feat(profile): general profile update.

2025-08-31 23:00:13 +02:00 · 2025-08-31 23:00:13 +02:00 · a1ba00bec3
commit a1ba00bec3
parent 7cfff26ee2
43 changed files with 121 additions and 30 deletions
--- a/apparmor.d/groups/apparmor/apparmor_parser
+++ b/apparmor.d/groups/apparmor/apparmor_parser
@ -6,7 +6,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
+@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}

@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
 profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/mounts r,

  deny network netlink raw, # file_inherit
-  deny /apparmor/.null rw,
+  /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?

  include if exists <local/apparmor_parser>
 }
--- a/apparmor.d/groups/apt/debconf-frontend
+++ b/apparmor.d/groups/apt/debconf-frontend
@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
  @{bin}/stty                       ix,
  @{sbin}/update-secureboot-policy  Px,

-  # debconf apps
+  # Debconf apps
  @{bin}/adequate                     Px,
  @{bin}/debconf-apt-progress         Px,
  @{bin}/linux-check-removal          Px,
@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) {
  @{lib}/dkms/dkms-*                 rPUx,
  @{lib}/dkms/dkms_*                 rPUx,

+  /etc/libpaper.d/texlive-base rPUx,
+
  /usr/share/debconf/{,**} r,

  /etc/inputrc r,
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@ -76,6 +76,7 @@ profile dpkg-scripts @{exec_path} {
  @{run}/** rw,
  @{efi}/grub/* rw,

+  /tmp/fmtutil.@{rand8} rw,
  /tmp/grub.@{rand10} rw,
  /tmp/sed@{rand6} rw,
  /tmp/tmp.@{rand10} rw,
--- a/apparmor.d/groups/bluetooth/obexd
+++ b/apparmor.d/groups/bluetooth/obexd
@ -25,6 +25,11 @@ profile obexd @{exec_path} {
       member=Release
       peer=(name=:*, label="@{p_bluetoothd}"),

+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
  @{exec_path} mr,

  owner @{user_cache_dirs}/ rw,
--- a/apparmor.d/groups/cron/anacron
+++ b/apparmor.d/groups/cron/anacron
@ -28,6 +28,7 @@ profile anacron @{exec_path} {

  @{tmp}/file@{rand6} rw,
  /tmp/anacron-@{rand6} rw,
+  /tmp/anacron-@{rand6}@{c} rw,

  profile run-parts {
    include <abstractions/base>
@ -39,7 +40,9 @@ profile anacron @{exec_path} {

    owner @{tmp}/#@{int} rw,
    owner @{tmp}/file@{rand6} rw,
+
    /tmp/anacron-@{rand6} rw,
+    /tmp/anacron-@{rand6}@{c} rw,

    include if exists <local/anacron_run-parts>
  }
--- a/apparmor.d/groups/cups/cups-browsed
+++ b/apparmor.d/groups/cups/cups-browsed
@ -49,9 +49,11 @@ profile cups-browsed @{exec_path} {

  /etc/cups/{,**} r,

-  /var/cache/cups/{,**} rw,
  /var/log/cups/{,**} rw,

+        /var/cache/cups/{,**} rw,
+  owner /var/cache/cups-browsed/{,**} rw,
+
  owner @{tmp}/@{hex} rw,

  @{run}/cups/certs/* r,
--- a/apparmor.d/groups/flatpak/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@ -154,6 +154,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain

    capability setuid,

+    unix type=seqpacket peer=(label=flatpak-system-helper),
+    unix type=stream    peer=(label=flatpak),
+
    mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
    umount /var/tmp/flatpak-cache-*/*/,

--- a/apparmor.d/groups/flatpak/flatpak-system-helper
+++ b/apparmor.d/groups/flatpak/flatpak-system-helper
@ -28,6 +28,11 @@ profile flatpak-system-helper @{exec_path} {

  ptrace read,

+  unix type=seqpacket peer=(label=dbus-system),
+  unix type=seqpacket peer=(label=flatpak),
+  unix type=seqpacket peer=(label=flatpak//fusermount),
+  unix type=seqpacket peer=(label=unconfined),
+
  #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper

  @{exec_path} mr,
@ -54,7 +59,8 @@ profile flatpak-system-helper @{exec_path} {
  @{tmp}/remote-summary-sig.@{rand6} r,
  @{tmp}/remote-summary.@{rand6} r,

-        @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/status r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,

