From a1ba00bec3e964e11cae0dd94346f8aebdffc188 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 31 Aug 2025 23:00:13 +0200 Subject: [PATCH] feat(profile): general profile update. --- apparmor.d/groups/apparmor/apparmor_parser | 4 ++-- apparmor.d/groups/apt/debconf-frontend | 4 +++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/bluetooth/obexd | 5 +++++ apparmor.d/groups/cron/anacron | 3 +++ apparmor.d/groups/cups/cups-browsed | 4 +++- apparmor.d/groups/flatpak/flatpak | 3 +++ apparmor.d/groups/flatpak/flatpak-system-helper | 8 +++++++- apparmor.d/groups/freedesktop/wireplumber | 8 +++++--- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 13 +++++++++++++ apparmor.d/groups/gnome/gdm-session | 11 ++++++----- apparmor.d/groups/gnome/gnome-calculator | 1 + apparmor.d/groups/gnome/gnome-control-center | 3 ++- apparmor.d/groups/gnome/gnome-session | 3 +++ apparmor.d/groups/gnome/gnome-session-binary | 5 +++-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 5 +++-- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-usb-protection | 1 + apparmor.d/groups/gnome/gsd-wwan | 7 +++++++ apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/procps/htop | 1 + apparmor.d/groups/ssh/sshd | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 3 +++ apparmor.d/groups/systemd/systemd-detect-virt | 3 +++ apparmor.d/groups/systemd/systemd-remount-fs | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 8 ++++++++ apparmor.d/groups/systemd/zram-generator | 8 ++++++-- apparmor.d/groups/ubuntu/apport-gtk | 1 + apparmor.d/groups/utils/who | 2 +- apparmor.d/profiles-a-f/finalrd | 1 + apparmor.d/profiles-g-l/gsettings | 1 - apparmor.d/profiles-g-l/issue-generator | 3 ++- apparmor.d/profiles-m-r/mimetype | 2 +- apparmor.d/profiles-s-z/signal-desktop | 1 + 
apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/update-info-dir | 3 ++- apparmor.d/profiles-s-z/wsdd | 8 +++++++- apparmor.d/profiles-s-z/xournalpp | 2 +- 43 files changed, 121 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 0a9f9fcaf..a5769931c 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - deny /apparmor/.null rw, + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 4660755d6..6e80839fe 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, - # debconf apps + # Debconf apps @{bin}/adequate Px, @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms_* rPUx, + /etc/libpaper.d/texlive-base rPUx, + /usr/share/debconf/{,**} r, /etc/inputrc r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 7d2073768..8ae76e706 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts 
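Review bot: The second apparmor_parser hunk drops `deny /apparmor/.null rw,` in the same line change that adds the Mullvad rule, and the two are unrelated. A `deny` rule grants nothing; it only silences the rejection, so if the inherited `.null` descriptor the `# file_inherit` comment refers to still occurs, the log noise it was suppressing returns. The new rule's comment should state what the access is for rather than editorialize (it also reads "thing" for "think"); something like `/opt/Mullvad*/resources/apparmor_mullvad r, # policy file shipped by Mullvad VPN, presumably passed to apparmor_parser — confirm` would do. The apparmor_parser profile opens outside this hunk; only its closing brace is visible.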
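Review bot: The added `/etc/libpaper.d/texlive-base rPUx,` in the second debconf-frontend hunk falls back to unconfined execution when no profile matches that path, which is what the `U` in `PUx` means. The neighbouring dkms rules use the same form, so this is consistent with the file, but a hook script under /etc/libpaper.d could equally run as `ix` and stay under the debconf-frontend profile; since the profile is in complain mode, either choice only changes what is logged today. A short comment naming why the frontend executes this hook would help the next reader. The enclosing profile body continues outside the hunk.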
@@ -76,6 +76,7 @@ profile dpkg-scripts @{exec_path} { @{run}/** rw, @{efi}/grub/* rw, + /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 65ad4c0e5..3ea17a4e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -25,6 +25,11 @@ profile obexd @{exec_path} { member=Release peer=(name=:*, label="@{p_bluetoothd}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 3756c1d03..3acfc14fd 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -28,6 +28,7 @@ profile anacron @{exec_path} { @{tmp}/file@{rand6} rw, /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,7 +40,9 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index a7773a57f..7330d67c9 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -49,9 +49,11 @@ profile cups-browsed @{exec_path} { /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c540b9db8..e73408a0a 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak 
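Review bot: The new anacron rule `/tmp/anacron-@{rand6}@{c} rw,` and the two lines added to the run-parts subprofile hard-code `/tmp/`, while the lines directly above them in the same hunks use `@{tmp}/`. If `@{tmp}` is meant to also cover private or per-user tmp locations, the new rules miss them; `@{tmp}/anacron-@{rand6}{,@{c}} rw,` would match the sibling rules and fold both variants into one line. None of the rules carry `owner`, which is consistent with the existing `/tmp/anacron-@{rand6} rw,` line but worth a comment if the file is created by anacron and handed to the job by descriptor. Both hunks sit inside the anacron profile, whose body starts outside them.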
@@ -154,6 +154,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability setuid, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak), + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0ca01d01d..cdfef1bad 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -28,6 +28,11 @@ profile flatpak-system-helper @{exec_path} { ptrace read, + unix type=seqpacket peer=(label=dbus-system), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=unconfined), + #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper @{exec_path} mr, @@ -54,7 +59,8 @@ profile flatpak-system-helper @{exec_path} { @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7aff8bdd2..aefdc339d 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -47,8 +47,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, 
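Review bot: The second flatpak-system-helper hunk widens `@{PROC}/@{pid}/stat r,` to `@{PROC}/@{pids}/stat r,` and adds `@{PROC}/@{pids}/status r,`, so the helper may now read stat and status of every process rather than only its own. That is plausibly needed to identify D-Bus callers by PID, but the hunk gives no hint; a comment such as `# Inspect caller processes (PID passed over D-Bus) — confirm` above the two lines would record the reason. In the first hunk, `unix type=seqpacket peer=(label=unconfined),` is the broadest of the four peers added; if it only covers the case where the peer has no profile at all, saying so in a comment would help. The helper profile body starts outside both hunks.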
@@ -81,8 +81,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 89acacd34..21c99827b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} rPx -> child-open, + @{open_path} mrPx -> child-open, / r, @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index fcafbda5f..a0fb366ab 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -18,6 +18,8 @@ profile deja-dup-monitor @{exec_path} { include include include + include + include network netlink raw, @@ -39,15 +41,26 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, @{bin}/deja-dup Px, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 9a42bcdf1..c08d12a07 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session 
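Review bot: The second wireplumber hunk adds `@{PROC}/1/cgroup r,` and `@{PROC}/1/status r,`, giving a session audio policy daemon read access to process 1's cgroup and status. Reading PID 1 is typically an init-system or container detection probe, but the hunk does not say; a comment such as `# Init/container detection reads PID 1 — TODO confirm` would spare the next reviewer the same question. The replacement `owner @{PROC}/@{pid}/cgroup r,` keeps the process's own cgroup read under `owner`, which is the tighter form and reads well. The wireplumber profile body starts outside the hunk.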
@@ -14,11 +14,12 @@ profile gdm-session @{exec_path} { include include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..4e83bfb76 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -10,6 +10,7 @@ include profile gnome-calculator @{exec_path} { include include + include include # Needed to get currency exchange rates diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index fde43420a..111facf64 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -130,7 +130,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 1f29958d1..7bcf80431 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session 
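Review bot: The new line `signal send set=term peer=gnome-session,` in gdm-session writes the signal set without the parentheses every other rewritten line in the hunk uses (`set=(term)`). It should read `signal send set=(term) peer=gnome-session,` so the block is uniform, whether or not the parser accepts the bare form. The remaining lines only re-spell the existing rules without changing their effect. The gdm-session profile body continues outside the hunk.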
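Review bot: In the gnome-control-center hunk, `owner @{user_config_dirs}/mimeapps.list w,` narrows the previous `rw` on the real file to write-only while the `.@{rand6}` temporary keeps `rw`. That matches a write-temp-then-rename pattern, but it only works if read access to mimeapps.list comes from an include outside the hunk; confirm that, otherwise reading default-application settings is now denied. A trailing comment like `# written via temp file + rename` would explain why the two rules differ. The profile body starts outside the hunk.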
@@ -9,7 +9,10 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index b011935ae..f4c61c5c6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -28,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @@ -67,6 +67,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 6ddbd4b4c..37bb7b374 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index e4ac12011..8bcb629a9 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor 
@@ -22,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -75,6 +75,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index c399eadc7..5c8ab7c8a 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -12,6 +12,7 @@ profile gnome-text-editor @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35f43a93e..83fcbd7c6 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -17,6 +17,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 3bfffdb6a..7f03d9fc5 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -12,6 +12,7 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index ab2b2b089..3a5ee53df 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan 
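Review bot: The gsd-housekeeping hunk leaves the context line `signal (receive) set=(term, hup) peer=gdm*,` in the parenthesized form that this same commit rewrites to `signal receive ...` in gdm-session, gnome-session-binary and gnome-system-monitor. Since the file is already being touched, changing it to `signal receive set=(term, hup) peer=gdm*,` would keep the syntax uniform across the commit. The gsd-housekeeping profile body continues outside the hunk.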
@@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2e21750b9..7618dc3b6 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -43,7 +43,7 @@ profile gsd-xsettings @{exec_path} { dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=UserAdded + member={UserAdded,UserDeleted} peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 838dc940c..b0239f404 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -12,6 +12,7 @@ profile ptyxis @{exec_path} { include include include + include unix type=stream peer=(label=ptyxis-agent), diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 2307c709f..0965396ab 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -34,6 +34,7 @@ profile DiscoverNotifier @{exec_path} { @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 4937f6875..ef14d9ca9 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -112,6 +112,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/task/ r, 
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 40cf0bca2..633076ad6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sbin}/sshd.hmac r, + @{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/false ix, @{sbin}/nologin Px, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index db1854f1f..061b93ffd 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b78b7c04..ca6eae3ad 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -43,6 +43,9 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { /dev/cpu/@{int}/msr r, + deny capability net_admin, + deny capability perfmon, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 96b182e5f..73213160b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs 
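Review bot: The systemd-detect-virt hunk adds `deny capability net_admin,` and `deny capability perfmon,` without saying which probe triggers the requests. Explicit denies are usually there to quiet log noise rather than to block something the tool needs, but a reader cannot tell which from the hunk; a comment above the pair, e.g. `# Requested during hypervisor probing, not needed: silence the logs — TODO name the probe`, would make the intent reviewable later. Only the closing brace of the profile is visible; its body starts outside the hunk.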
@@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{bin}/mount rix, - /etc/blkid.conf r, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 640e48f3f..cb9592d47 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -128,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 473848ef3..193bfc9b6 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/kmod rCx, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, @@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner /dev/pts/@{int} rw, - profile kmod { + profile kmod flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 3d2cbd63d..d7480a212 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,6 +17,7 @@ profile apport-gtk @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d951bfe03..d9ca9e164 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who 
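Review bot: The systemd-udevd hunk grants `capability sys_module,` to the main udevd profile and runs kmod with `@{bin}/kmod ix,`, so module loading, and any `@{sh_path} rix,` shell, inherits udevd's full policy. The zram-generator hunks in the same commit take the tighter route: `@{bin}/kmod rCx -> kmod,` into a `profile kmod flags=(attach_disconnected)` subprofile that holds `capability sys_module` and the `@{sys}/module/compression r,` read. Doing the same here would keep sys_module out of the long-lived daemon and make the two profiles consistent. The udevd profile body starts outside the hunk; only its closing brace is visible.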
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index b22730a27..7ce69ab64 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/finalrd profile finalrd @{exec_path} { include + include capability dac_read_search, capability sys_admin, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 2e0eb2cf7..9b8eca8ee 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -16,7 +16,6 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 7783c8005..093cd7100 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -19,6 +19,7 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -30,7 +31,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} r, + @{run}/issue.d/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 1576050b5..32950dbc4 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index d91285558..001f8605a 100644 
--- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,6 +21,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 9c686b19d..453e0093a 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -14,6 +14,7 @@ profile udev-fido_id @{exec_path} { @{exec_path} mr, /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/platform/**/report_descriptor r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index fe06b32af..dc2a0d7aa 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -14,8 +14,9 @@ profile update-info-dir @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/install-info Px, + @{bin}/cp ix, @{bin}/find ix, + @{bin}/install-info Px, @{bin}/rm ix, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index fc6955793..b72cff3c4 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -9,9 +9,14 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include include + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -28,7 +33,8 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 6442fe8b9..0d6c4d65f 100644 --- a/apparmor.d/profiles-s-z/xournalpp 
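Review bot: In the second wsdd hunk, `owner @{run}/user/@{uid}/*/wsdd w,` uses a single-component wildcard where the removed rule named `gvfsd` explicitly, so any first-level directory under the user's runtime dir now qualifies. If only one or two parent directories are actually observed, listing them in braces keeps the rule as precise as before. The `capability sys_chroot,` addition in the first hunk is well commented; the same one-line treatment for the wildcard would help. The wsdd profile opens in the first hunk and its body runs between the two.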
+++ b/apparmor.d/profiles-s-z/xournalpp @@ -37,7 +37,7 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + /dev/snd/pcmC@{int}D@{int}[cp] w, include if exists }