diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 9de4359e1..f1443a936 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -69,11 +69,12 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, + /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, + /etc/lsb-release r, /etc/mailcap r, /etc/mime.types r, - /etc/{,opensc/}opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, @@ -96,7 +97,7 @@ owner @{tmp}/firefox/* rwk, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, - owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmp-*.xpi rw, owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon-@{int} r, @@ -104,6 +105,7 @@ owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, @{run}/mount/utab r, diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index ca4a8e16c..ceacbae9c 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -5,7 +5,7 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. - /usr/share/alsa/** r, + /usr/share/alsa/{,**} r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, /usr/share/pipewire/client.conf r, diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 619ba1111..ef69d2d54 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -7,10 +7,6 @@ include - /usr/share/alsa/{,**} r, - - /etc/alsa/conf.d/{,**} r, - @{run}/udev/data/+sound:card@{int} r, # for sound card @{sys}/class/ r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game new file mode 100644 index 000000000..a3619b164 --- /dev/null +++ b/apparmor.d/abstractions/common/game @@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Core set of resources for any games on Linux. Runtimes such as sandboxing, +# wine, proton, game launchers should use this abstraction. + +# This abstraction use the following tunables: +# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") +# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) + + include + include + include + include + include + include + include + + @{bin}/uname rix, + @{bin}/xdg-settings rPx, + @{browsers_path} rPx, + + @{bin}/env r, + + @{lib}/ r, + / r, + /home/ r, + /usr/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/ r, + + owner @{user_games_dirs}/ r, + owner @{user_games_dirs}/*/ r, + owner @{user_games_dirs}/*/{,**} rwkl, + + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + @{tmp}/ r, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + owner @{tmp}/#@{int} rw, + owner @{tmp}/CASESENSITIVETEST@{hex32} rw, + owner @{tmp}/crashes/ rw, + owner @{tmp}/crashes/** rwk, + owner @{tmp}/miles_image_@{rand6} mrw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner /dev/shm/mono.@{int} rw, + owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/input/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/net/*/carrier r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/**/{vendor,product} r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/system/ r, + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/*/carrier r, + @{sys}/kernel/ r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/uptime r, + @{PROC}/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/tty rw, + /dev/uinput rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index c6a7aff75..4bd211f27 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -2,45 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include - include - include - include - include - include - include - - @{bin}/uname rix, - @{bin}/xdg-settings rPx, - @{browsers_path} rPx, - - @{bin}/env r, + include @{lib_dirs}/ r, - @{lib}/ r, - / r, - /home/ r, - /usr/ r, - /usr/local/ r, - /usr/local/lib/ r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{HOME}/ r, owner @{HOME}/.steam/steam.pid r, owner @{HOME}/.steam/steam.pipe r, - owner @{user_games_dirs}/ r, - owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/{,**} rwkl, - - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{app_dirs}/ r, owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper" @@ -56,19 +24,6 @@ owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{share_dirs}/steamapps/shadercache/{,**} rwk, - @{tmp}/ r, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/crashes/ rw, - owner @{tmp}/crashes/** rwk, - owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - owner /dev/shm/mono.@{int} rw, - owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, @@ -76,53 +31,6 @@ owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/net/*/carrier r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/system/ r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/cpu@{int}/ r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/*/carrier r, - @{sys}/kernel/ r, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/uptime r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/tty rw, - /dev/uinput rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index f52c3e14f..f21b968d2 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control @@ -31,6 +31,8 @@ profile akonadi_control @{exec_path} { owner @{user_share_dirs}/akonadi/{,**} rwl, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 41ce67746..6d50db9dc 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -57,14 +57,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{rand6}.tmp r, owner @{tmp}/@{rand8}.txt w, owner @{tmp}/* w, # file