diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 942e0a55b..8c4efc350 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -50,6 +50,9 @@ @{bin}/vlc rPUx, @{bin}/xbrlapi rPx, + #aa:only opensuse + @{lib}/YaST2/** rPUx, + include if exists diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index bf86f419c..9de4359e1 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -100,6 +100,12 @@ owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon-@{int} r, + owner /dev/shm/org.chromium.@{rand6} rw, + owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, + owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, + @{run}/mount/utab r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @@ -144,9 +150,6 @@ /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, - owner /dev/shm/org.chromium.* rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, owner /dev/tty@{int} rw, # File Inherit # Silencer diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 3e669f4dc..ed4f067a5 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -13,8 +13,6 @@ @{system_share_dirs}/ r, @{system_share_dirs}/mime/ r, - /usr/share/mime/ r, - /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 8d62a6fbf..5223486d0 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter 
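Review bot: The added `@{lib}/YaST2/** rPUx,` grants execute with an unconfined fallback to every file under the YaST2 tree, data files and helper scripts included, from an abstraction that many desktop profiles include. The neighbouring entries in this abstraction (`@{bin}/vlc rPUx,`, `@{bin}/xbrlapi rPx,`) each name a single launcher rather than a recursive glob. If only the YaST launcher needs to be started from here, narrowing the pattern to that path, or using `rPx` once a yast profile exists, keeps the `U` fallback off a whole directory tree. The `#aa:only opensuse` tag limits this to openSUSE builds, but the rule still deserves a short comment naming the program that triggers it.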
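Review bot: The new `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,` in the `@@ -100` hunk of abstractions/app/firefox carries no comment, and a password-manager socket is not an obvious dependency of a browser abstraction. A one-line `# KeePassXC-Browser native messaging socket` above it, in the style of the `# for mouse, keyboard, touchpad` annotation on the next rule, would stop a later cleanup from dropping it. Write-only should be the right mode for connecting to a pathname Unix socket, so the permission itself looks correct; the tightening of `/dev/shm/org.chromium.*` to `org.chromium.@{rand6}` in the same hunk is consistent with the other shm rules.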
@@ -54,6 +54,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cmdline r, + /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 423df6a26..e5e382795 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -40,6 +40,7 @@ profile dbus-session flags=(attach_disconnected) { @{bin}/** PUx, @{lib}/** PUx, + @{user_share_dirs}/*/** PUx, /usr/share/*/** PUx, /etc/dbus-1/{,**} r, @@ -53,6 +54,8 @@ profile dbus-session flags=(attach_disconnected) { owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{user_share_dirs}/dbus-1/services/{,**} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 16e87a50d..815375f20 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -42,6 +42,7 @@ profile plymouthd @{exec_path} { /etc/vconsole.conf r, /var/lib/plymouth/{,**} rw, + /var/log/plymouth-*.log w, @{run}/plymouth/{,**} rw, diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut new file mode 100644 index 000000000..5e4e02b6f --- /dev/null +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default +profile gdm-defaut @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index d889a708a..da99a23db 100644 
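Review bot: `@{user_share_dirs}/*/** PUx,` in the first dbus-session hunk lets the session bus launch any file under the user's data directory with an unconfined fallback, and that tree is writable by every process running as the user. Together with the read rule `owner @{user_share_dirs}/dbus-1/services/{,**} r,` added in the second hunk, a service file plus a binary placed anywhere under `~/.local/share/` is enough for bus activation to run it outside any profile, which weakens confinement of whatever wrote them. If this targets one layout (user-installed Flatpak exports, for instance), limit the glob to that subtree; either way add a comment naming the activation use case, as the existing `/usr/share/*/** PUx,` line also lacks one.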
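Review bot: The new file declares `profile gdm-defaut`, which reads as a misspelling of `gdm-default` and also does not match the file name `gdm-prime-defaut`; profile name and file name agree elsewhere in this tree, and `dists/flags/main.flags` keys its entries by profile name, so the typo would follow into any flag entry. The body grants only `@{exec_path} mr` for `/etc/gdm{3,}/{Init,Prime}/Default`; if, as is typical for that path, it is a shell script, nothing it runs is permitted once the inline `flags=(complain)` is removed, so at least `@{sh_path} rix,` will be needed before enforcing. The other new profile in this commit, nvidia-smi, carries its flags in `main.flags` rather than inline, so one of the two conventions should be picked. Renaming to `profile gdm-default` is safe for the `rPx` transition added in gdm-session, which resolves by attachment path rather than by profile name.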
--- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -34,21 +34,14 @@ profile gdm-session @{exec_path} { # only: xorg @{bin}/Xorg rPx, - /etc/gdm{3,}/Prime/Default rix, + /etc/gdm{3,}/Prime/Default rPx, /etc/gdm{3,}/Xsession rPx, /usr/share/gdm{3,}/gdm.schemas r, - /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, - /etc/locale.conf r, - /etc/sysconfig/console r, /etc/sysconfig/displaymanager r, - /etc/sysconfig/language r, - /etc/sysconfig/mail r, - /etc/sysconfig/proxy r, - /etc/sysconfig/windowmanager r, owner @{gdm_cache_dirs}/gdm/ rw, owner @{gdm_cache_dirs}/gdm/Xauthority rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c1802c0a5..7643844c5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -37,9 +37,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - dbus bus=session, - dbus bus=system, - #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell @@ -68,7 +65,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, @{bin}/usermod rPx, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rPx, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, @{lib}/gnome-control-center-print-renderer rPx, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index d8c5a9cfe..1cef7f074 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding 
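Review bot: Changing `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess` from `rPx` to `rix` in the `@@ -68` hunk of gnome-control-center runs WebKit's network-facing process inside the gnome-control-center profile, inheriting everything it has, including the `@{bin}/pkexec rCx -> pkexec,` and `@{bin}/usermod rPx,` rules visible in the same hunk. A process that talks to remote servers is the one most worth keeping in its own profile, so if the `Px` transition was failing, the fix more likely belongs in the WebKitNetworkProcess profile's attachment path than here. If inheritance is deliberate, the line should carry a comment saying why, e.g. `# webkitgtk network process: no separate profile attaches to this path`.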
@@ -6,7 +6,10 @@ abi , include -@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}ding.js +@{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com +@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com + +@{exec_path} = @{share_dirs}/{,app/}ding.js profile gnome-extension-ding @{exec_path} { include include @@ -57,7 +60,7 @@ profile gnome-extension-ding @{exec_path} { @{bin}/gnome-control-center rPx, @{bin}/nautilus rPx, - /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}* r, + @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 5808aecad..3083c73f9 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -6,8 +6,8 @@ abi , include -@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/ -@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/ +@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io +@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io @{exec_path} = @{share_dirs}/service/daemon.js profile gnome-extension-gsconnect @{exec_path} { @@ -17,9 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include - include - include + include include include include @@ -32,10 +30,10 @@ profile gnome-extension-gsconnect @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/env rix, @{bin}/gjs-console rix, @{bin}/openssl rix, - @{sh_path} rix, @{bin}/ssh-add rix, @{bin}/ssh-keygen rPx, 
@@ -49,18 +47,12 @@ profile gnome-extension-gsconnect @{exec_path} { @{share_dirs}/{,**} r, @{share_dirs}/gsconnect-preferences rix, - /etc/machine-id r, - owner @{user_cache_dirs}/gsconnect/{,**} rw, - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/gsconnect/{,**} rw, owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{user_share_dirs}/ r, - owner @{run}/user/@{uid}/gsconnect/ w, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 722a69fe7..5d945b641 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -38,6 +38,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { @{bin}/ssh-add rix, @{bin}/ssh-agent rPx, + @{lib}/gcr-ssh-askpass rPUx, /etc/gcrypt/hwf.deny r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index c53f26eb2..962897ea8 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -51,10 +51,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/dbus-daemon rPx -> dbus-session, - @{bin}/env rix, - @{bin}/gnome-session rPx, - @{bin}/gnome-shell rPx, + @{bin}/tput rix, @{bin}/session-migration rPx, @{lib}/gnome-session-check-accelerated rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 4e36f1020..0e68c90a9 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
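Review bot: `@{lib}/gcr-ssh-askpass rPUx,` in gnome-keyring-daemon falls back to unconfined when no gcr-ssh-askpass profile is present, and none is added in this commit. The helper prompts for SSH key passphrases, so it is a natural candidate for a small profile of its own with `rPx` here; until that exists, a comment such as `# TODO: confine gcr-ssh-askpass, currently unconfined fallback` records the gap.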
@@ -188,7 +188,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, - /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, + @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, + /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, /opt/*/**/*.png r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index ddb95f1b9..b1a0bd8ac 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -78,6 +78,7 @@ profile gnome-software @{exec_path} { owner @{user_cache_dirs}/flatpak/{,**} rwl, owner @{user_cache_dirs}/gnome-software/{,**} rw, + owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, owner @{user_share_dirs}/ r, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index a04234cce..84f37da76 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -12,6 +12,7 @@ profile gnome-tweaks @{exec_path} { include include include + include include include @@ -38,6 +39,9 @@ profile gnome-tweaks @{exec_path} { owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, owner @{user_share_dirs}/recently-used.xbel* rw, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + owner @{PROC}/@{pid}/fd/ r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 9d23622d2..b549f1477 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -65,6 +65,8 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, + owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, 
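Review bot: `@{user_share_dirs}/gnome-shell/extensions/*/** rPUx,` in this hunk gives gnome-shell execute with an unconfined fallback over a recursive glob on a user-writable tree, replacing a rule that named a single file. Any executable an extension ships, or that a process running as the user drops under `~/.local/share/gnome-shell/extensions/`, now runs without a profile unless one attaches to it; the ding and gsconnect profiles in this commit attach to their own paths, but nothing covers other extensions. Consider listing the known extension entry points with `rPx` and keeping the wildcard, if it must stay, on the `/usr/share/gnome-shell/extensions/*/**` line only, with a comment stating the trade-off.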
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index d44ffcf3d..cd9c825f6 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -32,6 +32,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, + @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, @{bin}/grub-probe rPx, @{bin}/grub-script-check rPx, @@ -60,6 +61,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/zpool rPx, /etc/grub.d/{,**} rix, + @{lib}/grub-customizer/* rix, @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, @@ -81,7 +83,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /boot/{,**} r, /boot/grub/{,**} rw, - # owner /tmp/** rw, + /tmp/grub-*.@{rand10}/{,**} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index f0bbf8e41..d0ef6b78b 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -13,6 +13,7 @@ profile grub-probe @{exec_path} { include include + capability dac_read_search, capability sys_admin, @{exec_path} mr, @@ -36,6 +37,7 @@ profile grub-probe @{exec_path} { /dev/bus/ r, /dev/bus/usb/ r, /dev/bus/usb/@{int}/ r, + /dev/char/ r, /dev/cpu/ r, /dev/cpu/@{int}/ r, /dev/dma_heap/ r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index d9af7f884..77edc07dc 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -16,6 +16,9 @@ profile hyprpicker @{exec_path} { /usr/share/icons/** r, owner @{run}/user/@{uid}/.hyprpicker* rw, + owner /dev/shm/wlroots-@{rand6} r, + + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index d4c948f86..1dac2be00 100644 --- a/apparmor.d/groups/ssh/ssh 
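Review bot: `/tmp/grub-*.@{rand10}/{,**} rw,` in the `@@ -81` hunk of grub-mkconfig replaces the commented-out `# owner /tmp/** rw,` but drops the `owner` qualifier, so grub-mkconfig, normally run as root, may read and write a matching directory that any local user pre-created in the sticky `/tmp`. If the directory is grub-mkconfig's own temporary output, `owner /tmp/grub-*.@{rand10}/{,**} rw,` grants the same access to its own files and nothing to a pre-planted tree; the project's other temporary-directory rules, for instance `owner @{tmp}/os-prober.*/{,**} rw,` in os-prober, follow that form. The new `@{lib}/grub-customizer/* rix,` in the `@@ -60` hunk also runs a third-party package's scripts inline under this profile, and a comment naming which hook needs it would help.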
+++ b/apparmor.d/groups/ssh/ssh @@ -27,12 +27,11 @@ profile ssh @{exec_path} { @{bin}/{c,k,tc,z}sh rix, @{etc_ro}/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - /etc/ssh/ssh_config r, - /etc/ssh/ssh_config.d/{,*} r, - + owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, owner @{HOME}/@{XDG_SSH_DIR}/config r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index d5c7b963e..9a0a2c7d7 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -79,7 +79,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+hid:* r, @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+wakeup:* r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index ec711895d..3db817006 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -30,7 +30,7 @@ profile agetty @{exec_path} { /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, /etc/login.defs r, - /etc/login.defs.d/ r, + /etc/login.defs.d/{,*} r, /etc/os-release r, /usr/etc/login.defs r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 4e432e2f1..e82f0d372 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -25,6 +25,7 @@ profile file-roller @{exec_path} { # Archivers @{bin}/7z rix, + @{bin}/7zz rix, @{bin}/ar rix, @{bin}/bzip2 rix, @{bin}/cpio rix, 
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index 143719f0d..d32790f0b 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -7,38 +7,26 @@ abi , include @{exec_path} = @{bin}/firewalld -profile firewalld @{exec_path} { +profile firewalld @{exec_path} flags=(attach_disconnected) { include + include include include - include include + include include + capability dac_read_search, capability mknod, capability net_admin, capability net_raw, capability setpcap, + capability sys_module, network inet raw, network inet6 raw, network netlink raw, - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.direct - member=passthrough - peer=(name=:*, label=libvirtd), - - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,getZones} - peer=(name=:*, label=libvirtd), - - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,removeInterface} - peer=(name=:*, label=libvirtd), - #aa:dbus own bus=system name=org.fedoraproject.FirewallD1 @{exec_path} mr, @@ -49,11 +37,12 @@ profile firewalld @{exec_path} { @{bin}/ebtables-legacy-restore rix, @{bin}/false rix, @{bin}/ipset rix, - @{bin}/kmod rPx, + @{bin}/kmod rix, + @{bin}/modprobe rix, @{bin}/xtables-legacy-multi rix, @{bin}/xtables-nft-multi rix, - /usr/local/lib/python3.10/dist-packages/ r, + /usr/local/lib/python3.@{int}/dist-packages/ r, /usr/share/libalternatives/ r, /usr/share/libalternatives/ebtables*/{,*} r, @@ -68,8 +57,12 @@ profile firewalld @{exec_path} { /var/log/firewalld rw, @{run}/firewalld/{,*} rw, + @{run}/modprobe.d/{,*.conf} r, @{run}/xtables.lock rwk, + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, 
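Review bot: `capability sys_module,` in the first firewalld hunk, together with `@{bin}/kmod rix,` and `@{bin}/modprobe rix,` in the second, moves kernel-module loading into the firewalld profile itself, whereas the removed `@{bin}/kmod rPx,` kept that authority in the separate kmod profile. A network-facing daemon that can load modules is a much larger target than one that can only exec a confined helper, so if the `Px` transition broke (for example because modprobe resolves to kmod through a path the kmod profile does not attach to), fixing that attachment and using `@{bin}/{kmod,modprobe} rPx,` would let `sys_module` be dropped again. The `@{run}/modprobe.d/{,*.conf} r,`, `@{sys}/module/*/initstate r,` and `@{PROC}/sys/kernel/modprobe r,` reads in the third hunk are fine either way. If inline execution is deliberate, the capability line deserves a comment saying why.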
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index e621bd7f0..4788daeb6 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -106,10 +106,8 @@ profile ifup @{exec_path} { profile sysctl { include -# capability mac_admin, - capability net_admin, - capability sys_admin, -# capability sys_resource, + capability net_admin, + capability sys_admin, @{bin}/sysctl mr, diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi new file mode 100644 index 000000000..571ab3311 --- /dev/null +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/nvidia-smi +profile nvidia-smi @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, + + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 819c4c9bd..c9c9ea2df 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -10,6 +10,7 @@ include profile os-prober @{exec_path} flags=(attach_disconnected) { include include + include capability dac_read_search, capability sys_admin, 
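Review bot: `/dev/char/@{dynamic}:@{int} w,` and `/dev/nvidia-caps/ rw,` in the new nvidia-smi profile grant write access, and the trailing comment explains the major-number range but not why a monitoring tool needs to write rather than read. If the writes are for creating the `/dev/nvidia-caps/*` nodes on first use, say so in a comment; if they are only needed for the MIG configuration paths read from `@{PROC}/driver/nvidia/capabilities/mig/`, note that so the rules can be narrowed later. The profile has no inline flags and relies on the `nvidia-smi complain` entry added to `dists/flags/main.flags`, which differs from the inline `flags=(complain)` used by the other new profile in this commit; one convention should be used.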
@@ -59,11 +60,12 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { / r, /boot/{efi/,} r, /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/*/ r, + /boot/{efi/,}EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, - @{sys}/block/ r, + @{run}/mount/utab r, + @{sys}/devices/@{pci}/block/*/ r, @{sys}/devices/virtual/block/*/ r, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 9a25cd7d2..200319c6c 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -16,12 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=veracrypt, ptrace (read) peer=@{p_systemd_user}, ptrace (read) peer=gsd-smartcard, + ptrace (read) peer=keepassxc, ptrace (read) peer=pkcs11-register, ptrace (read) peer=rngd, ptrace (read) peer=scdaemon, + ptrace (read) peer=veracrypt, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 067968258..8f85f3c03 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -28,6 +28,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply:* r, @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index 4548813bf..bdac4d92f 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -14,11 +14,9 @@ profile smartd @{exec_path} { include include - capability sys_rawio, + capability net_admin, capability sys_admin, - - # Needed? - audit capability net_admin, + capability sys_rawio, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 429c48938..237d5ed02 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su 
@@ -26,6 +26,8 @@ profile su @{exec_path} { @{bin}/@{shells} rUx, @{bin}/nologin rPx, + @{etc_ro}/default/su r, + include if exists } diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m index 5b919ecc0..b4601147a 100644 --- a/apparmor.d/profiles-s-z/w3m +++ b/apparmor.d/profiles-s-z/w3m @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only @@ -9,6 +10,7 @@ include @{exec_path} = @{bin}/w3m profile w3m @{exec_path} { include + include include include include @@ -21,13 +23,20 @@ profile w3m @{exec_path} { @{exec_path} mr, + @{sh_path} rix, + @{lib}/w3m/cgi-bin/* rix, + @{lib}/w3m/* rix, + /usr/share/terminfo/{,**} r, + /etc/mime.types r, /etc/w3m/{,**} r, - owner @{HOME}/.w3m/{,**} r, - owner @{user_config_dirs}/w3m/{,**} r, - owner /tmp/@{rand6}/{,**} rw, + owner @{HOME}/.w3m/{,**} rw, + + owner @{user_config_dirs}/w3m/{,**} rw, + + owner @{tmp}/@{rand6}/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 92b0f360f..56a852d11 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -10,9 +10,12 @@ include profile wsdd @{exec_path} { include include + include network inet dgram, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, @{exec_path} mr, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3239cd47b..57862b8ce 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -106,6 +106,7 @@ fail2ban-server attach_disconnected,complain fdisk complain firewall-applet attach_disconnected,complain firewall-config complain +firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain 
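Review bot: `@{sh_path} rix,`, `@{lib}/w3m/cgi-bin/* rix,` and `@{lib}/w3m/* rix,` in the `@@ -21` hunk of w3m run a shell and every w3m helper inline, so anything w3m spawns while rendering untrusted pages inherits the profile's full access, which the same hunk widens from `r` to `rw` on `@{HOME}/.w3m/{,**}` and `@{user_config_dirs}/w3m/{,**}`. That combination is exactly what a browser profile should prevent: a helper reachable from page content could rewrite the user's w3m configuration. A child profile, e.g. `@{lib}/w3m/cgi-bin/* rCx -> cgi,`, holding only what the helpers touch, with `@{sh_path}` granted inside that child rather than at top level, keeps the config writes out of the helper context. If a helper genuinely needs those writes, a comment naming it would make the choice reviewable.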
@@ -254,6 +255,7 @@ nmap complain nmcli complain nvidia-detector complain nvidia-persistenced complain +nvidia-smi complain okular complain ollama attach_disconnected,complain os-prober attach_disconnected,complain