--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@ -47,8 +47,8 @@ profile wireplumber @{exec_path} {
  /usr/share/wireplumber/{,**} r,

  owner @{desktop_local_dirs}/ w,
-  owner @{desktop_local_dirs}/state/ w,
-  owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
+  owner @{desktop_state_dirs}/ w,
+  owner @{desktop_state_dirs}/wireplumber/{,**} rw,

  owner @{HOME}/.local/ w,
  owner @{user_state_dirs}/ w,
@ -81,8 +81,10 @@ profile wireplumber @{exec_path} {
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,

-        @{PROC}/@{pid}/cgroup r,
+        @{PROC}/1/cgroup r,
+        @{PROC}/1/status r,
        @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/media@{int} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {

  @{bin}/kreadconfig{,5}                  rPx,
  @{lib}/xdg-desktop-portal-validate-icon rPx,
-  @{open_path}                            rPx -> child-open,
+  @{open_path}                           mrPx -> child-open,

        / r,
  @{att}/.flatpak-info r,
--- a/apparmor.d/groups/gnome/deja-dup-monitor
+++ b/apparmor.d/groups/gnome/deja-dup-monitor
@ -18,6 +18,8 @@ profile deja-dup-monitor @{exec_path} {
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/gschemas>
+  include <abstractions/nameservice-strict>
+  include <abstractions/notifications>

  network netlink raw,

@ -39,15 +41,26 @@ profile deja-dup-monitor @{exec_path} {
       member=GetAll
       peer=(name=@{busname}, label=power-profiles-daemon),

+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
  @{exec_path} mr,

  @{bin}/chrt       rix,
  @{bin}/ionice     rix,
  @{bin}/deja-dup    Px,

+  /usr/share/gvfs/remote-volume-monitors/{,**} r,
+
  /var/tmp/ r,
  /tmp/ r,

+  @{run}/mount/utab r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
  include if exists <local/deja-dup-monitor>
 }

--- a/apparmor.d/groups/gnome/gdm-session
+++ b/apparmor.d/groups/gnome/gdm-session
@ -14,11 +14,12 @@ profile gdm-session @{exec_path} {
  include <abstractions/bus/org.gnome.DisplayManager>
  include <abstractions/bus/session/org.freedesktop.systemd1>

-  signal (receive) set=(hup term) peer=gdm-session-worker,
-  signal (receive) set=(term) peer=gdm,
-  signal (send)    set=(term) peer=dbus-session,
-  signal (send)    set=(term) peer=gnome-session-binary,
-  signal (send)    set=(term) peer=xorg,
+  signal receive set=(hup term) peer=gdm-session-worker,
+  signal receive set=(term) peer=gdm,
+  signal send    set=(term) peer=dbus-session,
+  signal send    set=(term) peer=gnome-session-binary,
+  signal send    set=(term) peer=xorg,
+  signal send    set=term   peer=gnome-session,

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/gnome/gnome-calculator
+++ b/apparmor.d/groups/gnome/gnome-calculator
@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-calculator @{exec_path} {
  include <abstractions/base>
  include <abstractions/common/gnome>
+  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  # Needed to get currency exchange rates
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -130,7 +130,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/gnome-control-center/{,**} rw,
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
-  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
+  owner @{user_config_dirs}/mimeapps.list w,
+  owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
  owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,

  owner @{user_games_dirs}/**.png r,
--- a/apparmor.d/groups/gnome/gnome-session
+++ b/apparmor.d/groups/gnome/gnome-session
@ -9,7 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-session
 profile gnome-session @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-session>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -28,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network netlink raw,

-  signal (receive) set=(term, hup) peer=gdm*,
-  signal (send) set=(term) peer=gsd-*,
+  signal receive set=(term, hup) peer=gdm*,
+  signal send set=(term) peer=gsd-*,

  #aa:dbus own bus=session name=org.gnome.SessionManager
  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
@ -67,6 +67,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  @{etc_ro}/xdg/autostart/{,*.desktop} r,

  owner @{gdm_cache_dirs}/gdm/Xauthority r,
+  owner @{gdm_config_dirs}/ rw,
  owner @{gdm_config_dirs}/dconf/user rw,
  owner @{gdm_config_dirs}/gnome-session/ rw,
  owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>

  #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -22,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network netlink raw,

-  ptrace (read),
+  ptrace read,

-  signal (send) set=(kill term cont stop),
+  signal send set=(kill term cont stop),

  #aa:dbus own bus=session name=org.gnome.SystemMonitor

@ -75,6 +75,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pids}/smaps r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/statm r,
+  @{PROC}/@{pids}/status r,
  @{PROC}/@{pids}/wchan r,
  @{PROC}/diskstats r,
  @{PROC}/vmstat r,
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@ -12,6 +12,7 @@ profile gnome-text-editor @{exec_path} {
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/common/gnome>
  include <abstractions/enchant>
+  include <abstractions/nameservice-strict>
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>

