diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress
index 4ddcca5ca..d60668c03 100644
--- a/apparmor.d/groups/apt/debconf-apt-progress
+++ b/apparmor.d/groups/apt/debconf-apt-progress
@@ -13,7 +13,6 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
 include
 @{exec_path} r,
- @{bin}/perl r,
 @{bin}/apt-get rPx,
@@ -21,7 +20,6 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
 /usr/share/debconf/frontend rPx,
 #/usr/share/debconf/frontend rCx -> frontend,
-
 profile frontend flags=(complain) {
 include
 include
@@ -29,7 +27,6 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
 include
 /usr/share/debconf/frontend r,
- @{bin}/perl r,
 @{bin}/debconf-apt-progress rPx,
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index 1a01a72f6..93f5ebca5 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -39,7 +39,6 @@ profile dpkg @{exec_path} {
 # Package maintainer's scripts
 /var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx,
 /var/lib/dpkg/info/*.control r,
- /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx,
 # For shell pwd
diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron
index 3e7c9d092..57c2ed4b8 100644
--- a/apparmor.d/groups/cron/anacron
+++ b/apparmor.d/groups/cron/anacron
@@ -26,7 +26,8 @@ profile anacron @{exec_path} {
 @{HOME}/ r,
- /tmp/file* rw,
+ @{tmp}/file@{rand6} rw,
+ /tmp/anacron-@{rand6} rw,
 profile run-parts {
 include
@@ -38,6 +39,7 @@ profile anacron @{exec_path} {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/file@{rand6} rw,
+ /tmp/anacron-@{rand6} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm
index a73262d75..4fb66d92c 100644
--- a/apparmor.d/groups/filesystem/lvm
+++ b/apparmor.d/groups/filesystem/lvm
@@ -49,6 +49,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
 /dev/**/ r,
 /dev/mapper/control rw,
+ /dev/root r,
 include if exists
 }
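Review bot: The two new `/tmp/anacron-@{rand6} rw,` lines in the anacron profile and its run-parts child are not `owner`-qualified and use a literal `/tmp`, while the line added right above the first one, `@{tmp}/file@{rand6} rw,`, and the run-parts context lines use the `@{tmp}` variable with `owner`. Since anacron creates these files itself, `owner @{tmp}/anacron-@{rand6} rw,` in both places keeps the rule to files the profile's own uid created and matches the surrounding style. The run-parts child profile begins and ends outside the second hunk.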
diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw
index 3b5a1dcc1..fcadd52b8 100644
--- a/apparmor.d/groups/firewall/ufw
+++ b/apparmor.d/groups/firewall/ufw
@@ -29,14 +29,14 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ @{python_path} rix,
 @{bin}/ r,
- @{bin}/cat ix,
- @{bin}/env r,
- @{python_path} ix,
- @{bin}/sysctl ix,
- @{bin}/xtables-legacy-multi ix,
- @{bin}/xtables-nft-multi ix,
- @{lib}/ufw/ufw-init ix,
+ @{bin}/cat rix,
+ @{bin}/env r,
+ @{bin}/sysctl rix,
+ @{bin}/xtables-legacy-multi rix,
+ @{bin}/xtables-nft-multi rix,
+ @{lib}/ufw/ufw-init rix,
 /etc/default/ufw rw,
 /etc/ufw/ rw,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 8e5933073..1b004021f 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -12,6 +12,7 @@ profile plymouthd @{exec_path} {
 include
 include
 include
+ include
 capability checkpoint_restore,
 capability dac_override,
diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber
index ea357751d..7d0836f7a 100644
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@@ -51,6 +51,10 @@ profile wireplumber @{exec_path} {
 owner @{run}/user/@{uid}/pipewire-@{int} rw,
+ /dev/shm/lttng-ust-wait-@{int} r,
+ owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,
+ owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw,
+
 @{run}/systemd/users/@{uid} r,
 @{run}/udev/data/c14:@{int} r,
 # Open Sound System (OSS)
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon
index ba699bdbd..a6200a2b2 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-icon
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon
@@ -39,6 +39,7 @@ profile xdg-desktop-icon @{exec_path} {
 include
 include
 include
+ include
 include if exists
 }
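Review bot: In the wireplumber hunk the third added rule `owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw,` already matches every path the second one `owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,` matches, since a uid is itself an integer, so the `@{uid}` variant is redundant and can be dropped. The first rule `/dev/shm/lttng-ust-wait-@{int} r,` is the only one without `owner`; /dev/shm is shared between users, so if only the daemon's own wait file is needed, `owner` belongs there too. Presumably these come from the lttng-ust tracing runtime linked into the process; a comment such as `# lttng-ust tracing wait files` would tell the next reader why an audio session manager touches them.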
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index b5fc76fc7..d1fc5e147 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -19,6 +19,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 17d26e3b1..4122e5ef0 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -35,6 +35,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
 #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell
+ dbus send bus=session path=/org/freedesktop/portal/desktop
+ interface=org.freedesktop.impl.portal.Background
+ member=RunningApplicationsChanged
+ peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
+
 @{exec_path} mr,
 / r,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index 05fb5a6fa..03b418684 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/Xwayland
+@{exec_path} = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider
index 88ec63ea7..e66450d09 100644
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@@ -31,8 +31,9 @@ profile epiphany-search-provider @{exec_path} {
 owner @{user_cache_dirs}/epiphany/{,**} rwk,
 owner @{user_share_dirs}/epiphany/{,**} rwk,
+ owner @{tmp}/ContentRuleList-@{rand6} rw,
 owner @{tmp}/ContentRuleList@{rand6} rw,
- owner @{tmp}/Serialized* rw,
+ owner @{tmp}/SerializedNFA-@{rand6} rw,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
 @{sys}/firmware/acpi/pm_profile r,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index d98b764df..d54ed16fc 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -31,25 +31,26 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 network unix stream,
- signal (receive) set=term peer=gdm,
- signal (send) set=(hup term) peer=gdm-session,
- signal (send) set=hup peer=at-spi*,
- signal (send) set=hup peer=dbus-accessibility,
- signal (send) set=hup peer=dbus-session,
- signal (send) set=hup peer=dconf-service,
- signal (send) set=hup peer=gjs-console,
- signal (send) set=hup peer=gnome-*,
- signal (send) set=hup peer=gsd-*,
- signal (send) set=hup peer=ibus-*,
- signal (send) set=hup peer=mutter-x11-frames,
- signal (send) set=hup peer=tracker-miner,
- signal (send) set=hup peer=xdg-*,
- signal (send) set=hup peer=xorg,
- signal (send) set=hup peer=xwayland,
+ signal receive set=term peer=gdm,
+ signal send set=(hup term) peer=gdm-session,
+ signal send set=hup peer=at-spi*,
+ signal send set=hup peer=dbus-accessibility,
+ signal send set=hup peer=dbus-session,
+ signal send set=hup peer=dconf-service,
+ signal send set=hup peer=gjs-console,
+ signal send set=hup peer=gnome-*,
+ signal send set=hup peer=gsd-*,
+ signal send set=hup peer=ibus-*,
+ signal send set=hup peer=mutter-x11-frames,
+ signal send set=hup peer=tracker-miner,
+ signal send set=hup peer=xdg-*,
+ signal send set=hup peer=xorg,
+ signal send set=hup peer=xwayland,
 unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
 #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+ #aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 20d5e48d5..7f2f74083 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -82,6 +82,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
 /dev/ r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 74b0cb041..195a72d39 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -32,8 +32,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 network netlink raw,
- signal (send) set=(kill) peer=unconfined,
- signal (send) set=(kill) peer=passwd,
+ signal send set=kill peer=unconfined,
+ signal send set=kill peer=passwd,
 unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
@@ -113,6 +113,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
+ owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/@{hex32}.png.@{rand6} rw,
 owner @{user_config_dirs}/background rw,
 owner @{user_config_dirs}/gnome-control-center/{,**} rw,
@@ -195,6 +196,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 profile pkexec {
 include
 include
+ include
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index 3debf61ed..c3631ddb7 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -17,8 +17,11 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 include
 include
+ network inet dgram,
 network inet stream,
+ network inet6 dgram,
 network inet6 stream,
+ network netlink raw,
 #aa:dbus own bus=system name=org.gnome.RemoteDesktop
 #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch
index e6d2bba7c..448e517a5 100644
--- a/apparmor.d/groups/gnome/localsearch
+++ b/apparmor.d/groups/gnome/localsearch
@@ -47,6 +47,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
 owner /var/tmp/etilqs_@{hex15} rw,
 owner /var/tmp/etilqs_@{hex16} rw,
+ owner @{tmp}/etilqs_@{hex12}@{hex2} rw,
 owner @{tmp}/etilqs_@{hex15} rw,
 owner @{tmp}/etilqs_@{hex16} rw,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 40d938a63..83bf18b9b 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -30,11 +30,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer
- dbus send bus=session path=/org/gtk/vfs/metadata
- interface=org.gtk.vfs.Metadata
- member={GetTreeFromDevice,Remove}
- peer=(name=:*, label=gvfsd-metadata),
-
 @{exec_path} mr,
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index 2e2d9232b..8b6195b46 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
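Review bot: In the localsearch hunk, `owner @{tmp}/etilqs_@{hex12}@{hex2} rw,` spells a 14-character hex name as two concatenated variables while the neighbouring rules use single `@{hex15}`/`@{hex16}` variables, and the `/var/tmp/` pair above it gets no 14-character counterpart; a reader cannot tell whether the split is deliberate or whether `/var/tmp/` was overlooked. A one-line comment on the new rule, e.g. `# sqlite temp file (etilqs_ prefix); no single 14-char hex variable exists — confirm`, would settle both questions for the next maintainer.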
@@ -33,26 +33,7 @@ profile grub-probe @{exec_path} {
 @{PROC}/@{pids}/mountinfo r,
 @{PROC}/devices r,
- /dev/*vg*/ r,
- /dev/bsg/ r,
- /dev/bus/ r,
- /dev/bus/usb/ r,
- /dev/bus/usb/@{int}/ r,
- /dev/char/ r,
- /dev/cpu/ r,
- /dev/cpu/@{int}/ r,
- /dev/dma_heap/ r,
- /dev/dri/ r,
- /dev/dri/by-path/ r,
- /dev/hugepages/ r,
- /dev/input/ r,
- /dev/input/by-id/ r,
- /dev/input/by-path/ r,
- /dev/mapper/control rw,
- /dev/mqueue/ r,
- /dev/shm/ r,
- /dev/snd/ r,
- /dev/snd/by-path/ r,
+ /dev/**/ r,
 include if exists
 }
diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock
index 996d9f170..fab1c2a2e 100644
--- a/apparmor.d/groups/hyprland/hyprlock
+++ b/apparmor.d/groups/hyprland/hyprlock
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/hyprlock
-profile hyprlock @{exec_path} {
+profile hyprlock @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate
index 283a79248..34a9ff8fe 100644
--- a/apparmor.d/groups/network/netplan-generate
+++ b/apparmor.d/groups/network/netplan-generate
@@ -21,6 +21,11 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
 /etc/netplan/{,*} r,
+ @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw,
+ @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw,
+ @{run}/NetworkManager/system-connections/ r,
+ @{run}/NetworkManager/system-connections/* rw,
+
 @{run}/systemd/generator/multi-user.target.wants/ w,
 @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w,
 @{run}/systemd/generator/netplan.stamp w,
diff --git a/apparmor.d/groups/polkit/pkexec b/apparmor.d/groups/polkit/pkexec
index c7bfbcefa..f4fc76639 100644
--- a/apparmor.d/groups/polkit/pkexec
+++ b/apparmor.d/groups/polkit/pkexec
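Review bot: The grub-probe hunk drops `/dev/mapper/control rw,` along with the directory list, but the replacement `/dev/**/ r,` only matches directories (trailing slash) with read access, so access to the device-mapper control node is silently removed rather than generalized. If grub-probe still needs it (presumably for resolving device-mapper/LVM-backed filesystems), keep `/dev/mapper/control rw,` next to the new wildcard; if the drop is deliberate, a one-line comment saying so would stop it being re-added from the next denial log. The profile body continues outside the hunk, so the rule may already exist elsewhere in the file — worth checking before merging.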
@@ -27,7 +27,6 @@ profile pkexec @{exec_path} {
 /etc/default/locale r,
- @{PROC}/@{pid}/fdinfo/@{int} r,
 @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd
index 47610d176..38f05275b 100644
--- a/apparmor.d/groups/polkit/polkitd
+++ b/apparmor.d/groups/polkit/polkitd
@@ -51,6 +51,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 @{att}/@{run}/systemd/notify w,
 @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+ @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
 @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
 @{run}/systemd/sessions/* r,
diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/groups/procps/sysctl
index 849aeb687..a25414390 100644
--- a/apparmor.d/groups/procps/sysctl
+++ b/apparmor.d/groups/procps/sysctl
@@ -24,6 +24,8 @@ profile sysctl @{exec_path} {
 /etc/sysctl.d/{,**} r,
 /usr/lib/sysctl.d/{,**} r,
+ /etc/ufw/sysctl.conf r, # Add support for ufw
+
 @{PROC}/sys/ r,
 @{PROC}/sys/** rw,
@@ -31,8 +33,6 @@ profile sysctl @{exec_path} {
 deny network inet6 stream,
 deny network inet stream,
- /etc/ufw/sysctl.conf r, # Add support for ufw
-
 include if exists
 }
diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/groups/shadow/chpasswd
index 4b752a440..0dc65b1fb 100644
--- a/apparmor.d/groups/shadow/chpasswd
+++ b/apparmor.d/groups/shadow/chpasswd
@@ -37,8 +37,10 @@ profile chpasswd @{exec_path} {
 /etc/shadow.lock w,
 /etc/shadow+ rw,
- /etc/pam.d/chpasswd r,
- /etc/pam.d/common-* r,
+ /etc/pam.d/* r,
+ /etc/security/pwquality.conf r,
+
+ @{PROC}/@{pid}/loginuid r,
 include if exists
 }
diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap
index dffe5e2e1..8549d8315 100644
--- a/apparmor.d/groups/snap/snap
+++ b/apparmor.d/groups/snap/snap
@@ -14,7 +14,6 @@ profile snap @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
 include
 include
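Review bot: In the chpasswd hunk, `@{PROC}/@{pid}/loginuid r,` is not `owner`-qualified, so it permits reading the login uid of any process rather than only chpasswd's own, which is presumably what the audit code reads; the pkexec hunk in this same diff uses `owner @{PROC}/@{pid}/fd/ r,` for the per-process case. `owner @{PROC}/@{pid}/loginuid r,` keeps the new access to the calling process. Widening `/etc/pam.d/chpasswd r,` and `/etc/pam.d/common-* r,` to `/etc/pam.d/* r,` is a read-only broadening over configuration, which is acceptable, but a comment such as `# PAM stack plus whatever it includes` would record why the narrower pair was not enough.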
diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns
index 3da082eef..a7273d817 100644
--- a/apparmor.d/groups/snap/snap-update-ns
+++ b/apparmor.d/groups/snap/snap-update-ns
@@ -43,6 +43,8 @@ profile snap-update-ns @{exec_path} {
 owner /snap/{,**} rw,
 owner /var/ rw,
+ owner /var/lib/ rw,
+ owner /var/lib/snapd/ rw,
 owner /var/snap/ rw,
 owner /var/snap/**/ rw,
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index c32d33ded..f1cd46537 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@@ -160,9 +160,9 @@ profile snapd @{exec_path} {
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/system.slice/{,**/} r,
 @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
- @{sys}/fs/cgroup/user.slice/ r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
+ @{sys}/fs/cgroup/*.slice/ r,
+ @{sys}/fs/cgroup/*.slice/*.service/{,**/} r,
+ @{sys}/fs/cgroup/*.slice/*-@{uid}.slice/*@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
 @{sys}/kernel/kexec_loaded r,
 @{sys}/kernel/security/apparmor/.notify r,
 @{sys}/kernel/security/apparmor/features/{,**} r,
diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen
index 14cbd3c87..397ffdcd6 100644
--- a/apparmor.d/groups/ssh/ssh-keygen
+++ b/apparmor.d/groups/ssh/ssh-keygen
@@ -8,7 +8,6 @@ abi ,
 include
 @{exec_path} = @{bin}/ssh-keygen
-
 profile ssh-keygen @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl
index 2cac865a4..db8e7b21b 100644
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@@ -16,6 +16,7 @@ profile localectl @{exec_path} {
 @{exec_path} mr,
 @{pager_path} rPx -> child-pager,
+ @{bin}/pkttyagent rPx,
 /usr/share/kbd/keymaps/{,**} r,
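Review bot: In the snap-update-ns hunk, `owner /var/lib/ rw,` grants write on the /var/lib directory entry itself, i.e. creating, renaming or unlinking any name directly under /var/lib, not only snapd's; it follows the existing `owner /var/ rw,` pattern above it, so it is not a new kind of grant, but it is broader than the sibling `owner /var/lib/snapd/ rw,`. If the denial that motivated it was only about creating or bind-mounting the snapd mount point, the narrower line alone may be enough — worth checking against the log before keeping both. A short comment naming the mount operation being served would make that intent reviewable later.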
diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl
index 2892c88c3..ca43277aa 100644
--- a/apparmor.d/groups/systemd/loginctl
+++ b/apparmor.d/groups/systemd/loginctl
@@ -23,6 +23,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{pager_path} rPx -> child-pager,
+ @{bin}/ssh rPx,
 @{PROC}/sys/fs/nr_open r,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed
index 205012cd2..a24858125 100644
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@@ -41,7 +41,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{lib}/systemd/systemd-homework rPx,
+ @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework,
 @{bin}/mkfs.btrfs rPx,
 @{bin}/mkfs.fat rPx,
 @{bin}/mke2fs rPx,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index f38de6b67..a879d02ec 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -141,6 +141,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
 /dev/mqueue/ r,
 /dev/tty@{int} rw,
+ owner @{att}/dev/tty@{int} rw,
 owner /dev/shm/{,**/} rw,
 include if exists
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index 5f60b5676..f3f27b523 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@@ -25,6 +25,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ @{att}/ r,
 / r,
 /etc/ r,
 /etc/machine-id rw,
diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd
index c57327bcb..20e940b1d 100644
--- a/apparmor.d/groups/systemd/systemd-userdbd
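Review bot: `@{bin}/ssh rPx,` in the loginctl hunk lets a local session-management tool spawn ssh with no comment saying which invocation needs it; presumably it is the `-H [user@]host` remote-host option, which systemd's ctl tools implement by running ssh. A trailing comment, e.g. `@{bin}/ssh rPx, # loginctl -H host`, would let a reviewer distinguish a logged need from a speculative grant, and matches how the neighbouring `@{pager_path} rPx -> child-pager,` line makes its purpose obvious from the target name.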
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@@ -32,6 +32,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
 @{att}/@{run}/systemd/notify w,
 @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+ @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
 @{run}/systemd/userdb/{,**} rw,
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index 5b67b14d7..8eafd25a0 100644
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -38,8 +38,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 @{att}/@{run}/systemd/sessions/*.ref rw,
- @{run}/cockpit/active.motd r,
- @{run}/cockpit/inactive.motd r,
+ @{run}/cockpit/* r,
 @{run}/faillock/@{user} rwk,
 @{run}/motd.d/{,*} r,
 @{run}/utmp rwk,
diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws
index 2a685f04e..7b0779119 100644
--- a/apparmor.d/groups/virt/cockpit-ws
+++ b/apparmor.d/groups/virt/cockpit-ws
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/cockpit/cockpit-ws
 profile cockpit-ws @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy
index 2861514aa..9a8cbe379 100644
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@@ -15,8 +15,9 @@ profile docker-proxy @{exec_path} {
 network inet stream,
 network inet6 stream,
+ network netlink raw,
- signal (receive) set=int peer=dockerd,
+ signal receive set=int peer=dockerd,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 5b4e8dca2..2f8ac9820 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
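Review bot: In the cockpit-session hunk, replacing `@{run}/cockpit/active.motd r,` and `@{run}/cockpit/inactive.motd r,` with `@{run}/cockpit/* r,` widens read access from two named files to every regular file directly under `@{run}/cockpit/`; the hunk does not show what else that directory holds, so whether that includes anything sensitive cannot be judged here. If the only new need is additional `*.motd` files, `@{run}/cockpit/*.motd r,` preserves the original intent without the bare wildcard; if other files really are read, a comment naming them would justify the wider glob.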
@@ -66,6 +66,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 @{bin}/apparmor_parser rPx,
 @{bin}/containerd rPx,
 @{bin}/docker-init rCx -> init,
+ @{lib}/docker/docker-init rCx -> init,
 @{bin}/docker-proxy rPx,
 @{bin}/git rCx -> git,
 @{bin}/kmod rPx,
@@ -129,6 +130,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 include
 @{bin}/docker-init mr,
+ @{lib}/docker/docker-init mr,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 36ca9555f..f2231479d 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
 /usr/share/app-info/{,**} r,
 /usr/share/appdata/ r,
+ /usr/share/byobu/desktop/{,**} r,
 /usr/share/gvfs/remote-volume-monitors/{,**} r,
 /usr/share/metainfo/ r,
 /usr/share/metainfo/*.{metainfo,appdata}.xml r,
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd
index 92afa1d08..bb2c64cee 100644
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@@ -27,6 +27,8 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
 /var/log/audit/{,**} rw,
+ @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
 owner @{run}/auditd.pid rwl,
 owner @{run}/auditd.state rw,
diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4
index 98364f0f1..9aaccaa16 100644
--- a/apparmor.d/profiles-a-f/exim4
+++ b/apparmor.d/profiles-a-f/exim4
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/exim4
-profile exim4 @{exec_path} {
+profile exim4 @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube
index 295cbe760..e29b6d80b 100644
--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@@ -22,6 +22,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index f599bbc1f..6dffac5a6 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -39,6 +39,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) {
 owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
 owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
+ owner /var/lib/fwupd/.cache/ w,
+
 @{user_cache_dirs}/dconf/user rw,
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/fwupd/ rw,
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo
index 52252882d..78d0a9a9c 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/landscape-sysinfo
 profile landscape-sysinfo @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
index 44c7a8ac7..aeac3e6a1 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/landscape/landscape-sysinfo.wrapper
 profile landscape-sysinfo.wrapper @{exec_path} {
 include
+ include
 capability dac_override,
 capability fowner,
diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd
index 50848028e..fe684f671 100644
--- a/apparmor.d/profiles-m-r/motd
+++ b/apparmor.d/profiles-m-r/motd
@@ -10,9 +10,12 @@ include
 profile motd @{exec_path} {
 include
 include
+ include
 network inet dgram,
+ network inet stream,
 network inet6 dgram,
+ network inet6 stream,
 network netlink raw,
 @{exec_path} mr,
@@ -20,8 +23,11 @@ profile motd @{exec_path} {
 @{sh_path} rix,
 @{coreutils_path} rix,
 @{bin}/cloud-id rix,
+ @{bin}/systemctl rCx -> systemctl,
 @{bin}/hostname rPx,
 @{bin}/snap rPx,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/systemd-detect-virt rPx,
 @{bin}/wget rix,
 @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
@@ -34,20 +40,35 @@ profile motd @{exec_path} {
 /etc/default/motd-news r,
 /etc/lsb-release r,
 /etc/update-motd.d/* r,
+ /etc/cloud/cloud.cfg r,
+ /etc/cloud/cloud.cfg.d/{,*} r,
 /var/cache/motd-news rw,
 /var/lib/update-notifier/updates-available r,
 /var/lib/ubuntu-advantage/messages/motd-esm-announce r,
- /tmp/tmp.@{rand10} w,
+ /tmp/tmp.@{rand10} rw,
 @{run}/motd.d/{,*} r,
 @{run}/motd.dynamic.new rw,
+ @{run}/reboot-required r,
 @{PROC}/@{pids}/mounts r,
 /dev/tty@{int} rw,
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ @{run}/systemd/private rw,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index b6bbf5f73..bc30789dc 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -22,6 +22,8 @@ profile qemu-ga @{exec_path} {
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
+ @{PROC}/sys/vm/max_map_count r,
+
 /dev/vport@{int}p@{int} rw,
 profile systemctl {
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index eaeda6f76..c2bc95465 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@@ -35,7 +35,7 @@ profile remmina @{exec_path} {
 network inet6 dgram,
 network netlink raw,
- #aa:dbus own bus=session name=org.remmina.Remmina
+ #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions
 #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
 #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
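Review bot: The new `systemctl` child profile in the second motd hunk grants `capability net_admin` and `capability sys_ptrace` with no comment on which systemctl call from the motd scripts needs them; `sys_ptrace` is broader than a status query usually requires and here comes without any `ptrace` rule, so if it was copied from another systemctl child rather than taken from a denial it should be dropped, or at least annotated, e.g. `capability sys_ptrace, # TODO confirm which systemctl invocation needs this`. The same hunk keeps `/tmp/tmp.@{rand10} rw,` with a literal `/tmp` and no `owner`, while the other temp-file rules in this diff use `owner @{tmp}/...`; `owner @{tmp}/tmp.@{rand10} rw,` would be consistent and would not match another user's file of the same shape. The `/etc/cloud/cloud.cfg.d/{,*} r,` and `@{run}/reboot-required r,` additions are plain read grants and look fine.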
diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp
index 04e3b7ffc..6ccb111cd 100644
--- a/apparmor.d/profiles-s-z/tlp
+++ b/apparmor.d/profiles-s-z/tlp
@@ -11,22 +11,19 @@ include
 profile tlp @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
- include
 include
+ include
+ include
+ include
 include
- include
 capability dac_read_search,
- capability net_admin,
 capability sys_nice,
 capability sys_rawio,
 capability sys_tty_config,
 network netlink raw,
- ptrace read peer=unconfined,
-
 @{exec_path} mr,
 @{sh_path} rix,
@@ -72,10 +69,16 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+platform:* r,
 @{sys}/bus/pci/devices/ r,
+ @{sys}/class/net/ r,
+ @{sys}/class/power_supply/ r,
 @{sys}/devices/@{pci}/ r,
 @{sys}/devices/@{pci}/{,**/}power/control w,
+ @{sys}/devices/@{pci}/**/host@{int}/**/link_power_management_policy w,
 @{sys}/devices/@{pci}/class r,
+ @{sys}/devices/**/net/**/uevent r,
 @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
+ @{sys}/devices/virtual/dmi/id/product_version r,
+ @{sys}/devices/virtual/net/**/uevent r,
 @{sys}/firmware/acpi/platform_profile* rw,
 @{sys}/firmware/acpi/pm_profile* rw,
 @{sys}/module/*/parameters/power_save rw,
@@ -100,6 +103,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 include
 include
+ @{run}/tlp/lock_tlp rw,
+
 include if exists
 }
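Review bot: `@{run}/tlp/lock_tlp rw,` in the last tlp hunk names a lock file but carries no `k` permission; if tlp takes an flock/fcntl lock on it, as the name suggests, the lock operation is still denied and the rule should read `owner @{run}/tlp/lock_tlp rwk,`. The `owner` qualifier fits too, since the file is created by tlp itself. Separately, the first hunk's removal of `capability net_admin` and `ptrace read peer=unconfined` is a tightening worth a line in the commit message so that nobody re-adds them without a denial to justify it.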