasma @{exec_path} { /etc/xdg/plasma-workspace/env/{,*} r, /etc/xdg/plasmarc r, - /var/lib/flatpak/exports/share/mime/ r, - @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 3a4a6cd61..085b444b1 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -47,7 +47,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-user-dirs-update rPx, /usr/share/ r, - /usr/share/mime/ r, /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index a708e2336..3ae907116 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -31,7 +31,6 @@ profile startlxqt @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices5/{,**} r, - /usr/share/mime/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,**} r, diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index a6c9149d2..9015d2157 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include + include capability sys_admin, capability net_admin, @@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - /usr/share/mime/globs2 r, - @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 2142e28b9..59c4b9473 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -68,7 +68,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 2b0530ef5..23e8e20d1 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -23,6 +23,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -141,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 95fdba512..6fbabaf28 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 58ba493cc..d7a72c236 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -17,6 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include include include @@ -57,7 +58,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, - /usr/share/mime/mime.cache r, /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, @@ -77,7 +77,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/} r, @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index ed62f48f1..fd9c3dfa0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include + include include include @@ -26,7 +27,6 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, - /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 91d021fae..1576050b5 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -11,22 +11,13 @@ include profile mimetype @{exec_path} { include include + include @{exec_path} r, - /usr/share/mime/**.xml r, - /usr/share/mime/globs r, - /usr/share/mime/aliases r, - /usr/share/mime/magic r, - # To read files owner /** r, #aa:lint ignore=too-wide - owner @{user_share_dirs}/mime/**.xml r, - owner @{user_share_dirs}/mime/globs r, - owner @{user_share_dirs}/mime/aliases r, - owner @{user_share_dirs}/mime/magic r, - include if exists } From 45faf0eee06759b5a9213f65f51519b377a2a1ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:57:09 +0200 Subject: [PATCH 137/155] fix(tunable): add missing lightdm_state_dirs tunable. --- apparmor.d/tunables/multiarch.d/system-users | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 73a3267a0..1513aae2f 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -26,6 +26,7 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ +@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} From a3426fef8cedc0a5b46a6184b2309d40598ecb30 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:23:48 +0200 Subject: [PATCH 138/155] feat: precise nvidia devices number. --- apparmor.d/abstractions/nvidia-strict | 2 +- apparmor.d/abstractions/nvidia.d/complete | 2 +- apparmor.d/groups/children/child-modprobe-nvidia | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index c3aa8e805..a7529eb9a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -35,7 +35,7 @@ owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{int} w, # Nvidia graphics devices + /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset rw, /dev/nvidia@{int} rw, /dev/nvidiactl rw, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index ef9d0c40d..e00385efd 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{int} rw, # Nvidia graphics devices + /dev/char/195:@{u8} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 61191fe9d..8e991cee7 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -41,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{int} w, # Nvidia graphics devices + owner /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, From 9ee26050261c69e4f0654ec0e87e6d26d958b8e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:29:11 +0200 Subject: [PATCH 139/155] tests(packer): simplify pkg install script. --- tests/packer/init.sh | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 630da6b0f..44a86220f 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -3,16 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eux +set -eux -o pipefail -_lsb_release() { - # shellcheck source=/dev/null - . /etc/os-release - echo "$ID" -} -DISTRIBUTION="$(_lsb_release)" +# shellcheck source=/dev/null +source /etc/os-release || exit 1 readonly SRC=/tmp/ -readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" @@ -24,7 +19,7 @@ main() { install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$DISTRIBUTION" in + case "$ID" in arch) rm -f $SRC/*.sig # Ignore signature files rm -f $SRC/*enforced* # Ignore enforced package @@ -32,8 +27,10 @@ main() { ;; debian | ubuntu) - apt-get install -y apparmor-profiles - dpkg -i $SRC/*.deb || true + # Do not install apparmor.d on the current development version + if [[ $VERSION_ID != "25.10" ]]; then + dpkg -i $SRC/*.deb || true + fi ;; opensuse*) From 9a4d878557b814fbeac1c3636b3cfb29550aa24a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:38:00 +0200 Subject: [PATCH 140/155] refractor(abs): add screensaver abs, move bus screensaver abs. --- apparmor.d/abstractions/app/chromium | 3 +-- .../abstractions/bus/org.gnome.ScreenSaver | 21 --------------- .../bus/session/org.freedesktop.ScreenSaver | 26 +++++++++++++++++++ .../org.gnome.ScreenSaver} | 12 +++++---- apparmor.d/abstractions/screensaver | 14 ++++++++++ apparmor.d/groups/gnome/gnome-session-binary | 4 +-- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/element-desktop | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-m-r/pinentry-gnome3 | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 15 files changed, 59 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.ScreenSaver create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver rename apparmor.d/abstractions/bus/{org.freedesktop.ScreenSaver => session/org.gnome.ScreenSaver} (51%) create mode 100644 apparmor.d/abstractions/screensaver diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 8f991c230..dad131d64 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,11 +26,9 @@ include include include - include include include include - include include include include @@ -40,6 +38,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver deleted file mode 100644 index 46d1a1006..