downloads (to anywhere) - owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/mozilla* rw, owner @{tmp}/mozilla*/ rw, owner @{tmp}/mozilla*/* rwk, - owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, - owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, - owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, - owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, + owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, + owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk, # Silencer deny @{lib_dirs}/** w, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index f2526292b..995f94f8f 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -9,6 +9,7 @@ include @{name} = firefox{,.sh,-esr,-bin} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/glxtest profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @@ -19,6 +20,9 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, + owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, + owner @{config_dirs}/firefox/*/.parentlock rw, owner @{tmp}/@{name}/.parentlock rw, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index d23d94bb8..b4202ed0d 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -10,8 +10,8 @@ include profile firefox-kmozillahelper @{exec_path} { include include - include include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index dc4ded9cd..1c5f8cd30 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -16,6 +16,12 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, @@ -50,6 +56,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, + owner @{tmp}/xauth_@{rand6} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index f001c27b7..e63d51eaa 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -66,6 +66,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/oom_score_adj r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index a1a04dfa3..3636138c0 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -57,9 +57,10 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - owner @{PROC}/@{pid}/uid_map r, - owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/fd/ r, @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, /dev/tty rw, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 6278d2ac7..962a97c3b 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -18,9 +18,9 @@ profile xdm-xsession @{exec_path} { @{shells_path} rix, - @{bin}/checkproc rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/checkproc rix, @{bin}/dirname rix, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, @@ -28,8 +28,10 @@ profile xdm-xsession @{exec_path} { @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/sed rix, @{bin}/ssh-agent rix, + @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @@ -56,6 +58,7 @@ profile xdm-xsession @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, + /usr/share/terminfo/{,**} r, @{etc_ro}/X11/xdm/scripts/{,*} r, @{etc_ro}/X11/xim r, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 7754ee09f..f8a9700f5 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -46,6 +46,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/shm/#@{int} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 0bb878ab6..5fc356133 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -84,12 +84,14 @@ profile pulseaudio @{exec_path} { owner @{desktop_config_dirs}/pulse/{,**} rw, owner @{desktop_config_dirs}/pulse/cookie k, + owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, owner @{user_config_dirs}/pulse/{,**} rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, owner @{run}/user/@{uid}/ rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/** rwk, owner @{run}/user/@{uid}/systemd/notify rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 89135381c..588d4d393 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -71,6 +71,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{HOME}/ r, + owner @{HOME}/* r, owner @{HOME}/*/{,**} rw, owner @{MOUNTS}/ r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index c5b220145..f50e30311 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -77,6 +77,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, /etc/default/locale r, + /etc/fscrypt.conf r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, @@ -93,6 +94,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /var/lib/wtmpdb/ r, /var/lib/wtmpdb/* rwk, + /.fscrypt/policies/ r, + /.fscrypt/protectors/ r, + owner /.fscrypt/protectors/@{hex16} r, + + /home/ r, + /home/.fscrypt/policies/ r, + owner /home/.fscrypt/policies/@{hex32} r, + owner /home/.fscrypt/protectors/@{hex16}.link r, + owner @{HOME}/.pam_environment r, @{run}/cockpit/inactive.motd r, @@ -106,12 +116,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{run}/cockpit/active.motd r, @{run}/faillock/@{user} rwk, + @{run}/fscrypt/ rw, + @{run}/fscrypt/@{uid}.count rwk, @{run}/motd.d/{,*} r, @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, @{PROC}/keys r, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fbb3942f7..5ebd08e5a 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -14,8 +14,11 @@ profile gnome-clocks @{exec_path} { include include include + include include + network netlink raw, + #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index b1a0bd8ac..2ebff5ddf 