--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -17,6 +17,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
+  include <abstractions/notifications>
  include <abstractions/thumbnails-cache-write>

  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-usb-protection
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@ -12,6 +12,7 @@ profile gsd-usb-protection @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/gschemas>
+  include <abstractions/screensaver>

  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection

--- a/apparmor.d/groups/gnome/gsd-wwan
+++ b/apparmor.d/groups/gnome/gsd-wwan
@ -10,10 +10,17 @@ include <tunables/global>
 profile gsd-wwan @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/dconf-write>
+  include <abstractions/gschemas>

  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan

+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
  @{exec_path} mr,

  include if exists <local/gsd-wwan>
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -43,7 +43,7 @@ profile gsd-xsettings @{exec_path} {

  dbus receive bus=system path=/org/freedesktop/Accounts
       interface=org.freedesktop.Accounts
-       member=UserAdded
+       member={UserAdded,UserDeleted}
       peer=(name=@{busname}, label="@{p_accounts_daemon}"),

  dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
--- a/apparmor.d/groups/gnome/ptyxis
+++ b/apparmor.d/groups/gnome/ptyxis
@ -12,6 +12,7 @@ profile ptyxis @{exec_path} {
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/common/gnome>
  include <abstractions/consoles>
+  include <abstractions/notifications>

  unix type=stream peer=(label=ptyxis-agent),

--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@ -34,6 +34,7 @@ profile DiscoverNotifier @{exec_path} {
  @{exec_path} mr,

  @{bin}/apt-config          rPx,
+  @{bin}/plasma-discover     rPx,

  @{bin}/gpg{,2}             rCx -> gpg,
  @{bin}/gpgconf             rCx -> gpg,
--- a/apparmor.d/groups/procps/htop
+++ b/apparmor.d/groups/procps/htop
@ -112,6 +112,7 @@ profile htop @{exec_path} {
  @{PROC}/@{pids}/oom_score r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/statm r,
+  @{PROC}/@{pids}/status r,
  @{PROC}/@{pids}/wchan r,

  @{PROC}/@{pids}/task/ r,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mrix,

+  @{sbin}/sshd.hmac r,
+
  @{bin}/@{shells}                   Ux, #aa:exclude RBAC
  @{bin}/false                       ix,
  @{sbin}/nologin                    Px,
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
  @{att}/@{run}/systemd/coredump rw,
  @{run}/systemd/coredump rw,

+        @{PROC}/@{pids}/auxv r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/comm r,
@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
        @{PROC}/@{pids}/fd/ r,
        @{PROC}/@{pids}/fdinfo/@{int} r,
        @{PROC}/@{pids}/limits r,
+        @{PROC}/@{pids}/maps r,
        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/@{pids}/ns/ r,
        @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/status r,
  owner @{PROC}/@{pid}/setgroups r,

  include if exists <local/systemd-coredump>
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@ -43,6 +43,9 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {

  /dev/cpu/@{int}/msr r,

+  deny capability net_admin,
+  deny capability perfmon,
+
  include if exists <local/systemd-detect-virt>
 }

--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) {

  @{bin}/mount rix,

-  /etc/blkid.conf r,
+  @{etc_ro}/blkid.conf r,
+  @{etc_ro}/blkid.conf.d/{,**} r,
  /etc/fstab r,

  @{run}/host/container-manager r,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -128,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/app/kmod>

+    capability sys_module,
+
+    @{sh_path} rix,
+    @{bin}/kmod ix,
+
+    @{sys}/module/*/initstate r,
+    @{sys}/module/compression r,
+
    include if exists <local/systemd-udevd_kmod>
  }

--- a/apparmor.d/groups/systemd/zram-generator
+++ b/apparmor.d/groups/systemd/zram-generator
@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/kmod                    rCx,
+  @{bin}/kmod                    rCx -> kmod,
  @{bin}/systemd-detect-virt     rPx,
  @{lib}/systemd/systemd-makefs  rPx,

@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) {

  owner /dev/pts/@{int} rw,

-  profile kmod {
+  profile kmod flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/app/kmod>

+    capability sys_module,
+
+    @{sys}/module/compression r,
+
    include if exists <local/zram-generator_kmod>
  }

--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -17,6 +17,7 @@ profile apport-gtk @{exec_path} {
  include <abstractions/common/apt>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
+  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/utils/who
+++ b/apparmor.d/groups/utils/who
@ -7,7 +7,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/who
+@{exec_path} = @{bin}/{,gnu}who
 profile who @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>