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name="@{busname}", label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver new file mode 100644 index 000000000..ee837b886 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/{,org/freedesktop/}ScreenSaver + interface=org.freedesktop.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + dbus receive bus=session path=/org/freedesktop/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver similarity index 51% rename from apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver rename to apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index f73768e9f..27c456637 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -2,18 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow checking status, activating and locking the screensaver (GNOME version) + abi , - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), + dbus send bus=session path=/{,org/gnome/}ScreenSaver + interface=org.gnome.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label=gjs-console), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} peer=(name=@{busname}, label=gjs-console), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver new file mode 100644 index 000000000..1a9369091 --- /dev/null +++ b/apparmor.d/abstractions/screensaver @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + include if exists + include if exists + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 447c030d6..b011935ae 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,13 +14,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include - include + include include include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 379f7b814..39cf990ca 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -23,7 +23,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 3b34d5055..e12c25b9d 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -18,9 +18,9 @@ profile discord @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index ec7ee9c65..f87486af3 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -18,10 +18,10 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 95e37b4d6..958f9b5ee 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -18,10 +18,10 @@ profile freetube @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f4a61b07b..b60d929e2 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -11,8 +11,8 @@ profile pinentry-gnome3 @{exec_path} { include include include - include include + include signal receive set=int, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index bf0740919..d91285558 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -18,10 +18,10 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ed1ccfe1c..659d650fe 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -22,7 +22,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index fc582cae2..d8b464956 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,10 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index d572ce9b8..ccf1abb61 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -27,6 +26,7 @@ profile vlc @{exec_path} { include include include + include include include From 5cc5a019d4b875ebb283b31848bf9413a8d8e76d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:40:42 +0200 Subject: [PATCH 141/155] feat(profile): snap: add support for dev version. --- apparmor.d/groups/snap/snap | 4 ++-- apparmor.d/groups/snap/snap-discard-ns | 2 +- apparmor.d/groups/snap/snap-failure | 2 +- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 ++-- apparmor.d/groups/snap/snapd-aa-prompt-listener | 2 +- apparmor.d/groups/snap/snapd-aa-prompt-ui | 2 +- apparmor.d/groups/snap/snapd-apparmor | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 927d7a3da..0d38fc055 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{bin_dirs}/snap profile snap @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns index 38396f3eb..0ccb3f1c7 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/groups/snap/snap-failure index edc9845e8..bed3a2d12 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 2a14fd583..90c1724be 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp profile snap-seccomp @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 98ee0e5e7..e831cc90c 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 06de56063..4a928e6d4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener index 7b9adced7..37730ba6f 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui index 0d26f42d3..99dc98efe 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 63251a976..47b939fa0 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { From 458126e7d7fea79a92b84fef53a455f79b8c0445 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 18:14:32 +0200 Subject: [PATCH 142/155] refractor(profile): add notification abs, move bus notifications. --- apparmor.d/abstractions/app/chromium | 2 +- .../bus/org.freedesktop.Notifications | 26 ------------------- .../bus/session/org.freedesktop.Notifications | 21 +++++++++++++++ .../bus/{ => session}/org.gtk.Notifications | 0 apparmor.d/abstractions/notifications | 12 +++++++++ apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 4 ++- apparmor.d/profiles-s-z/transmission | 2 +- 16 files changed, 47 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.Notifications create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Notifications rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Notifications (100%) create mode 100644 apparmor.d/abstractions/notifications diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dad131d64..f08a096ca 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -38,6 +37,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications deleted file mode 100644 index 6962bf7ec..