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -83,6 +83,11 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/flatpak/.changed w, + owner @{user_share_dirs}/flatpak/{app,runtime}/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 126140401..8e79bd015 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -38,6 +38,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 84f37da76..01518446b 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -16,6 +16,8 @@ profile gnome-tweaks @{exec_path} { include include + network netlink raw, + @{exec_path} mr, @{bin}/ r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index d25b4cdcc..d125cd13d 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -34,6 +34,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/geocode-glib/* r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index ee2de80ce..6b2544a84 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -47,6 +47,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/media@{int} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index b037db499..a49f28b47 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -65,7 +65,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, + owner /var/tmp/etilqs_@{hex15} rw, owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{hex16} rw, # Allow to search user files diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index ae8f90ed5..1e257cfc0 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -20,6 +20,7 @@ profile gpg-connect-agent @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index d8ea92d1f..a5a4c8ce2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -21,7 +21,7 @@ profile gvfsd-mtp @{exec_path} { @{exec_path} mr, - owner @{HOME}/{,**} rw, + owner @{HOME}/{,**} rw, # FIXME: ? owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ab2ea4677..9509d3184 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -36,7 +36,7 @@ profile gvfsd-recent @{exec_path} { @{exec_path} mr, # Full access to user's data - owner @{HOME}/{,**} rw, + owner @{HOME}/{,**} rw, # FIXME: ? owner @{MOUNTS}/{,**} rw, owner @{HOME}/.zshenv r, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index db870bd82..227f4e062 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -40,6 +40,7 @@ profile DiscoverNotifier @{exec_path} { /var/lib/flatpak/{,**} r, /var/cache/swcatalog/cache/ w, + /var/cache/swcatalog/xml/{,**} r, owner @{user_cache_dirs}/appstream/ r, owner @{user_cache_dirs}/appstream/** rw, @@ -58,6 +59,8 @@ profile DiscoverNotifier @{exec_path} { owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw, owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, profile gpg { diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index c1a63931e..d1e48f849 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -25,6 +25,8 @@ profile gmenudbusmenuproxy @{exec_path} { owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + include if exists } diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index daf880cf9..471812c7c 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/kalendarac profile kalendarac @{exec_path} { include - include + include include include include @@ -36,6 +36,8 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 960747c21..09ebb0d7c 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -36,6 +36,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{HOME}/ r, + owner @{user_cache_dirs}/ddcutil/* r, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_config_dirs}/#@{int} rw, @@ -63,7 +64,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/ r, @{sys}/devices/i2c-@{int}/name r, @{sys}/devices/platform/**/i2c-@{int}/**/name r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e0cc7f5b3..422fc103c 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -59,7 +59,7 @@ profile kded @{exec_path} { @{bin}/xsettingsd rPx, @{lib}/drkonqi rPx, - #aa:exec utempter + @{lib}/{,@{multiarch}/}utempter/utempter rPx, #aa:exec kconf_update /usr/share/color-schemes/{,**} r, @@ -123,8 +123,7 @@ profile kded @{exec_path} { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/networkmanagement.notifyrc r, - owner @{user_config_dirs}/plasma-nm r, - owner @{user_config_dirs}/plasma-welcomerc r, + owner @{user_config_dirs}/plasma* r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, @@ -151,6 +150,8 @@ profile kded @{exec_path} { owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, + @{sys}/class/leds/ r, + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 1995838c1..f71f9734c 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -19,6 +19,7 @@ profile kglobalacceld @{exec_path} { /etc/machine-id r, /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/ksycoca{5,6}_* rw, @@ -29,6 +30,8 @@ profile kglobalacceld @{exec_path} { owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, + @{PROC}/sys/kernel/random/boot_id r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 7462d6c5b..5b6c7184a 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -13,6 +13,7 @@ profile kiod @{exec_path} { include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 054731148..3151156a7 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -26,7 +26,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/@{shells} rUx, @{browsers_path} rPx, - #aa:exec utempter + @{lib}/libheif/ r, + @{lib}/libheif/** mr, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, @@ -47,12 +49,15 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kbookmarkrc r, + owner @{user_config_dirs}/konsole.notifyrc r, owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/session/** rwlk, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, @@ -62,6 +67,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 1884414a9..bd1666a06 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/plasmashellrc r, # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index b7e1858da..858bc4b9a 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -52,6 +52,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, @@ -62,6 +63,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/iceauth_@{rand6}-c w, + owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c, + owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw, + owner @{tmp}/@{rand6} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 5005dde31..2b2545b33 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -43,6 +43,8 @@ profile kwalletd @{exec_path} { owner @{tmp}/kwalletd5.* rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index c987a4759..432c49ac3 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -10,6 +10,7 @@ include profile plasma_waitforname @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 9a21b9dff..fe79dccd7 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -178,6 +178,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/kdesud_:@{int} w, owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @@ -187,9 +188,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{sys}/devices/platform/** r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/thermal/**/{name,type} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{PROC}/ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f249d911e..dba650f2c 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -49,6 +49,8 @@ profile sddm-greeter @{exec_path} { owner @{SDDM_HOME}/#@{int} mrw, owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**, + owner @{HOME}/.face.icon r, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e575f3bb2..149df7695 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -22,6 +22,7 @@ profile startplasma @{exec_path} { @{bin}/env rix, @{bin}/grep rix, @{bin}/kapplymousetheme rPUx, + @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, @{bin}/plasma_session rPx, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index a4474a64a..57e32b960 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -20,6 +20,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 1f3d9ad8b..ab08d1f18 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -118,6 +118,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/** rwlk -> /var/**, # Read packages files + @{user_pkg_dirs}/ r, @{user_pkg_dirs}/**/ r, @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, @@ -193,6 +194,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, + signal send set=cont peer=child-pager, + @{bin}/pager rPx -> child-pager, @{bin}/less rPx -> child-pager, @{bin}/more rPx -> child-pager, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 376749d9e..3fbbfc51f 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -131,6 +131,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/edk2*/{,**} rk, /usr/share/hwdata/* r, + /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 1a3ecb06b..b06ad67f1 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -24,6 +24,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw, owner @{run}/user/@{uid}/common/system.token rw, + owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 50b8e4889..a39c04504 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -62,6 +62,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index c2eb97c30..ae72f8dbc 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index ea2842a74..8a625b547 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/amixer profile amixer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 947245d2a..5568b9e15 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -38,6 +38,7 @@ profile atool @{exec_path} { @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, + @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -47,6 +48,9 @@ profile atool @{exec_path} { @{bin}/xz rix, @{bin}/zip rix, + /etc/atool.conf r, + owner @{HOME}/.atoolrc r, + include if exists } diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 107330419..6a8eff043 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -21,6 +21,9 @@ profile borg @{exec_path} { network inet6 dgram, network netlink raw, + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, + @{exec_path} r, @{bin}/ r, @@ -107,6 +110,9 @@ profile borg @{exec_path} { /etc/fuse.conf r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + @{PROC}/@{pids}/mounts r, /dev/fuse rw, diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 5aa5c5ed2..490afddb2 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -12,6 +12,8 @@ include profile chronyd @{exec_path} flags=(attach_disconnected) { include include + include + include capability chown, capability dac_override, diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino similarity index 