diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 0a01e5db5..a0d5b08f9 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -30,13 +30,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{bin}/bc rix,
   @{bin}/clang-@{version} rix,
   @{bin}/gcc rix,
+  @{bin}/g++ rix,
   @{bin}/getconf rix,
   @{bin}/kill rix,
   @{bin}/kmod rCx -> kmod,
   @{bin}/ld rix,
   @{bin}/ld.lld rix,
   @{bin}/llvm-objcopy rix,
-  @{bin}/lsb_release rPx -> lsb_release,
+  @{bin}/lsb_release rPx,
   @{bin}/make rix,
   @{bin}/objcopy rix,
   @{bin}/pahole rix,
@@ -101,7 +102,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/sh-thd.* rw,
   owner @{tmp}/tmp.* rw,
 
-  @{PROC}/cpuinfo r,
   @{PROC}/sys/kernel/osrelease r,
   @{PROC}/sys/vm/overcommit_memory r,
   owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd
index 182d9013d..1d00dce88 100644
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -32,8 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 
   @{sys}/class/hidraw/ r,
-  @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r,
-  @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r,
+  @{sys}/devices/**/hidraw/hidraw@{int}/uevent r,
 
   include if exists
 }
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 961b55c97..cf5989227 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -62,12 +62,15 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
-  /boot/{,**} r,
-  /boot/EFI/*/.goutputstream-@{rand6} rw,
-  /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
-  /boot/EFI/*/fwupdx@{int}.efi rw,
+  @{efi}/{,**} r,
+  @{efi}/EFI/*/.goutputstream-@{rand6} rw,
+  @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw,
+  @{efi}/EFI/*/fwupdx@{int}.efi rw,
   @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
 
+  @{MOUNTDIRS}/*/{,@{efi}/} r,
+  @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r,
+
   /var/lib/flatpak/exports/share/mime/mime.cache r,
   /var/tmp/etilqs_@{sqlhex} rw,
   owner /var/cache/fwupd/ rw,
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index 2b91fc612..739073201 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -33,6 +33,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
   @{bin}/tar rix,
   @{bin}/uname rix,
 
+  @{bin}/vulkaninfo rPUx,
   @{bin}/acpi rPx,
   @{bin}/amixer rPx,
   @{bin}/aplay rPx,
@@ -55,7 +56,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
   @{bin}/lsblk rPx,
   @{bin}/lscpu rPx,
   @{bin}/lspci rPx,
-  @{bin}/lsscsi rPx,
   @{bin}/lsusb rPx,
   @{bin}/memtester rPx,
   @{bin}/nmcli rPx,
@@ -76,12 +76,15 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
   @{sbin}/dmidecode rPx,
   @{sbin}/fdisk rPx,
   @{sbin}/hdparm rPx,
+  @{bin}/boltctl rPUx,
   @{sbin}/hwinfo rPx,
   @{sbin}/rfkill rPx,
   @{sbin}/smartctl rPx,
 
   /etc/modprobe.d/{,*.conf} r,
 
+  @{efi}/EFI/{,**} r,
+
   owner @{HOME}/HW_PROBE/{,**} rw,
   owner @{tmp}/@{rand10}/ rw,
 
@@ -107,9 +110,9 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
     include
     include
 
-    capability sys_module,
+    capability syslog,
 
-    @{sys}/module/compression r,
+    @{sys}/module/{,**} r,
 
     include if exists
   }
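Review bot: The two `@{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r,` rules let a root daemon read the EFI directory of any volume mounted under the user-mount directories, removable media included, and nothing in the hunk says why a firmware updater needs that. Presumably it is for an ESP that is mounted somewhere other than `@{efi}` (installer or rescue layouts), but that should be stated; a comment above the pair such as `# ESP mounted outside @{efi} (e.g. by an installer); read-only` would let the next reviewer check the scope. Note also that the profile header shows `complain`, so these rules are currently only logged, not enforced.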
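Review bot: `@{bin}/vulkaninfo rPUx,` falls back to running vulkaninfo unconfined when no profile for it is loaded, whereas every neighbouring entry in this block (`acpi`, `amixer`, `aplay`) uses `rPx`, which fails closed. hw-probe is typically run as root (elsewhere in this diff it executes `dmidecode` and `hdparm` and reads the system journal), so the fallback means an unconfined root process. If the `U` fallback is deliberate because no vulkaninfo profile exists yet, say so in a comment, e.g. `@{bin}/vulkaninfo rPUx,  # no profile yet`; otherwise prefer `rPx`.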
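Review bot: `@{bin}/boltctl rPUx,` is inserted between `@{sbin}/hdparm rPx,` and `@{sbin}/hwinfo rPx,`, breaking the `@{bin}`-before-`@{sbin}` ordering that the kernel hunk in this same diff takes care to restore; move it up with the other `@{bin}/` entries. The same `rPUx` caveat applies as for vulkaninfo: with no boltctl profile loaded it runs unconfined, so either document the fallback in a trailing comment or use `rPx`.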
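Review bot: `capability syslog,` grants more than reading `dmesg`: CAP_SYSLOG also permits clearing the kernel ring buffer and, under `kptr_restrict=1`, reveals kernel pointers in `/proc/kallsyms`, and AppArmor cannot split the capability any finer. For a diagnostic collector that is probably acceptable, but the hunk gives no hint which invocation needs it; a comment such as `capability syslog,  # dmesg: read the kernel ring buffer` would record the intent. This hunk sits inside a child profile whose header is outside the hunk, so which child it is (the `kmod` one, judging by the `@{sys}/module` rules?) cannot be confirmed here.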
@@ -169,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
     @{run}/log/ rw,
     /{run,var}/log/journal/ r,
     /{run,var}/log/journal/@{hex32}/ r,
-    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
     /{run,var}/log/journal/@{hex32}/system.journal* r,
-    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
 
     owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo
index 4919d2fb2..314975208 100644
--- a/apparmor.d/profiles-g-l/hwinfo
+++ b/apparmor.d/profiles-g-l/hwinfo
@@ -28,6 +28,7 @@ profile hwinfo @{exec_path} {
   @{bin}/kmod rCx -> kmod,
   @{bin}/udevadm rCx -> udevadm,
   @{sbin}/acpidump rPUx,
+  @{bin}/lsscsi rPx,
   @{sbin}/dmraid rPUx,
@@ -39,7 +40,7 @@ profile hwinfo @{exec_path} {
 
   @{sys}/bus/{,**/} r,
   @{sys}/class/*/ r,
-  @{sys}/devices/@{pci}/** r,
+  @{sys}/devices/@{pci}/{,**} r,
   @{sys}/devices/**/{modalias,uevent} r,
   @{sys}/devices/**/input/**/dev r,
   @{sys}/devices/virtual/net/*/{type,carrier,address} r,
@@ -70,9 +71,12 @@ profile hwinfo @{exec_path} {
     include
     include
 
+    capability sys_module,
+
     owner @{tmp}/hwinfo*.txt rw,
 
     @{sys}/devices/@{pci}/drm/card@{int}/ r,
+    @{sys}/module/compression r,
 
     include if exists
   }
diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect
index 5ce4da0bb..f101c56e6 100644
--- a/apparmor.d/profiles-g-l/i2cdetect
+++ b/apparmor.d/profiles-g-l/i2cdetect
@@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} {
   @{exec_path} mr,
 
+  @{sys}/class/i2c-dev/ r,
+  @{sys}/devices/@{pci}/i2c-*/{,**/}name r,
+
+  owner @{PROC}/@{pid}/mounts r,
+
   /dev/i2c-@{int} rw,
 
   include if exists
 }
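Review bot: `@{bin}/lsscsi rPx,` lands between `@{sbin}/acpidump rPUx,` and `@{sbin}/dmraid rPUx,`, which breaks the `@{bin}`-then-`@{sbin}` ordering used elsewhere in this diff (the kernel hunk reorders entries specifically to keep it). Place it before `@{sbin}/acpidump`, directly after the `@{bin}/udevadm rCx -> udevadm,` line. The transition itself (`rPx`, fail-closed) matches the entry being removed from hw-probe, so only the placement needs changing.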
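Review bot: `capability sys_module,` lets this child profile load and unload kernel modules, and because `init_module(2)` takes the module image from memory, none of the file rules around it constrain which code reaches the kernel; it is effectively ring-0 access for whatever runs under this child. If hwinfo genuinely loads drivers while probing this is unavoidable, but the hunk should say so, e.g. `capability sys_module,  # hwinfo loads modules while probing; needed by modprobe`, and it should be confirmed that the grant is in the `kmod` child (the `@{sys}/module/compression r,` rule suggests it) rather than a broader one — the child profile's header is outside the hunk. If only `modinfo`-style queries are needed, drop the capability instead.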
diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel
index d375a1bdd..c3155ce75 100644
--- a/apparmor.d/profiles-g-l/kernel
+++ b/apparmor.d/profiles-g-l/kernel
@@ -34,13 +34,15 @@ profile kernel @{exec_path} {
   @{bin}/which{,.debianutils} rix,
 
   @{bin}/apt-config rPx,
+  @{bin}/bootctl rPx,
   @{bin}/dpkg rPx -> child-dpkg,
+  @{bin}/kernel-install rPx,
   @{bin}/systemd-detect-virt rPx,
-  @{sbin}/update-alternatives rPx,
+  @{lib}/dkms/dkms_autoinstaller rPx,
   @{sbin}/dkms rPx,
+  @{sbin}/update-alternatives rPx,
   @{sbin}/update-grub rPx,
   @{sbin}/update-initramfs rPx,
-  @{lib}/dkms/dkms_autoinstaller rPx,
 
   @{lib}/modules/*/updates/ w,
   @{lib}/modules/*/updates/dkms/ w,
diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install
index 614b81aeb..96d097417 100644
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@@ -41,6 +41,8 @@ profile kernel-install @{exec_path} {
   @{lib}/modules/*/modules.* w,
 
+  @{efi}/@{hex32}/** rw,
+
   owner /boot/{vmlinuz,initrd.img}-* r,
   owner /boot/[a-f0-9]*/*/ rw,
   owner /boot/[a-f0-9]*/*/{linux,initrd} w,
@@ -52,6 +54,7 @@ profile kernel-install @{exec_path} {
 
   owner @{tmp}/sh-thd.* rw,
 
+  @{PROC}/@{pid}/mountinfo r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile
index b684c3094..c308dcd91 100644
--- a/apparmor.d/profiles-m-r/pycompile
+++ b/apparmor.d/profiles-m-r/pycompile
@@ -11,7 +11,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) {
   include
   include
   include
-  # include
+  include
 
   capability dac_override,
   capability dac_read_search,
diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc
index 9a4b5cebe..dfdd00524 100644
--- a/apparmor.d/profiles-s-z/sysstat-sadc
+++ b/apparmor.d/profiles-s-z/sysstat-sadc
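Review bot: `@{efi}/@{hex32}/** rw,` is broader than the `/boot` rules it sits next to: those are `owner`-qualified and limit writes to the per-version directory and its `{linux,initrd}` files, while the new rule allows creating, modifying and deleting anything under any 32-hex-named directory on the ESP, without `owner`. Mirroring the existing shape keeps the two boot locations consistent: `owner @{efi}/@{hex32}/*/ rw,` and `owner @{efi}/@{hex32}/*/{linux,initrd} w,`. If the install plugins also write other files there (they are not visible from this hunk), add those paths explicitly rather than falling back to `**`.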
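Review bot: `@{PROC}/@{pid}/mountinfo r,` is not `owner`-qualified, so it matches the mountinfo of every process rather than kernel-install's own; the rest of this diff consistently owner-qualifies per-pid proc reads (`owner @{PROC}/@{pid}/fd/ r,` in dkms, `owner @{PROC}/@{pid}/stat r,` in hw-probe, `owner @{PROC}/@{pid}/mounts r,` in i2cdetect). Unless it genuinely inspects other processes' mount namespaces, change it to `owner @{PROC}/@{pid}/mountinfo r,`. The unowned `@{PROC}/1/environ r,` below it is pre-existing context, not part of this change.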
@@ -24,8 +24,10 @@ profile sysstat-sadc @{exec_path} {
   @{sys}/class/fc_host/ r,
   @{sys}/class/hwmon/ r,
   @{sys}/class/i2c-adapter/ r,
-  @{sys}/devices/@{pci}/i2c-*/name r,
+  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r,
+  @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r,
   @{sys}/devices/@{pci}/net/*/duplex r,
+  @{sys}/devices/**/i2c-*/name r,
   @{sys}/devices/**/net/*/duplex r,
   @{sys}/devices/**/net/*/speed r,
   @{sys}/devices/virtual/net/*/duplex r,