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetCapabilities,GetServerInformation,Notify} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={NotificationClosed,CloseNotification} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=Notify - peer=(name=org.freedesktop.DBus, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications new file mode 100644 index 000000000..5c10a9eae --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}" + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={GetCapabilities,GetServerInformation,Notify,CloseNotification} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={ActionInvoked,NotificationClosed,NotificationReplied} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications similarity index 100% rename from apparmor.d/abstractions/bus/org.gtk.Notifications rename to apparmor.d/abstractions/bus/session/org.gtk.Notifications diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications new file mode 100644 index 000000000..8232b54b5 --- /dev/null +++ b/apparmor.d/abstractions/notifications @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 695be9f0d..e47cc66a3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,7 +19,6 @@ profile gnome-extension-ding @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-ding @{exec_path} { include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5eb78d8bb..0876b90d1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,9 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include - include include include include @@ -41,6 +39,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index f3845daef..baaac245f 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,11 +13,11 @@ profile gnome-software @{exec_path} { include include include - include include include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 39cf990ca..63ab49c5e 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,7 +18,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -30,6 +29,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8e9cddd54..0de63ac64 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,13 +14,13 @@ profile update-notifier @{exec_path} { include include include - include include include include include include include + include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index f40d69799..57487b15c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,11 +16,11 @@ include profile dropbox @{exec_path} { include include - include include include include include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 366c2aed6..78781ba28 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include include include include include include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index c2bc95465..17ca1ec5a 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index dc190b787..cafccd791 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -17,9 +17,9 @@ profile session-desktop @{exec_path} { include include include - include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 659d650fe..56f5e91b8 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -19,8 +19,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include - include + include include include include @@ -30,6 +31,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index ad219f1ab..78d67787d 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -12,12 +12,12 @@ profile transmission @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include + include include include include From bd295d2a9d2fe0afc6361ca8528eb531051e9f0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:04 +0200 Subject: [PATCH 143/155] refractor: move gtk dbus to they own abs. --- .../abstractions/bus/session/org.gtk.Actions | 22 +++++++++++++++++++ .../abstractions/bus/session/org.gtk.Settings | 18 +++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 19 ++-------------- 3 files changed, 42 insertions(+), 17 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Actions create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Settings diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions new file mode 100644 index 000000000..899f244a8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session + interface=org.gtk.Actions + member={Activate,DescribeAll,SetState}, + + dbus send bus=session + interface=org.gtk.Actions + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings new file mode 100644 index 000000000..9d2dd282a --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gsd-xsettings), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 99cf70d97..356e97705 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,23 +2,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState} - peer=(name=@{busname}), - - dbus send bus=session - interface=org.gtk.Actions - member=Changed, - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), + include + include @{lib}/{,@{multiarch}/}gtk*/** mr, From bd7ae9bb56badbb168d88dc0de859f59a1ad7344 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:40 +0200 Subject: [PATCH 144/155] chore: improve comment in type definition. --- pkg/prebuild/builder/stacked-dbus.