50% rename from apparmor.d/profiles-a-f/dino-im rename to apparmor.d/profiles-a-f/dino index 07fba44a5..dad921850 100644 --- a/apparmor.d/profiles-a-f/dino-im +++ b/apparmor.d/profiles-a-f/dino @@ -7,13 +7,17 @@ abi , include -@{exec_path} = @{bin}/dino-im -profile dino-im @{exec_path} { +@{exec_path} = @{bin}/dino{,-im} +profile dino @{exec_path} flags=(attach_disconnected) { include + include include include include + include + include include + include include network inet dgram, @@ -24,30 +28,26 @@ profile dino-im @{exec_path} { @{exec_path} mr, - # Needed for GPG/PGP support - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, + # Not in a subprofile because of no new privs + @{bin}/gpg{,2} rix, + @{bin}/gpgconf rix, + @{bin}/gpgsm rix, + @{lib}/gnupg/keyboxd rix, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{user_share_dirs}/dino/ rw, owner @{user_share_dirs}/dino/** rwk, + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/S.keyboxd rw, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, - profile gpg { - include - - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, - - owner @{HOME}/.gnupg/ rw, - owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, - - include if exists - } - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 6dcd5cbb8..819cd234e 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -24,7 +24,7 @@ profile dmesg @{exec_path} { /usr/share/terminfo/** r, - owner @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/pid_max r, /dev/kmsg r, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 78fa87937..86077c89b 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -75,8 +75,7 @@ profile engrampa @{exec_path} { owner @{user_share_dirs}/ r, - /tmp/ r, - owner @{tmp}/** rw, + /tmp/ r, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool index 23aac34d4..9db5d83ea 100644 --- a/apparmor.d/profiles-a-f/exiftool +++ b/apparmor.d/profiles-a-f/exiftool @@ -11,6 +11,7 @@ profile exiftool @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index d32790f0b..e450c78cd 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -44,9 +44,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /usr/local/lib/python3.@{int}/dist-packages/ r, - /usr/share/libalternatives/ r, - /usr/share/libalternatives/ebtables*/{,*} r, - /usr/share/libalternatives/ip{,4,6}tables*/{,*} r, + /usr/share/iproute2/{,**} r, + /usr/share/libalternatives/{,**} r, /etc/firewalld/{,**} rw, /etc/iproute2/group r, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 83be5477c..87e9b443d 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -89,6 +89,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/flatpak/app/** rw, owner @{run}/flatpak/doc/** rw, owner @{run}/ld-so-cache-dir/* rw, + owner @{run}/user/ r, owner @{run}/user/@{uid}/*.kioworker.socket r, owner @{run}/user/@{uid}/#@{int} rwl, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index ba37f7bcc..2c0eb2fac 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -43,6 +43,7 @@ profile git @{exec_path} flags=(attach_disconnected) { # These are needed for "git submodule update" @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/alts rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/date rix, @@ -78,6 +79,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/vim.* rCx -> editor, /usr/share/git{,-core}/{,**} r, + /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, /etc/gitconfig r, @@ -139,14 +141,15 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, - /etc/ssh/ssh_config.d/{,*} r, - /etc/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, + @{etc_ro}/ssh/ssh_config r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, - owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*, + owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index d06991025..7e8faecfa 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -89,7 +89,7 @@ profile htop @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 00600b72b..57de7cab8 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -21,6 +21,7 @@ profile issue-generator @{exec_path} { @{bin}/sort rix, /etc/issue.d/{,**} r, + /etc/sysconfig/issue-generator r, @{run}/issue r, @{run}/issue.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 29125f192..3798332ea 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -28,9 +28,10 @@ profile modprobed-db @{exec_path} { @{bin}/uniq rix, @{bin}/wc rix, + /usr/share/modprobed-db/** r, /usr/share/terminfo/** r, - owner @{user_config_dirs}/modprobed-db.conf r, + owner @{user_config_dirs}/modprobed-db.conf rw, owner @{user_config_dirs}/modprobed.db rw, owner @{tmp}/.inmem rw, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index cb220a7b6..38cbecd71 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -95,7 +95,7 @@ profile monitorix @{exec_path} { @{PROC}/@{pids}/io r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 1629176dd..88a5078aa 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/mpv profile mpv @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index db29113ce..46e10927b 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -9,9 +9,11 @@ include @{exec_path} = /opt/Mullvad*/resources/mullvad-setup profile mullvad-setup @{exec_path} { include + include @{exec_path} mr, + @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, # File Inherit diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 947350b8a..1763bd96f 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -10,40 +10,23 @@ include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include - include include - include - include - include - include + include + include include include - include - include - include @{exec_path} mr, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, + /var/lib/dbus/machine-id r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{tmp}/xauth_@{rand6} r, owner /dev/shm/#@{int} rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 911519459..e72a6a5c6 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -55,7 +55,6 @@ profile qnapi @{exec_path} { /tmp/ r, owner @{tmp}/@{hex}.