diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 028705bb7..381a77ae9 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -76,6 +76,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 mount options=(rw move) -> /tmp/,
 mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**},
 mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**},
+ mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**},
 mount options=(rw rshared) -> /,
 mount options=(rw rslave) -> /,
 mount options=(rw rslave) -> /dev/,
@@ -86,6 +87,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 remount @{MOUNTDIRS}/,
 remount @{MOUNTS}/{,**},
 remount @{run}/systemd/mount-rootfs/{,**},
+ remount @{run}/systemd/unit-root/{,**},
 remount /,
 remount /snap/{,**},
 remount options=(ro noexec noatime bind) /var/snap/{,**},
@@ -246,7 +248,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 /dev/autofs r,
 /dev/kmsg w,
- /dev/shm/ r,
 owner /dev/console rwk,
 owner /dev/dri/card@{int} rw,
 owner /dev/hugepages/ rw,
@@ -254,6 +255,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 owner /dev/input/event@{int} rw,
 owner /dev/mqueue/ rw,
 owner /dev/rfkill rw,
+ owner /dev/shm/ rw,
 owner /dev/ttyS@{int} rwk,
 include if exists
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
index d7620c3cc..f475039e1 100644
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@@ -27,6 +27,9 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
 @{coreutils_path} rix,
 @{sh_path} rmix,
+ # ifup@.service
+ @{bin}/ifup rPx,
+
 # shadow.service
 @{bin}/pwck rPx,
 @{bin}/grpck rPx,
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 6fe492f46..f53080c6c 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -52,11 +52,14 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 @{sys}/kernel/security/apparmor/.access rw,
+ @{sys}/kernel/security/apparmor/features/dbus/mask r,
+ @{sys}/module/apparmor/parameters/enabled r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/oom_score_adj r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index e1ffc64d6..29f4cfb1a 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/xdg-desktop-portal-gnome
-profile xdg-desktop-portal-gnome @{exec_path} {
+profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -27,6 +27,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 network unix stream,
 signal (receive) set=term peer=gdm,
+ signal (receive) set=(hup term) peer=gdm-session-worker,
 # dbus: own bus=session name=org.freedesktop.impl.portal.desktop.gnome
@@ -82,5 +83,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 owner @{PROC}/@{pid}/task/@{tid}/ r,
 owner @{PROC}/@{pid}/task/@{tid}/status r,
+ owner /dev/tty@{int} rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index ba8ef4939..27a35244d 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -32,7 +32,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term) peer=gdm-session-worker,
 signal (send) set=(term) peer=gdm-session,
 signal (send) set=(term) peer=gnome-session-binary,
- signal (send) set=(term) peer=xdg-permission-store,
+ signal (send) set=(term) peer=tracker-miner,
+ signal (send) set=(term) peer=xdg-*,
 signal (send) set=(term) peer=xorg,
 unix (bind, listen) type=stream addr="@/tmp/dbus-@{rand8}",
diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config
index b11ca4ace..00acd2c90 100644
--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@@ -32,9 +32,10 @@ profile gdm-generate-config @{exec_path} {
 /usr/share/gdm{3,}/{,**} r,
 /var/lib/ r,
+ @{GDM_HOME}/ r,
 owner @{GDM_HOME}/ rw,
 owner @{GDM_HOME}/greeter-dconf-defaults rw,
- owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} w,
+ owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index a13075968..4de981f14 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -32,7 +32,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 signal (receive) set=term peer=gdm,
- signal (receive) set=hup peer=@{systemd},
 signal (send) set=(hup term) peer=gdm-session,
 signal (send) set=hup peer=at-spi*,
 signal (send) set=hup peer=dbus-session,
@@ -41,7 +40,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 signal (send) set=hup peer=gsd-*,
 signal (send) set=hup peer=ibus-*,
 signal (send) set=hup peer=tracker-miner,
- signal (send) set=hup peer=xdg-permission-store,
+ signal (send) set=hup peer=xdg-*,
 signal (send) set=hup peer=xorg,
 signal (send) set=hup peer=xwayland,
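Review bot: `signal (send) set=(term) peer=xdg-*,` replaces a single named peer with a glob that matches every profile whose name begins with `xdg-`, and the gdm-session-worker hunk further down this line does the same for `set=hup`. Both are broader than the one-peer-per-line style of the surrounding signal rules; if the intended peers are a fixed set of portal and helper profiles, listing them (or a brace alternation of their names) keeps the least-privilege reading, and if the glob is deliberate a short comment saying which peers were observed would help the next reader.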
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 6cc32d534..1b6500f4f 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -45,24 +45,33 @@ profile gnome-initial-setup @{exec_path} { /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, + /etc/security/pwquality.conf r, + /etc/security/pwquality.conf.d/{,**} r, /etc/timezone r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{user_config_dirs}/gnome-initial-setup-done w, - owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6}BQK2 rw, + owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{run}/user/@{uid}/avatar.png rw, + @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/bios_version r, @{sys}/devices/virtual/dmi/id/product_family r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 630281200..b208aa2ec 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -19,6 +19,7 @@ profile gnome-session @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/gettext.sh r, + @{bin}/gettext rix, @{bin}/grep rix, @{bin}/head rix, @{bin}/id rix, @@ -32,6 +33,7 @@ profile gnome-session @{exec_path} { @{bin}/tty rix, @{bin}/uname rPx, + @{bin}/dpkg-query rpx, @{bin}/flatpak rCx -> flatpak, @{bin}/gsettings rPx, @{lib}/gnome-session-binary rPx, 
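Review bot: `@{bin}/dpkg-query rpx,` in the second gnome-session hunk uses the lower-case `p` transition, which unlike the `rPx` on the neighbouring `uname` and `gsettings` lines does not scrub the environment on the exec into the target profile. Unless dpkg-query genuinely needs the caller's unscrubbed environment, this reads as a typo and should be `@{bin}/dpkg-query rPx,` to match the rest of the file.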
@@ -51,6 +53,7 @@ profile gnome-session @{exec_path} {
 /etc/sysconfig/mail r,
 /etc/sysconfig/proxy r,
 /etc/sysconfig/windowmanager r,
+ /etc/X11/xinit/xinputrc r,
 /etc/X11/Xsession.d/*im-config_launch r,
 owner @{PROC}/@{pid}/cmdline r,
@@ -60,7 +63,8 @@ profile gnome-session @{exec_path} {
 profile flatpak {
 include
-
+ include
+
 @{bin}/flatpak mr,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index eacc0d17f..d1891c19f 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -56,9 +56,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 @{bin}/gnome-session rPx,
 @{bin}/gnome-shell rPx,
 @{bin}/session-migration rPx,
- @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx -> dbus-accessibility,
- @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rix,
 @{lib}/gnome-session-check-accelerated rix,
 @{lib}/gnome-session-check-accelerated-gl-helper rix,
 @{lib}/gnome-session-check-accelerated-gles-helper rix,
@@ -90,7 +88,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/autostart/{,*.desktop} r,
 owner @{user_config_dirs}/gnome-session/ rw,
 owner @{user_config_dirs}/gnome-session/saved-session/ rw,
- owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/systemd/sessions/* r,
@@ -117,8 +114,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 profile open {
 include
- @{lib}/gio-launch-desktop mr,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+ @{lib}/gio-launch-desktop mr,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+ @{sh_path} rix,
 @{bin}/aa-notify rPx,
 @{bin}/blueman-applet rPx,
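Review bot: `@{sh_path} rix,` in the `open` child profile runs a shell inline under that child's own permissions rather than transitioning it, so any desktop entry started through a shell wrapper inherits the launcher's whole rule set instead of a profile of its own. The grant carries no comment saying which launcher needs it, unlike the `# ifup@.service` style used elsewhere in this commit; a one-line comment naming the consumer would keep it auditable. The `open` child profile's body continues past the end of the hunk.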
@@ -139,6 +137,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 @{bin}/xbrlapi rPx,
 @{bin}/xdg-user-dirs-gtk-update rPx,
 @{bin}/xdg-user-dirs-update rPx,
+ @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
+ @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx,
 @{lib}/@{multiarch}/libexec/kdeconnectd rPUx,
 @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
 @{lib}/baloo_file rPx,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index cafad19c9..9828d75c4 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -272,7 +272,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{gdm_config_dirs}/pulse/cookie rwk,
 owner @{gdm_share_dirs}/applications/{,**} r,
 owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
- owner @{gdm_share_dirs}/icc/{,*} rw,
+ owner @{gdm_share_dirs}/icc/ r,
+ owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
+ owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,
 owner @{HOME}/.face r,
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
@@ -295,7 +297,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/gnome-shell/{,**} rw,
 owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
- owner @{user_share_dirs}/icc/{,*} rw,
+ owner @{user_share_dirs}/icc/ r,
+ owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
+ owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
 owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
 owner @{user_cache_dirs}/gnome-boxes/*.png r,
@@ -359,6 +363,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/devices/platform/**/input@{int}/{properties,name} r,
 @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,
+
 @{PROC}/ r,
 @{PROC}/@{pid}/attr/current r,
 @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/gnome/gnome-shell-overrides-migration b/apparmor.d/groups/gnome/gnome-shell-overrides-migration
new file mode 100644
index 000000000..2ef00e0f7
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-shell-overrides-migration
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh
+profile gnome-shell-overrides-migration @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/gsettings rPx,
+
+ owner @{user_share_dirs}/gnome-shell/ rw,
+ owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 77197f7a0..09af2c707 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -57,6 +57,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 /usr/share/gdm/greeter-dconf-defaults r,
 owner @{GDM_HOME}/greeter-dconf-defaults r,
+ owner @{gdm_config_dirs}/dconf/user r,
 @{run}/udev/data/+backlight:* r,
 @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index f4c712257..a2df1c198 100644
--- a/apparmor.d/groups/gnome/loupe
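Review bot: The new gnome-shell-overrides-migration profile is committed without a trailing newline (`\ No newline at end of file` after the closing `}`); add the final newline so the file matches the other profiles in the set and diffs cleanly next time. The rule set itself is small and consistent with the `rPx` transition that gnome-session-binary now uses for this script: the interpreter is confined inline via `@{sh_path} rix,`, only `gsettings` gets a profile transition, and writes are limited to the owner's `gnome-shell/` state directory.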
+++ b/apparmor.d/groups/gnome/loupe
@@ -30,6 +30,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/cgroup r,
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
 profile bwrap flags=(attach_disconnected) {
 include
 include
@@ -39,6 +41,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
 @{bin}/bwrap mr,
 @{lib}/glycin-loaders/*/glycin-image-rs rix,
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 0445f1abd..261676af7 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -45,8 +45,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 @{bin}/mount rPx,
 @{bin}/umount rPx,
- owner @{desktop_config_dirs}/dconf/user r,
-
 / r,
 /etc/fstab r,
@@ -54,6 +52,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 @{MOUNTS}/**/ r,
 @{HOME}/**/ r,
+ owner @{desktop_config_dirs}/dconf/user r,
+
 @{run}/mount/utab r,
 @{PROC}/ r,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 285e24a14..fa90f1582 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -95,8 +95,6 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 @{etc_ro}/rc{[0-9],S}.d/{,*} r,
 @{etc_ro}/init.d/ntp r,
- owner @{PROC}/filesystems r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index f66961409..39315e7cb 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -32,10 +32,10 @@ profile coredumpctl @{exec_path} flags=(complain) {
 /var/lib/systemd/coredump/core.*.@{int}.@{hex}.@{int}.@{int}.zst r,
 /{run,var}/log/journal/ r,
- /{run,var}/log/journal/@{md5}/ r,
- /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
- /{run,var}/log/journal/@{md5}/system.journal* r,
- /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/ r,
+ /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/system.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
 owner /tmp/*.coredump w,
 owner /tmp/core.* w,
diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed
index b63f89950..9a10d3de9 100644
--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
@@ -16,6 +16,7 @@ profile cups-browsed @{exec_path} {
 include
 include
+ capability net_admin,
 capability net_bind_service,
 capability sys_nice,
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index 84c06ea19..6e06e6b18 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -31,7 +31,7 @@ profile scrcpy @{exec_path} {
 /var/lib/dbus/machine-id r,
 owner @{user_config_dirs}/ibus/bus/ r,
- owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+ owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
 deny @{user_share_dirs}/gvfs-metadata/* r,
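Review bot: `capability net_admin,` in the cups-browsed hunk is a broad grant (interface, routing and netfilter configuration) and the hunk gives no hint of which operation needs it, unlike the narrower `net_bind_service` and `sys_nice` it sits beside. Requests for CAP_NET_ADMIN from network daemons are often a socket-option call the program tolerates failing; if that is the case here, `deny capability net_admin,` silences the audit entry without granting the capability. If the grant is genuinely required, a comment naming the triggering operation should accompany the rule so the next reviewer does not have to rediscover it.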