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index 33af33df7..e33ecf4b7 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -19,7 +19,7 @@ var ( } ) -// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { prebuild.Base } From eee8241eb7649a302b65f6e840018755dd308b04 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:28:53 +0200 Subject: [PATCH 145/155] chore: cosmetic fixes. --- .../abstractions/bus/session/org.freedesktop.Notifications | 2 +- apparmor.d/abstractions/bus/session/org.gtk.Notifications | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index 5c10a9eae..b51c4bdcb 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -16,6 +16,6 @@ member={ActionInvoked,NotificationClosed,NotificationReplied} peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications index ad1a1ffad..151c642a8 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications @@ -11,6 +11,6 @@ member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor From 7eaae9e68c701e24710784c52e9db9fd2d44da87 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:25:57 +0200 Subject: [PATCH 146/155] fix(profile): wrong path in abstraction. --- apparmor.d/abstractions/notifications | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 5 +++-- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications index 8232b54b5..81d5cc94c 100644 --- a/apparmor.d/abstractions/notifications +++ b/apparmor.d/abstractions/notifications @@ -4,8 +4,8 @@ abi , - include - include + include + include include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c9585e2ab..92e6c9484 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -17,15 +16,17 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include include include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3f57b3035..22c02a97f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,7 +21,6 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include From 7cfff26ee273fca78aaea077cf63166d4883e2cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:46:52 +0200 Subject: [PATCH 147/155] fix(profile): abstraction not updated. --- apparmor.d/profiles-s-z/superproductivity | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 73a86672f..f7abf758b 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -20,13 +20,13 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include network inet stream, network inet6 stream, From a1ba00bec3e964e11cae0dd94346f8aebdffc188 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 23:00:13 +0200 Subject: [PATCH 148/155] feat(profile): general profile update. --- apparmor.d/groups/apparmor/apparmor_parser | 4 ++-- apparmor.d/groups/apt/debconf-frontend | 4 +++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/bluetooth/obexd | 5 +++++ apparmor.d/groups/cron/anacron | 3 +++ apparmor.d/groups/cups/cups-browsed | 4 +++- apparmor.d/groups/flatpak/flatpak | 3 +++ apparmor.d/groups/flatpak/flatpak-system-helper | 8 +++++++- apparmor.d/groups/freedesktop/wireplumber | 8 +++++--- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 13 +++++++++++++ apparmor.d/groups/gnome/gdm-session | 11 ++++++----- apparmor.d/groups/gnome/gnome-calculator | 1 + apparmor.d/groups/gnome/gnome-control-center | 3 ++- apparmor.d/groups/gnome/gnome-session | 3 +++ apparmor.d/groups/gnome/gnome-session-binary | 5 +++-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 5 +++-- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-usb-protection | 1 + apparmor.d/groups/gnome/gsd-wwan | 7 +++++++ apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/procps/htop | 1 + apparmor.d/groups/ssh/sshd | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 3 +++ apparmor.d/groups/systemd/systemd-detect-virt | 3 +++ apparmor.d/groups/systemd/systemd-remount-fs | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 8 ++++++++ apparmor.d/groups/systemd/zram-generator | 8 ++++++-- apparmor.d/groups/ubuntu/apport-gtk | 1 + apparmor.d/groups/utils/who | 2 +- apparmor.d/profiles-a-f/finalrd | 1 + apparmor.d/profiles-g-l/gsettings | 1 - apparmor.d/profiles-g-l/issue-generator | 3 ++- apparmor.d/profiles-m-r/mimetype | 2 +- apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/update-info-dir | 3 ++- apparmor.d/profiles-s-z/wsdd | 8 +++++++- apparmor.d/profiles-s-z/xournalpp | 2 +- 43 files changed, 121 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 0a9f9fcaf..a5769931c 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - deny /apparmor/.null rw, + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 4660755d6..6e80839fe 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, - # debconf apps + # Debconf apps @{bin}/adequate Px, @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms_* rPUx, + /etc/libpaper.d/texlive-base rPUx, + /usr/share/debconf/{,**} r, /etc/inputrc r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 7d2073768..8ae76e706 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -76,6 +76,7 @@ profile dpkg-scripts @{exec_path} { @{run}/** rw, @{efi}/grub/* rw, + /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 65ad4c0e5..3ea17a4e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -25,6 +25,11 @@ profile obexd @{exec_path} { member=Release peer=(name=:*, label="@{p_bluetoothd}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 3756c1d03..3acfc14fd 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -28,6 +28,7 @@ profile anacron @{exec_path} { @{tmp}/file@{rand6} rw, /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,7 +40,9 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index a7773a57f..7330d67c9 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -49,9 +49,11 @@ profile cups-browsed @{exec_path} { /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c540b9db8..e73408a0a 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -154,6 +154,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability setuid, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak), + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0ca01d01d..cdfef1bad 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -28,6 +28,11 @@ profile flatpak-system-helper @{exec_path} { ptrace read, + unix type=seqpacket peer=(label=dbus-system), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=unconfined), + #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper @{exec_path} mr, @@ -54,7 +59,8 @@ profile flatpak-system-helper @{exec_path} { @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7aff8bdd2..aefdc339d 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -47,8 +47,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, @@ -81,8 +81,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 89acacd34..21c99827b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} rPx -> child-open, + @{open_path} mrPx -> child-open, / r, @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index fcafbda5f..a0fb366ab 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -18,6 +18,8 @@ profile deja-dup-monitor @{exec_path} { include include include + include + include network netlink raw, @@ -39,15 +41,26 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, @{bin}/deja-dup Px, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 9a42bcdf1..c08d12a07 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -14,11 +14,12 @@ profile gdm-session @{exec_path} { include include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..4e83bfb76 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -10,6 +10,7 @@ include profile gnome-calculator @{exec_path} { include include + include include # Needed to get currency exchange rates diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index fde43420a..111facf64 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -130,7 +130,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 1f29958d1..7bcf80431 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -9,7 +9,10 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index b011935ae..f4c61c5c6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -28,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @@ -67,6 +67,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 6ddbd4b4c..37bb7b374 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index e4ac12011..8bcb629a9 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -22,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -75,6 +75,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index c399eadc7..5c8ab7c8a 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -12,6 +12,7 @@ profile gnome-text-editor @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35f43a93e..83fcbd7c6 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -17,6 +17,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 3bfffdb6a..7f03d9fc5 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -12,6 +12,7 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index ab2b2b089..3a5ee53df 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2e21750b9..7618dc3b6 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -43,7 +43,7 @@ profile gsd-xsettings @{exec_path} { dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=UserAdded + member={UserAdded,UserDeleted} peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 838dc940c..b0239f404 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -12,6 +12,7 @@ profile ptyxis @{exec_path} { include include include + include unix type=stream peer=(label=ptyxis-agent), diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 2307c709f..0965396ab 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -34,6 +34,7 @@ profile DiscoverNotifier @{exec_path} { @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 4937f6875..ef14d9ca9 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -112,6 +112,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/task/ r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 40cf0bca2..633076ad6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sbin}/sshd.hmac r, + @{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/false ix, @{sbin}/nologin Px, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index db1854f1f..061b93ffd 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b78b7c04..ca6eae3ad 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -43,6 +43,9 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { /dev/cpu/@{int}/msr r, + deny capability net_admin, + deny capability perfmon, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 96b182e5f..73213160b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{bin}/mount rix, - /etc/blkid.conf r, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 640e48f3f..cb9592d47 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -128,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 473848ef3..193bfc9b6 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/kmod rCx, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, @@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner /dev/pts/@{int} rw, - profile kmod { + profile kmod flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 3d2cbd63d..d7480a212 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,6 +17,7 @@ profile apport-gtk @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d951bfe03..d9ca9e164 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index b22730a27..7ce69ab64 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/finalrd profile finalrd @{exec_path} { include + include capability dac_read_search, capability sys_admin, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 2e0eb2cf7..9b8eca8ee 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -16,7 +16,6 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 7783c8005..093cd7100 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -19,6 +19,7 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -30,7 +31,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} r, + @{run}/issue.d/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 1576050b5..32950dbc4 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index d91285558..001f8605a 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,6 +21,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 9c686b19d..453e0093a 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -14,6 +14,7 @@ profile udev-fido_id @{exec_path} { @{exec_path} mr, /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/platform/**/report_descriptor r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index fe06b32af..dc2a0d7aa 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -14,8 +14,9 @@ profile update-info-dir @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/install-info Px, + @{bin}/cp ix, @{bin}/find ix, + @{bin}/install-info Px, @{bin}/rm ix, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index fc6955793..b72cff3c4 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -9,9 +9,14 