* rw, - owner @{tmp}/** rw, owner @{tmp}/#@{int} rw, owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int}, owner @{tmp}/QNapi-*-rc.lock rwk, diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 418167345..5d773292d 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -14,11 +14,16 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted include include include + include include + include + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -31,6 +36,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, + owner @{user_books_dirs}/**/None rw, owner @{user_cache_dirs}/YACReader/ rw, owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw, @@ -43,7 +49,10 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{tmp}/@{uuid} w, + @{run}/mount/utab r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index aadad6860..755efba9b 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -27,8 +27,6 @@ profile sanoid @{exec_path} flags=(complain) { @{run}/sanoid/sanoid_cacheupdate.lock rwk, @{run}/sanoid/sanoid_pruning.lock rwk, - owner @{tmp}/** rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 5eececb0b..18e4c135f 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 49a668996..95eec5abc 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -29,6 +29,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { network unix stream, signal receive peer=steam, + unix, @{exec_path} mr, @{bin}/bwrap mrix, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index 077e6cf8b..d6680ac61 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -23,7 +23,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - network unix stream, + + unix, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index c90665cdf..ba3e774e6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - owner @{tmp}/** rw, - @{PROC}/@{pids}/maps r, include if exists diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index ab36047f2..f929adcae 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -46,8 +46,6 @@ profile system-config-printer @{exec_path} flags=(complain) { @{run}/cups/cups.sock rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{tmp}/* rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission similarity index 88% rename from apparmor.d/profiles-s-z/transmission-gtk rename to apparmor.d/profiles-s-z/transmission index 40586fa03..07aca1890 100644 --- a/apparmor.d/profiles-s-z/transmission-gtk +++ b/apparmor.d/profiles-s-z/transmission @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{bin}/transmission-gtk -profile transmission-gtk @{exec_path} { +@{exec_path} = @{bin}/transmission-{gtk,qt} +profile transmission @{exec_path} { include include include @@ -33,10 +33,11 @@ profile transmission-gtk @{exec_path} { owner @{user_config_dirs}/transmission/ rw, owner @{user_config_dirs}/transmission/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/transmission/ rw, owner @{user_cache_dirs}/transmission/** rwk, + owner @{tmp}/tr_session_id_* rwk, + @{run}/mount/utab r, @{PROC}/@{pid}/net/route r, @@ -48,7 +49,7 @@ profile transmission-gtk @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt deleted file mode 100644 index bbfe5bff4..000000000 --- a/apparmor.d/profiles-s-z/transmission-qt +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/transmission-qt -profile transmission-qt @{exec_path} { - include - include - include - include - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - @{exec_path} mr, - - # Torrent files - owner @{user_torrents_dirs}/ r, - owner @{user_torrents_dirs}/** rw, - - owner @{user_config_dirs}/transmission/ rw, - owner @{user_config_dirs}/transmission/** rwk, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/transmission/ rw, - owner @{user_cache_dirs}/transmission/** rwk, - - owner @{tmp}/tr_session_id_* rwk, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/net/route r, - @{PROC}/sys/kernel/random/uuid r, - - /usr/share/hwdata/pnp.ids r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt new file mode 100644 index 000000000..148d28957 --- /dev/null +++ b/apparmor.d/profiles-s-z/veracrypt @@ -0,0 +1,96 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/veracrypt +profile veracrypt @{exec_path} { + include + include + include + include + include + include + include + include + + capability chown, + capability dac_read_search, + capability fsetid, + capability sys_admin, + capability sys_ptrace, + + mount fstype=fuse.veracrypt options=(rw nodev nosuid) veracrypt -> /tmp/.veracrypt_*/, + + @{exec_path} mrix, + + @{sh_path} rix, + @{open_path} rPx -> child-open-help, + @{bin}/dmsetup rPx, + @{bin}/grep rix, + @{bin}/kmod rix, + @{bin}/ldconfig rix, + @{bin}/losetup rCx -> losetup, + @{bin}/mount rPx, + @{bin}/sudo rix, + @{bin}/umount rCx -> umount, + @{bin}/wc rix, + @{file_explorers_path} rPx, + + /home/ r, + + # Mount points + @{MOUNTS}/ rw, + @{MOUNTS}/*/ rw, + + owner @{HOME}/ r, + owner @{HOME}/.VeraCrypt-lock-@{user} rwk, + + owner @{user_config_dirs}/VeraCrypt/ rw, + owner @{user_config_dirs}/VeraCrypt/** rwk, + + /tmp/.veracrypt_*/ rw, + /tmp/.veracrypt_*/** rwk, + + @{sys}/module/compression r, + @{sys}/module/dm_mod/initstate r, + + @{PROC}/partitions r, + owner @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + /dev/tty rw, + + profile umount { + include + + capability sys_admin, + + umount /tmp/.veracrypt_*/, + umount @{MOUNTS}/{,*/}, + + @{bin}/umount mr, + + owner @{run}/mount/utab r, + + include if exists + } + + profile losetup { + include + include + + capability sys_rawio, + + @{bin}/losetup mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index d5116b043..e6cd61581 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -9,7 +9,8 @@ include @{exec_path} = @{bin}/waybar profile waybar @{exec_path} flags=(attach_disconnected) { include - include + include + include include include include diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index b055fe31b..d45ad5f1e 100644 --- a/apparmor.d/profiles-s-z/zathura +++ b/apparmor.d/profiles-s-z/zathura @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/zathura +@{exec_path} = @{bin}/zathura{,-sandbox} profile zathura @{exec_path} { include include @@ -18,11 +18,13 @@ profile zathura @{exec_path} { @{exec_path} mr, /usr/share/file/{,**} r, + /usr/share/poppler/{,**} r, /etc/xdg/{,**} r, /etc/zathurarc r, owner @{user_config_dirs}/zathura/** r, + owner @{user_share_dirs}/zathura/ r, owner @{user_share_dirs}/zathura/** rwk, owner @{tmp}/gtkprint* rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index f2e7c2563..aaebe5ed1 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -35,6 +35,7 @@ @{hex8}=@{hex4}@{hex4} @{hex9}=@{hex8}@{h} @{hex10}=@{hex8}@{hex2} +@{hex15}=@{hex8}@{hex4}@{hex2}@{h} @{hex16}=@{hex8}@{hex8} @{hex32}=@{hex16}@{hex16} @{hex38}=@{hex32}@{hex6} @@ -47,6 +48,7 @@ @{rand8}=@{rand4}@{rand4} @{rand9}=@{rand8}@{c} @{rand10}=@{rand8}@{rand2} +@{rand15}=@{rand8}@{rand4}@{rand2}@{c} @{rand16}=@{rand8}@{rand8} @{rand32}=@{rand16}@{rand16} @{rand64}=@{rand64}@{rand64} diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 8fa7cce66..ec64e8cfd 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -199,7 +199,7 @@ func main() { case format: files, err = pathsFromArgs() if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } err = aaFormat(files) case tree: @@ -207,6 +207,6 @@ func main() { } if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index c39d4cbbd..d909cc818 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -91,6 +91,6 @@ func main() { os.Exit(0) } if err := aaPrebuild(); err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 57862b8ce..f37e7f991 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -87,6 +87,7 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain +dino attach_disconnected,complain DiscoverNotifier complain dkms attach_disconnected,complain dockerd attach_disconnected,complain @@ -368,6 +369,7 @@ systemd-userwork attach_disconnected,complain systemsettings complain totem attach_disconnected,complain tracker-writeback complain +transmission complain udev-dmi-memory-id complain udisksctl complain udisksd attach_disconnected,complain @@ -375,6 +377,7 @@ update-grub complain update-secureboot-policy complain userdbctl complain utempter attach_disconnected,complain +veracrypt complain virt-manager attach_disconnected,complain virtinterfaced attach_disconnected,complain virtiofsd complain,attach_disconnected diff --git a/dists/overwrite b/dists/overwrite index bea6d574b..ec35b79cd 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -5,6 +5,7 @@ brave chrome +chromium element-desktop epiphany firefox @@ -18,5 +19,6 @@ plasmashell slirp4netns systemd-coredump thunderbird +transmission unix-chkpwd virtiofsd diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 82c7f4b04..1e075e66c 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -122,6 +122,15 @@ A minimal set of rules for all electron based UI applications. It works as a *fu @{cache_dirs} = @{user_cache_dirs}/@{name} ``` +### **`common/game`** + +Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction. + +This abstraction uses the following tunables: + +- `@{XDG_GAMESSTUDIO_DIR}` for game studio and game engines specific directories (Default: `@{XDG_GAMESSTUDIO_DIR}="unity3d"`) +- `@{user_games_dirs}` for user specific game directories (e.g.: steam storage dir) + ### **`common/systemd`** Common set of rules for internal systemd suite. diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index e6c91ac93..7f5af2e08 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go @@ -37,7 +37,7 @@ func Print(msg string, a ...interface{}) int { // Println prints a formatted message. Arguments are handled in the manner of fmt.Println. func Println(msg string) int { - n, _ := fmt.Fprintf(os.Stdout, msg+"\n") + n, _ := fmt.Fprintf(os.Stdout, "%s\n", msg) return n } @@ -48,7 +48,7 @@ func Bulletf(msg string, a ...interface{}) string { // Bullet prints a formatted bullet point string func Bullet(msg string, a ...interface{}) int { - return Print(Bulletf(msg, a...)) + return Print("%s", Bulletf(msg, a...)) } // Stepf returns a formatted step string @@ -58,7 +58,7 @@ func Stepf(msg string, a ...interface{}) string { // Step prints a step title func Step(msg string, a ...interface{}) int { - return Print(Stepf(msg, a...)) + return Print("%s", Stepf(msg, a...)) } // Successf returns a formatted success string @@ -68,7 +68,7 @@ func Successf(msg string, a ...interface{}) string { // Success prints a formatted success message to stdout func Success(msg string, a ...interface{}) int { - return Print(Successf(msg, a...)) + return Print("%s", Successf(msg, a...)) } // Warningf returns a formatted warning string @@ -78,12 +78,12 @@ func Warningf(msg string, a ...interface{}) string { // Warning prints a formatted warning message to stdout func Warning(msg string, a ...interface{}) int { - return Print(Warningf(msg, a...)) + return Print("%s", Warningf(msg, a...)) } // Fatalf returns a formatted error message func Error(msg string, a ...interface{}) int { - return Print(fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) + return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) } // Fatalf returns a formatted error message diff --git a/pkg/logging/logging_test.go b/pkg/logging/logging_test.go index ebfe48afd..eb912595e 100644 --- a/pkg/logging/logging_test.go +++ b/pkg/logging/logging_test.go @@ -10,7 +10,7 @@ func TestPrint(t *testing.T) { msg := "Print message" wantN := 13 - gotN := Print(msg) + gotN := Print("%s", msg) if gotN != wantN { t.Errorf("Print() = %v, want %v", gotN, wantN) } @@ -28,7 +28,7 @@ func TestPrintln(t *testing.T) { func TestBulletf(t *testing.T) { msg := "Bullet message" want := "\033[1m ⋅ \033[0mBullet message\n" - if got := Bulletf(msg); got != want { + if got := Bulletf("%s", msg); got != want { t.Errorf("Bulletf() = %v, want %v", got, want) } } @@ -36,7 +36,7 @@ func TestBulletf(t *testing.T) { func TestBullet(t *testing.T) { msg := "Bullet message" wantN := 28 - gotN := Bullet(msg) + gotN := Bullet("%s", msg) if gotN != wantN { t.Errorf("Bullet() = %v, want %v", gotN, wantN) } @@ -45,7 +45,7 @@ func TestBullet(t *testing.T) { func TestStepf(t *testing.T) { msg := "Step message" want := "\033[1;32mStep message\033[0m\n" - if got := Stepf(msg); got != want { + if got := Stepf("%s", msg); got != want { t.Errorf("Stepf() = %v, want %v", got, want) } } @@ -53,7 +53,7 @@ func TestStepf(t *testing.T) { func TestStep(t *testing.T) { msg := "Step message" wantN := 24 - gotN := Step(msg) + gotN := Step("%s", msg) if gotN != wantN { t.Errorf("Step() = %v, want %v", gotN, wantN) } @@ -62,7 +62,7 @@ func TestStep(t *testing.T) { func TestSuccessf(t *testing.T) { msg := "Success message" want := "\033[1;32m ✓ \033[0mSuccess message\n" - if got := Successf(msg); got != want { + if got := Successf("%s", msg); got != want { t.Errorf("Successf() = %v, want %v", got, want) } } @@ -70,7 +70,7 @@ func TestSuccessf(t *testing.T) { func TestSuccess(t *testing.T) { msg := "Success message" wantN := 32 - gotN := Success(msg) + gotN := Success("%s", msg) if gotN != wantN { t.Errorf("Success() = %v, want %v", gotN, wantN) } @@ -79,7 +79,7 @@ func TestSuccess(t *testing.T) { func TestWarningf(t *testing.T) { msg := "Warning message" want := "\033[1;33m ‼ \033[0mWarning message\n" - if got := Warningf(msg); got != want { + if got := Warningf("%s", msg); got != want { t.Errorf("Warningf() = %v, want %v", got, want) } } @@ -87,7 +87,7 @@ func TestWarningf(t *testing.T) { func TestWarning(t *testing.T) { msg := "Warning message" wantN := 32 - gotN := Warning(msg) + gotN := Warning("%s", msg) if gotN != wantN { t.Errorf("Warning() = %v, want %v", gotN, wantN) } @@ -96,7 +96,7 @@ func TestWarning(t *testing.T) { func TestError(t *testing.T) { msg := "Error message" wantN := 30 - gotN := Error(msg) + gotN := Error("%s", msg) if gotN != wantN { t.Errorf("Error() = %v, want %v", gotN, wantN) } @@ -105,7 +105,7 @@ func TestError(t *testing.T) { func TestFatalf(t *testing.T) { msg := "Error message" want := "\033[1;31m ✗ Error: \033[0mError message\n" - if got := Fatalf(msg); got != want { + if got := Fatalf("%s", msg); got != want { t.Errorf("Fatalf() = %v, want %v", got, want) } } diff --git a/tests/cmd/main.go b/tests/cmd/main.go index de1d27561..057994f86 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go @@ -197,6 +197,6 @@ func main() { os.Exit(1) } if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/tests/integration/scenario.go b/tests/integration/scenario.go index 53758fb42..94e9a728f 100644 --- a/tests/integration/scenario.go +++ b/tests/integration/scenario.go @@ -102,13 +102,13 @@ func (t *Test) Run(dryRun bool) (ran int, nb int, err error) { if !strings.Contains(cmd, "{{") { nb++ if dryRun { - logging.Bullet(cmd) + logging.Bullet("%s", cmd) } else { cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n")) if cmdErr != nil { logging.Error("%v", cmdErr) } else { - logging.Success(cmd) + logging.Success("%s", cmd) } } }