diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7895db4e9..f1443a936 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -69,11 +69,12 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, + /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, + /etc/lsb-release r, /etc/mailcap r, /etc/mime.types r, - /etc/{,opensc/}opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, @@ -96,7 +97,7 @@ owner @{tmp}/firefox/* rwk, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, - owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmp-*.xpi rw, owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon-@{int} r, diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index ca4a8e16c..ceacbae9c 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -5,7 +5,7 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. - /usr/share/alsa/** r, + /usr/share/alsa/{,**} r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, /usr/share/pipewire/client.conf r, diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 619ba1111..ef69d2d54 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -7,10 +7,6 @@ include - /usr/share/alsa/{,**} r, - - /etc/alsa/conf.d/{,**} r, - @{run}/udev/data/+sound:card@{int} r, # for sound card @{sys}/class/ r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index f2526292b..995f94f8f 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest 
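Review bot: The widened `owner @{tmp}/tmp-*.xpi rw` now matches any add-on staging file name, where `???` pinned it to a three-character suffix. Because `*` does not cross `/` and the rule is `owner`-scoped, the practical exposure stays limited to the user's own temp files, but if the suffix Firefox generates is a fixed-length random token, one of the `@{randN}` tunables would keep the rule as tight as before (e.g. `owner @{tmp}/tmp-@{rand6}.xpi rw,` — confirm the actual length before picking one). The abstraction continues outside the hunk.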
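Review bot: With the audio-server hunk in this same commit dropping its own `/usr/share/alsa/{,**} r` and `/etc/alsa/conf.d/{,**} r`, this abstraction appears to be where those reads are now expected to come from, yet only the `/usr/share/alsa` rule is visible here. Unless `/etc/alsa/conf.d/{,**} r` already exists elsewhere in audio-client or in another abstraction audio-server includes (its include lines survive only as bare `include` in this extraction), audio servers lose read access to the ALSA configuration drop-ins. Please confirm, and add `/etc/alsa/conf.d/{,**} r,` here if it is not covered. The abstraction continues outside the hunk.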
@@ -9,6 +9,7 @@ include @{name} = firefox{,.sh,-esr,-bin} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/glxtest profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @@ -19,6 +20,9 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, + owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, + owner @{config_dirs}/firefox/*/.parentlock rw, owner @{tmp}/@{name}/.parentlock rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 89135381c..588d4d393 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -71,6 +71,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{HOME}/ r, + owner @{HOME}/* r, owner @{HOME}/*/{,**} rw, owner @{MOUNTS}/ r, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fbb3942f7..5ebd08e5a 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -14,8 +14,11 @@ profile gnome-clocks @{exec_path} { include include include + include include + network netlink raw, + #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index b1a0bd8ac..2ebff5ddf 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
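Review bot: The new `owner @{config_dirs}/firefox/*/.parentlock rw` gives a GL probe helper write access to the profile lock file without saying why; if, as the neighbouring `owner @{tmp}/@{name}/.parentlock rw` suggests, this is a descriptor inherited from the parent firefox process rather than something glxtest opens itself, it belongs under a `# File Inherit` comment as other profiles in this repository use. The two `startupCache` rules are read-only and `owner`-scoped, which looks right for a helper that only needs to load the cache. `@{cache_dirs}` is introduced here for the first time in this profile; keep its definition in step with the main firefox profile's to avoid drift. The profile body continues outside the hunk.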
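Review bot: `owner @{HOME}/* r` also matches dotfiles directly under the home directory (`.bash_history`, `.netrc`, `.Xauthority`, …), since AppArmor globs do not treat a leading dot specially. The next line, `owner @{HOME}/*/{,**} rw`, already reaches nearly the whole home tree, so the incremental exposure is small, but the reason top-level files are needed should be recorded, e.g. `# open/preview files saved directly in $HOME` if that is the trigger. If only non-hidden files are required, `owner @{HOME}/[^.]* r,` is the tighter form. The profile continues outside the hunk.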
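Review bot: `network netlink raw` lets the process open raw netlink sockets (routing/link-state queries and notifications), which a clocks application does not obviously need, and the hunk carries no comment naming the library that triggers it. The same line is added to gnome-tweaks and YACReaderLibrary in this commit; if it comes from a shared dependency (GLib's network monitor would be a plausible candidate — verify), it is better placed in the abstraction those profiles already include than repeated per profile. At minimum annotate it: `network netlink raw, # <library>: interface enumeration`. The include names are not visible in this extraction, so I cannot tell whether the newly added include already covers it. The profile continues outside the hunk.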
@@ -83,6 +83,11 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/flatpak/.changed w, + owner @{user_share_dirs}/flatpak/{app,runtime}/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 126140401..8e79bd015 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -38,6 +38,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 84f37da76..01518446b 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -16,6 +16,8 @@ profile gnome-tweaks @{exec_path} { include include + network netlink raw, + @{exec_path} mr, @{bin}/ r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index d25b4cdcc..d125cd13d 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -34,6 +34,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/geocode-glib/* r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, owner /dev/tty@{int} rw, 
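Review bot: `owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw` accommodates gdk-pixbuf's XPM loader spooling through a temp file, which is not specific to system-monitor — any GTK program that decodes an XPM icon (here presumably the firefox-esr icon read two lines above) will hit the same denial. If an abstraction already covers gdk-pixbuf/GTK loaders (names are not visible here), the rule belongs there; otherwise a comment such as `# gdk-pixbuf XPM loader temp file` would explain the unusual filename. The profile continues outside the hunk.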
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index ee2de80ce..6b2544a84 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -47,6 +47,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/media@{int} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index b037db499..a49f28b47 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -65,7 +65,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, + owner /var/tmp/etilqs_@{hex15} rw, owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{hex16} rw, # Allow to search user files diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index d8ea92d1f..a5a4c8ce2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -21,7 +21,7 @@ profile gvfsd-mtp @{exec_path} { @{exec_path} mr, - owner @{HOME}/{,**} rw, + owner @{HOME}/{,**} rw, # FIXME: ? owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ab2ea4677..9509d3184 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -36,7 +36,7 @@ profile gvfsd-recent @{exec_path} { @{exec_path} mr, # Full access to user's data - owner @{HOME}/{,**} rw, + owner @{HOME}/{,**} rw, # FIXME: ? owner @{MOUNTS}/{,**} rw, owner @{HOME}/.zshenv r, 
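Review bot: Adding `etilqs_@{hex15}` beside `etilqs_@{hex16}` only covers one more length; if these names come from SQLite's `unixGetTempname`, which formats a 64-bit random value with `%llx`, leading zeros are dropped, so names of 14 and fewer hex digits still occur (roughly 1 in 256 and rarer) and will be denied. A single pattern such as `owner @{tmp}/etilqs_@{hex} rw,` (or `etilqs_[0-9a-f]*` if no variable-length hex tunable exists) would be both shorter and complete. Note also that this commit adds `@{rand15}` to the tunables but not `@{hex15}`; unless `@{hex15}` is already defined, these two rules will not parse. The profile continues outside the hunk.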
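Review bot: `# FIXME: ?` records doubt but not what a later reader should check; the note should state the concern and the narrower alternative being considered, for instance `# FIXME: recent:// items can live anywhere under $HOME, so full rw is kept; verify whether r plus targeted w (rename/delete of recent items) suffices`. The same bare comment is added to gvfsd-mtp in this commit and would benefit from the same treatment. The profile continues outside the hunk.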
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 1f3d9ad8b..ab08d1f18 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -118,6 +118,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/** rwlk -> /var/**, # Read packages files + @{user_pkg_dirs}/ r, @{user_pkg_dirs}/**/ r, @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, @@ -193,6 +194,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, + signal send set=cont peer=child-pager, + @{bin}/pager rPx -> child-pager, @{bin}/less rPx -> child-pager, @{bin}/more rPx -> child-pager, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 376749d9e..3fbbfc51f 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -131,6 +131,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/edk2*/{,**} rk, /usr/share/hwdata/* r, + /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 50b8e4889..a39c04504 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -62,6 +62,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index c2eb97c30..ae72f8dbc 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors 
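Review bot: `signal send set=cont peer=child-pager` has no comment explaining when pacman resumes a stopped pager; a brief why-comment (job control after ^Z/fg, if that is the trigger) would keep a later reviewer from widening the signal set or dropping the rule. `@{user_pkg_dirs}/ r` (listing the top-level package directory) is consistent with the existing `**/` rule below it. The profile continues outside the hunk.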
@@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 78fa87937..86077c89b 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -75,8 +75,7 @@ profile engrampa @{exec_path} { owner @{user_share_dirs}/ r, - /tmp/ r, - owner @{tmp}/** rw, + /tmp/ r, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index d32790f0b..e450c78cd 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -44,9 +44,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /usr/local/lib/python3.@{int}/dist-packages/ r, - /usr/share/libalternatives/ r, - /usr/share/libalternatives/ebtables*/{,*} r, - /usr/share/libalternatives/ip{,4,6}tables*/{,*} r, + /usr/share/iproute2/{,**} r, + /usr/share/libalternatives/{,**} r, /etc/firewalld/{,**} rw, /etc/iproute2/group r, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 83be5477c..87e9b443d 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -89,6 +89,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/flatpak/app/** rw, owner @{run}/flatpak/doc/** rw, owner @{run}/ld-so-cache-dir/* rw, + owner @{run}/user/ r, owner @{run}/user/@{uid}/*.kioworker.socket r, owner @{run}/user/@{uid}/#@{int} rwl, diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index d06991025..7e8faecfa 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop 
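Review bot: `@{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r` is repeated identically in htop, monitorix and sensors-detect in this commit, and those profiles already share the surrounding `hwmon` rules line for line. A shared abstraction (check whether a sensors-style abstraction already exists) would keep the four in sync the next time the sysfs layout shifts. The widening itself is read-only on `name` attributes and looks harmless. The profile continues outside the hunk.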
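Review bot: Removing `owner @{tmp}/** rw` tightens the profile correctly, but an archive manager extracts into a temporary directory when a file inside an archive is opened or dragged out, so a scoped replacement is needed. If engrampa, like the file-roller it derives from, uses `.fr-XXXXXX` directories, confirm that a rule such as `owner @{tmp}/.fr-@{rand6}/{,**} rw,` exists elsewhere in the profile (not visible in this hunk) before merging, otherwise open-from-archive will start failing. The profile continues outside the hunk.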
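Review bot: `owner @{run}/user/ r` will never match for an unprivileged session: `/run/user/` itself is created by logind and owned by root, so the `owner` conditional fails for the user the flatpak app runs as (only the per-uid subdirectory `/run/user/@{uid}/` is user-owned). If the denial being fixed was a listing of `/run/user/`, the rule needs to be `@{run}/user/ r,` without `owner`; if it was actually `/run/user/@{uid}/`, the existing rules below are the right place. The profile continues outside the hunk.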
@@ -89,7 +89,7 @@ profile htop @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index cb220a7b6..38cbecd71 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -95,7 +95,7 @@ profile monitorix @{exec_path} { @{PROC}/@{pids}/io r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index db29113ce..46e10927b 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -9,9 +9,11 @@ include @{exec_path} = /opt/Mullvad*/resources/mullvad-setup profile mullvad-setup @{exec_path} { include + include @{exec_path} mr, + @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, # File Inherit diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 911519459..e72a6a5c6 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -55,7 +55,6 @@ profile qnapi @{exec_path} { /tmp/ r, owner @{tmp}/@{hex}.* rw, - owner @{tmp}/** rw, owner @{tmp}/#@{int} rw, owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int}, owner @{tmp}/QNapi-*-rc.lock rwk, diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 418167345..5d773292d 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary 
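Review bot: `@{PROC}/@{pid}/mountinfo r` is missing the `owner` qualifier that the neighbouring `owner @{PROC}/@{pid}/cgroup r` has; as written it permits reading the mount table of any process, not just mullvad-setup's own. Unless there is a reason to inspect other processes, make it `owner @{PROC}/@{pid}/mountinfo r,`. The new include's name is not visible in this extraction. The profile continues outside the hunk.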
@@ -14,11 +14,16 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted include include include + include include + include + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -31,6 +36,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, + owner @{user_books_dirs}/**/None rw, owner @{user_cache_dirs}/YACReader/ rw, owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw, @@ -43,7 +49,10 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{tmp}/@{uuid} w, + @{run}/mount/utab r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index aadad6860..755efba9b 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -27,8 +27,6 @@ profile sanoid @{exec_path} flags=(complain) { @{run}/sanoid/sanoid_cacheupdate.lock rwk, @{run}/sanoid/sanoid_pruning.lock rwk, - owner @{tmp}/** rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 5eececb0b..18e4c135f 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 49a668996..95eec5abc 100644 
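Review bot: `owner @{user_books_dirs}/**/None rw` looks like it is papering over an application bug — a path component literally named `None` is what a missing value stringifies to — and the profile should say so rather than leave a future reader wondering what that file is, e.g. `owner @{user_books_dirs}/**/None rw, # app bug: path built from an unset value` once confirmed. The added `network inet dgram`/`inet6 dgram` and `network netlink raw` extend a comic-library manager's network surface (UDP and raw netlink) without a comment; if they come from Qt's DNS/bearer code, note it, and check whether the abstraction added in the same hunk already supplies them (include names are not visible here). The profile continues outside the hunk.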
--- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -29,6 +29,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { network unix stream, signal receive peer=steam, + unix, @{exec_path} mr, @{bin}/bwrap mrix, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index 077e6cf8b..d6680ac61 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -23,7 +23,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - network unix stream, + + unix, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index c90665cdf..ba3e774e6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - owner @{tmp}/** rw, - @{PROC}/@{pids}/maps r, include if exists diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index ab36047f2..f929adcae 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -46,8 +46,6 @@ profile system-config-printer @{exec_path} flags=(complain) { @{run}/cups/cups.sock rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{tmp}/* rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index d5116b043..e6cd61581 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -9,7 +9,8 @@ include @{exec_path} = @{bin}/waybar profile waybar @{exec_path} flags=(attach_disconnected) { include - include + include + include include include include 
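Review bot: A bare `unix,` grants every Unix-socket operation (create, bind, listen, connect, send/receive, get/setattr, get/setopt) to any peer regardless of label, which appears to subsume the retained `network unix stream,` above it and is far broader than the `signal receive peer=steam` style of the surrounding rules. If the requirement is talking to the steam client over abstract or named sockets, prefer a scoped form such as `unix (connect, send, receive) type=stream peer=(label=steam),` and keep `network unix stream` only if socket creation still needs it. The same change appears in steam-gameoverlayui. The profile continues outside the hunk.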
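Review bot: Replacing `network unix stream,` with a bare `unix,` widens this profile from creating stream sockets to unrestricted Unix-socket operations with any peer, including datagram and seqpacket sockets. If a specific peer or socket type was in the denial log, encode it: `unix (connect, send, receive) type=stream peer=(label=steam),` or similar. The profile continues outside the hunk.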
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 1b4206dad..aaebe5ed1 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -48,6 +48,7 @@
 @{rand8}=@{rand4}@{rand4}
 @{rand9}=@{rand8}@{c}
 @{rand10}=@{rand8}@{rand2}
+@{rand15}=@{rand8}@{rand4}@{rand2}@{c}
 @{rand16}=@{rand8}@{rand8}
 @{rand32}=@{rand16}@{rand16}
 @{rand64}=@{rand64}@{rand64}
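Review bot: `@{rand15}=@{rand8}@{rand4}@{rand2}@{c}` composes to exactly 15 characters and follows the existing pattern of building longer lengths from shorter ones. Two things to check in the same block: the profile in this commit that needs a 15-character name (tracker-miner's `etilqs_@{hex15}`) uses `@{hex15}`, which this hunk does not add, so confirm a matching hex tunable exists; and the context line `@{rand64}=@{rand64}@{rand64}` defines the variable in terms of itself, presumably meant to be `@{rand64}=@{rand32}@{rand32}` — worth fixing while here unless it is an artefact of how this page was extracted.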