diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index e5e75be79..dcf31faa6 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -17,34 +17,26 @@ profile ssh-agent @{exec_path} {
 @{exec_path} mr,
- owner /tmp/ssh-*/ rw,
- owner /tmp/ssh-*/agent.* rw,
-
- # When SSH agent is not used with GPG
+ /{usr/,}bin/enlightenment_start rPUx,
+ /{usr/,}bin/gpg-agent rPx,
+ /{usr/,}bin/kwalletaskpass rPUx,
 /{usr/,}bin/openbox-session rPx,
 /{usr/,}bin/startkde rPUx,
 /{usr/,}bin/sway rPUx,
- /{usr/,}bin/enlightenment_start rPUx,
- # SSH keys
 owner @{HOME}/@{XDG_SSH_DIR}/ rw,
 owner @{HOME}/@{XDG_SSH_DIR}/* r,
+ owner @{HOME}/.xsession-errors w,
 owner @{user_projects_dirs}/**/ssh/{,*} r,
- # When started via systemd
+ owner /tmp/ssh-*/ rw,
+ owner /tmp/ssh-*/agent.* rw,
+
 @{run}/user/@{uid}/openssh_agent rw,
-
- # askpass apps
- #/{usr/,}lib/ssh/x11-ssh-askpass rPUx,
- #/{usr/,}bin/ksshaskpass rPUx,
- /{usr/,}bin/kwalletaskpass rPUx,
-
- # file_inherit
- owner /dev/tty[0-9]* rw,
- owner @{HOME}/.xsession-errors w,
-
 @{run}/user/@{uid}/keyring/.ssh rw,
 @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,
+ owner /dev/tty[0-9]* rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 84e28831c..6ad0953a1 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
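Review bot: `/{usr/,}bin/gpg-agent rPx,` is a genuinely new exec transition on the new side — every other added path in this hunk has a matching removed line and is merely moved, but gpg-agent has none — so the hunk widens what ssh-agent may execute while presenting itself as a reorder. At the same time it drops the grouping comments (`# askpass apps`, `# file_inherit`, `# When started via systemd`) that recorded why `kwalletaskpass`, `/dev/tty[0-9]*`, `.xsession-errors` and the `@{run}/user/@{uid}/openssh_agent` socket are permitted, so a later reader can no longer tell which rules are inherited file descriptors and which are deliberate access. A short comment above the gpg-agent line stating the use case it serves, e.g. `# ssh-agent may hand off to gpg-agent (use case to be confirmed)`, and keeping `# file_inherit` above the tty rule would preserve that rationale. Whether the gpg-agent transition was intended as part of this reordering commit is not visible from the diff alone.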
@@ -84,28 +84,28 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
- owner @{run}/sshd{,.init}.pid wl,
+ @{run}/faillock/[a-zA-z0-9]* rwk,
 @{run}/motd.d/{,*} r,
 @{run}/motd.dynamic rw,
 @{run}/motd.dynamic.new rw,
 @{run}/resolvconf/resolv.conf r,
 @{run}/systemd/notify w,
 @{run}/systemd/sessions/*.ref rw,
- @{run}/faillock/[a-zA-z0-9]* rwk,
+ owner @{run}/sshd{,.init}.pid wl,
 @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
 @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/ngroups_max r,
 owner @{PROC}/@{pid}/limits r,
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/oom_adj rw,
 owner @{PROC}/@{pid}/oom_score_adj rw,
 owner @{PROC}/@{pid}/uid_map r,
- @{PROC}/@{pids}/fd/ r,
- @{PROC}/1/environ r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/ngroups_max r,
 /dev/ptmx rw,
diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt
index bc2f70783..a93bee25d 100644
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@@ -21,12 +21,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
 @{run}/binfmt.d/{,*.conf} r,
 /usr/lib/binfmt.d/{,*.conf} r,
- owner @{PROC}/@{pid}/stat r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
- @{PROC}/sys/fs/binfmt_misc/status w,
 @{PROC}/sys/fs/binfmt_misc/register w,
+ @{PROC}/sys/fs/binfmt_misc/status w,
 @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pid}/stat r,
 deny /apparmor/.null rw,
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index 6a56b59ea..b203181f6 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
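Review bot: The moved `@{run}/faillock/[a-zA-z0-9]* rwk,` carries a character class that looks like a typo: `A-z` (lower-case z) spans the ASCII range that also includes `[`, `\`, `]`, `^`, `_` and `` ` ``, while the presumably intended `A-Z` would stop matching faillock entries for user names containing `_`, `.` or `-`, which the glob already fails to cover today. The sudo hunk in this same commit uses `@{run}/faillock/{,*} rwk,` for the very same directory, so the two profiles disagree on the pattern. Either adopting that form here, `@{run}/faillock/{,*} rwk,`, or writing the class out as `[a-zA-Z0-9._-]*` would make them consistent; whether any login for such a user is currently being denied is inferred from the pattern, not shown by the diff. The reorder itself, moving the line up and the sshd pid rule down, is fine.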
@@ -50,10 +50,10 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/resolved.conf r,
 /etc/systemd/resolved.conf.d/{,*} r,
- owner @{run}/systemd/journal/socket w,
 @{run}/systemd/netif/links/* r,
 @{run}/systemd/notify rw,
 @{run}/systemd/resolve/{,**} rw,
+ owner @{run}/systemd/journal/socket w,
 @{PROC}/sys/kernel/hostname r,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index 766c37503..b22c43eeb 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -30,7 +30,7 @@ profile apport-gtk @{exec_path} {
 @{exec_path} mr,
- @{libexec}/colord-sane rPx,
+ @{libexec}/{,colord/}colord-sane rPx,
 /{usr/,}{s,}bin/killall5 rix,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{f,}grep rix,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 6e714adab..ca932f48b 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -78,6 +78,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 signal (send) peer=dnsmasq,
 signal (send) set=(kill, term) peer=virtiofsd,
 signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,
+ signal (send) set=(term) peer=swtpm,
 unix (send, receive) type=stream addr=none peer=(label=libvirt-@{uuid}),
 unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index c7282d1ab..28ae2ebd1 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -210,6 +210,7 @@ profile steam @{exec_path} {
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 owner @{PROC}/@{pid}/task/@{tid}/status r,
+ /dev/hidraw[0-9]* rw,
 /dev/input/ r,
 /dev/input/event[0-9]* r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 6e91ddd81..8b839a40c 100644
--- a/apparmor.d/profiles-s-z/steam-game
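Review bot: The new `signal (send) set=(term) peer=swtpm,` — and its mirror `signal (receive) set=(term) peer=libvirtd,` in the swtpm hunk at the end of this diff — covers SIGTERM only, whereas the virtiofsd rule two lines above grants `set=(kill, term)` for a helper process in the same role. If libvirtd escalates to SIGKILL when swtpm does not exit on SIGTERM, as the virtiofsd rule suggests it does for its helpers, that second signal would be denied on both sides and a stale swtpm could outlive its domain; that escalation is inferred from the neighbouring rule, not shown here. If it does apply, `signal (send) set=(kill, term) peer=swtpm,` here together with `signal (receive) set=(kill, term) peer=libvirtd,` in swtpm would follow the existing pattern; otherwise a comment noting that swtpm is only ever terminated gracefully would stop the asymmetry from looking like an oversight.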
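Review bot: `/dev/hidraw[0-9]* rw,` in the steam hunk grants raw HID read/write on every hidraw node, and since hidraw node names carry no device identity there is no way to restrict this to controllers within the profile — keyboards and other HID devices get the same access. That is likely unavoidable for controller support, but the rule should say so, e.g. `# Raw HID access for controllers; hidraw nodes are not device-specific, so this covers all HID devices`, so the breadth reads as a deliberate decision rather than an omission. The enclosing steam profile continues outside the hunk.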
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -94,10 +94,12 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 @{user_share_dirs}/Steam/bin/ r,
 @{user_share_dirs}/Steam/bin/* mr,
+ @{user_share_dirs}/Steam/d3ddriverquery64.dxvk-cache rw,
 @{user_share_dirs}/Steam/legacycompat/ r,
 @{user_share_dirs}/Steam/legacycompat/** mr,
 @{user_share_dirs}/Steam/linux{32,64}/ r,
 @{user_share_dirs}/Steam/linux{32,64}/**.so* mr,
+ @{user_share_dirs}/Steam/standalone_installscript_progress_[0-9]*.vdf rw,
 @{user_share_dirs}/Steam/steamapps/common/*/* mr,
 @{user_share_dirs}/Steam/steamapps/common/Proton*/ r,
 @{user_share_dirs}/Steam/steamapps/common/Proton*/files/bin/* mrix,
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index e5e0dccf4..07661d611 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -36,7 +36,7 @@ profile steam-gameoverlayui @{exec_path} {
 owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw,
 owner @{user_share_dirs}/Steam/public/* rk,
 owner @{user_share_dirs}/Steam/resource/{,**} rk,
- owner @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fontconfig/{,**} rw,
+ owner @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fontconfig/{,**} rwl,
 owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index a03431bcd..387aca977 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -64,18 +64,19 @@ profile sudo @{exec_path} {
 /var/db/sudo/lectured/ r,
 /var/lib/sudo/lectured/ r,
+ /var/lib/sudo/ts/ rw,
+ /var/lib/sudo/ts/* rwk,
 /var/log/sudo.log wk,
 owner /var/lib/sudo/lectured/* rw,
 owner @{HOME}/.sudo_as_admin_successful rw,
 owner @{HOME}/.xsession-errors w,
- # For timestampdir
+ @{run}/faillock/{,*} rwk,
+ @{run}/resolvconf/resolv.conf r,
 owner @{run}/sudo/ rw,
 owner @{run}/sudo/ts/ rw,
 owner @{run}/sudo/ts/* rwk,
- @{run}/faillock/{,*} rwk,
- @{run}/resolvconf/resolv.conf r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/fd/ r,
@@ -83,9 +84,9 @@ profile sudo @{exec_path} {
 @{PROC}/1/limits r,
 @{PROC}/sys/kernel/seccomp/actions_avail r,
- owner /dev/tty[0-9]* rw,
 /dev/ r, # interactive login
 /dev/ptmx rw,
+ owner /dev/tty[0-9]* rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm
index 806b4e142..37fe95662 100644
--- a/apparmor.d/profiles-s-z/swtpm
+++ b/apparmor.d/profiles-s-z/swtpm
@@ -11,6 +11,8 @@ profile swtpm @{exec_path} {
 include
 include
+ signal (receive) set=(term) peer=libvirtd,
+
 @{exec_path} mr,
 /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,
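Review bot: The new `/var/lib/sudo/ts/ rw,` and `/var/lib/sudo/ts/* rwk,` lines omit the `owner` qualifier, while the equivalent timestamp rules a few lines below (`owner @{run}/sudo/ts/ rw,`, `owner @{run}/sudo/ts/* rwk,`) keep it, and the sibling `owner /var/lib/sudo/lectured/* rw,` in the same hunk is also owner-restricted. Both directories hold the same kind of per-user timestamp records, so the weaker rule looks like an inconsistency rather than a choice; `owner /var/lib/sudo/ts/ rw,` and `owner /var/lib/sudo/ts/* rwk,` would align them, unless the persistent directory is known to be owned differently, which the diff does not show. The hunk also deletes the `# For timestampdir` comment that labelled this group; keeping it above the first `ts/` rule would preserve the grouping the reorder otherwise flattens.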