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include include + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -28,7 +33,8 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 6442fe8b9..0d6c4d65f 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -37,7 +37,7 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + /dev/snd/pcmC@{int}D@{int}[cp] w, include if exists } From 4f9d2703d4851a196b0e4af88d549f4b24bdc2b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:07:01 +0200 Subject: [PATCH 149/155] build: separate the base-strict abs from the re-attach builder. Enable the use of the base-strict abs on all setup. --- apparmor.d/abstractions/attached/base | 2 +- cmd/prebuild/main.go | 5 +++-- pkg/prebuild/builder/attach.go | 5 +---- pkg/prebuild/builder/base-strict.go | 32 +++++++++++++++++++++++++++ 4 files changed, 37 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/base-strict.go diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 29c685f55..8741942ff 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,7 +8,7 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 62685202f..5eb1ab2f2 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -32,8 +32,9 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + "base-strict", // Use base-strict as base abstraction ) // Matrix of ABI/Apparmor version to integrate with diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index d27908129..66ef18aef 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -49,10 +49,7 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) + } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go new file mode 100644 index 000000000..29a065629 --- /dev/null +++ b/pkg/prebuild/builder/base-strict.go @@ -0,0 +1,32 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type BaseStrict struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&BaseStrict{ + Base: prebuild.Base{ + Keyword: "base-strict", + Msg: "Feat: use 'base-strict' as base abstraction", + }, + }) +} + +func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + return profile, nil +} From 7c6f7767575b2a0b6ed7870c6bd38483c42e1fb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:12:30 +0200 Subject: [PATCH 150/155] build: set default att to "" when not enabled. It fixes various issues with multiple / that are not collapsed in they canonical form in file rules See https://gitlab.com/apparmor/apparmor/-/issues/450#note_2158840105 --- apparmor.d/tunables/multiarch.d/system | 3 +-- pkg/prebuild/prepare/attach.go | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cf8575db0..b29be3f0c 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,7 +69,6 @@ # Default attachment path when re-attached path disconnected path is ignored. # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path -@{att}=/ -alias / -> //, +@{att}="" # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index 3331c73dc..4523382d8 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -32,7 +32,6 @@ func (p ReAttach) Apply() ([]string, error) { if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") - out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") + out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) return res, path.WriteFile([]byte(out)) } From 09c1f61bb7aab8f9aff5e7c87cee66d9d9104b83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:54:28 +0200 Subject: [PATCH 151/155] build(debian): use deb-systemd-invoke and minor lintian fixes. --- debian/apparmor.d.postinst | 4 +--- debian/apparmor.d.postrm | 4 +--- debian/control | 6 +++--- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 2f8c90ae0..361af7b91 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 2f8c90ae0..361af7b91 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/control b/debian/control index 56ad928ba..85c4d3786 100644 --- a/debian/control +++ b/debian/control @@ -18,6 +18,6 @@ Architecture: any Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. +Description: Full set of AppArmor profiles (~ 2000 profiles) + apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine + most Linux based applications and processes. From 2b07398cef01bf511fafd8c66d631598baae1e8d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 3 Sep 2025 03:28:16 +0200 Subject: [PATCH 152/155] flatpak-app ntsync --- apparmor.d/groups/flatpak/flatpak-app | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e8fe195fb..e6be7ef4f 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -98,6 +98,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, + /dev/ntsync r, + include if exists include if exists } From 2c0b5405db7242b8d0b6704fc9998927bee30c9c Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 19:06:48 -0400 Subject: [PATCH 153/155] firewall-applet: update profile --- apparmor.d/groups/firewall/firewall-applet | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 280bd9d04..bd144b7e2 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -21,6 +21,9 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + + owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } From 237622f3efd6c7c8b11482086f2ca31fa47cc915 Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 13:54:42 -0400 Subject: [PATCH 154/155] rpcbind: update profile rpcbind: update profile --- apparmor.d/groups/network/rpcbind | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 1d81292fd..0650470ac 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken +# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,9 +10,18 @@ include @{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include + + capability setgid, + capability setuid, @{exec_path} rm, + /etc/netconfig r, + + @{run}/rpcbind.lock rwkl, + @{run}/rpcbind/*.xdr rwkl, + include if exists } From 4c84b572cda4433a664b1488e980034886652629 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Tue, 2 Sep 2025 05:12:04 +0200 Subject: [PATCH 155/155] glxgears can't access X cookie --- apparmor.d/profiles-g-l/glxgears | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 1e27790df..cfd9f0dac 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -25,6 +25,7 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists }