diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index e354e6edd..588f324ca 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -33,6 +33,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,e}grep rix, /{usr/,}bin/echo rix, /{usr/,}bin/gdbus rix, + /{usr/,}bin/ischroot rix, /{usr/,}bin/test rix, /{usr/,}bin/touch rix, @@ -49,7 +50,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dpkg-source rcx -> dpkg-source, /{usr/,}bin/etckeeper rPx, /{usr/,}bin/ps rPx, + /{usr/,}bin/snap rPUx, + /{usr/,}lib/cnf-update-db rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, + /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/command-not-found/cnf-update-db rPx, @@ -81,6 +85,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/lock{,-frontend} rwk, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, /dev/ptmx rw, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 787333c69..c3cf5a2a7 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -37,6 +37,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/dpkg rPx, /{usr/,}bin/etckeeper rPx, + /{usr/,}bin/ischroot rix, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/uname rix, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index a8b0028b0..d93d7ea5f 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -14,6 +14,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /{usr/,}bin/ischroot rix, + /usr/share/unattended-upgrades/{,*} r, /etc/apt/apt.conf.d/{,*} r, 
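Review bot: `/{usr/,}bin/snap rPUx,` in the second apt hunk gives snap an unconfined fallback (`U`) from a root package-manager profile, so on a host without a snap profile that child runs with no confinement at all, while the neighbouring helpers added in the same hunk (`cnf-update-db`, `apt-esm-hook`) are `rPx` and fail closed. If the fallback is deliberate because no snap profile ships in this set, say so inline, e.g. `/{usr/,}bin/snap rPUx, # no snap profile in this set yet`; otherwise `rPx` is the safer default. The third hunk's `@{PROC}/@{pids}/mountinfo r,` is presumably for ischroot inspecting PID 1's mount table, and a short comment naming that reader would make the all-pids scope easier to justify.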
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index fae30c409..0a50c9814 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -81,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 22ea486e2..aa638961a 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -15,6 +15,8 @@ profile accounts-daemon @{exec_path} { include capability dac_read_search, + capability setgid, + capability setuid, capability sys_nice, capability sys_ptrace, @@ -25,9 +27,10 @@ profile accounts-daemon @{exec_path} { /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/*.xml r, - /etc/gdm/ r, - /etc/gdm/custom.conf rw, - /etc/gdm/custom.conf.* rw, + /etc/default/locale r, + /etc/gdm{3,}/ r, + /etc/gdm{3,}/custom.conf rw, + /etc/gdm{3,}/custom.conf.* rw, /etc/machine-id r, /etc/shadow r, /etc/shells r, @@ -35,6 +38,8 @@ profile accounts-daemon @{exec_path} { owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, + @{HOME}/ r, + @{PROC}/@{pids}/cmdline r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 9f4df2b12..bf3c14b5a 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher 
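Review bot: Changing `@{PROC}/@{pid}/mounts r,` to `@{PROC}/@{pids}/mounts r,` in the dbus-daemon hunk lets the daemon read the mount table of every process instead of its own, and unlike the `fd/` line directly above it carries no `owner` qualifier. If the wider match is for the session bus reading a peer's mount namespace, `owner @{PROC}/@{pids}/mounts r,` keeps it to processes of the same uid; if only the system bus needs PID 1's view, a comment stating that would justify the unrestricted rule. The neighbouring `@{pids}` rules for `attr/apparmor/current` and `cmdline` are already broad, so this may be consistent with the file's intent, but the reason should be written down.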
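Review bot: `capability setgid,` and `capability setuid,` are added to accounts-daemon in its first hunk without a comment, and next to the existing `capability sys_ptrace,` and `/etc/shadow r,` they make this a fully privileged profile whose reason for changing identity is not recorded. The `@{HOME}/ r,` added in the third hunk suggests the daemon switches to the user to read per-user files, but that is an inference; confirm it and say so next to the grant, e.g. `capability setuid, # reads per-user files as that user — TODO confirm`. The `@{PROC}/@{pids}/cmdline r,` in the same third hunk also deserves a word on which peer it inspects.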
@@ -37,7 +37,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - + /var/lib/lightdm/.Xauthority r, /var/lib/gdm/.config/dconf/user r, diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session index 78d639a5c..3c57adf23 100644 --- a/apparmor.d/groups/freedesktop/colord-session +++ b/apparmor.d/groups/freedesktop/colord-session @@ -6,7 +6,8 @@ abi , include -@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session +@{exec_path} = /{usr/,}lib/colord/colord-session +@{exec_path} += @{libexec}/colord-session profile colord-session @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index c5787e2cc..1025fc331 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -16,12 +16,17 @@ profile pulseaudio @{exec_path} { include include include + include + include include ptrace (trace) peer=@{profile_name}, signal (receive) peer=pacmd, + unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), + unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*), + network inet stream, network inet6 stream, network netlink raw, 
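Review bot: `/var/lib/lightdm/.Xauthority r,` in the at-spi-bus-launcher hunk has no `owner` qualifier, unlike the gdm equivalent two lines above (`owner @{run}/user/@{uid}/gdm/Xauthority r,`), so any uid confined by this profile could read the greeter's X cookie. If the launcher runs as the lightdm user in the greeter session, `owner /var/lib/lightdm/.Xauthority r,` gives the same access while keeping the file's pattern; if another uid needs it, a comment saying which would explain the exception. The removed line appears to be a blank rather than a rule, though the collapsed hunk makes that hard to confirm.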
@@ -29,65 +34,6 @@ profile pulseaudio @{exec_path} { network bluetooth stream, network bluetooth seqpacket, - @{exec_path} mrix, - - /{usr/,}lib{exec,}/pulse/gsettings-helper mrix, - /{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix, - /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, - - # PulseAudio files - /usr/share/pulseaudio/{,**} r, - /{usr/,}lib/pulse-*/modules/*.so mr, - - # PulseAudio home config files - owner @{user_config_dirs}/pulse/{,**} rw, - owner @{user_config_dirs}/dconf/user r, - - owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, - - # Needed when PulseAudio is started via the start-pulseaudio-x11 script - owner @{HOME}/.Xauthority r, - - # Needed when PulseAudio is started via gdm - owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, - owner @{HOME}/.ICEauthority r, - - # TCP wrap - /etc/hosts.{allow,deny} r, - - owner @{run}/user/@{uid}/ rw, - owner @{run}/user/@{uid}/pulse/{,*} rw, - owner @{run}/user/@{uid}/pulse/*.lock k, - - /usr/share/applications/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{sys}/devices/**/sound/**/{uevent,pcm_class} r, - @{run}/udev/data/+sound* r, - @{run}/udev/data/c116:[0-9]* r, # For ALSA - - @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, - - deny @{sys}/module/apparmor/parameters/enabled r, - - @{run}/systemd/users/@{uid} r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/ICEauthority r, - owner @{run}/user/@{uid}/systemd/notify rw, - - owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/cmdline r, - - # DBus dbus (send) bus=session path=/org/freedesktop/DBus 
@@ -139,14 +85,18 @@ profile pulseaudio @{exec_path} { member=GetManagedObjects peer=(name=org.bluez), - unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), - unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*), + @{exec_path} mrix, - # The orcexec.* file is JIT compiled code for various GStreamer elements. - # If one is blocked the next is used instead. - owner @{run}/user/@{uid}/orcexec.* mrw, - #owner @{HOME}/orcexec.* mrw, - #owner /tmp/orcexec.* mrw, + /{usr/,}@{libexec}/pulse/gsettings-helper mrix, + /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, + /{usr/,}lib/pulse-*/modules/*.so mr, + + /usr/share/applications/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/pulseaudio/{,**} r, + /usr/share/ubuntu/applications/{,*} r, + + /var/lib/snapd/desktop/applications/ r, # For GDM owner /var/lib/gdm{[1-9],}/.config/pulse/{,**} rw, 
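Review bot: `/{usr/,}@{libexec}/pulse/gsettings-helper mrix,` prefixes `@{libexec}` with `/{usr/,}`, whereas every other use of the variable in this commit (`@{libexec}/gdm-session-worker`, `@{libexec}/colord-session`, `@{libexec}/switcheroo-control`) starts the path with it; if `@{libexec}` expands to an absolute path the rule becomes `/{usr/,}/…`, never matches, and the helper's exec is denied. The line it replaces was `/{usr/,}lib{exec,}/pulse/gsettings-helper mrix,`, so `@{libexec}/pulse/gsettings-helper mrix,` is presumably what was intended — worth checking against the tunable's definition before merging.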
@@ -164,13 +114,42 @@ profile pulseaudio @{exec_path} { owner /var/lib/lightdm/.config/pulse/{,**} rw, owner /var/lib/lightdm/.config/pulse/cookie k, + owner @{HOME}/.Xauthority r, + owner @{HOME}/.ICEauthority r, + + owner @{user_config_dirs}/pulse/{,**} rw, + owner @{user_config_dirs}/dconf/user r, + + owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r, + + owner @{run}/user/@{uid}/ rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r, + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, + owner @{run}/user/@{uid}/ICEauthority r, + owner @{run}/user/@{uid}/pulse/{,*} rw, + owner @{run}/user/@{uid}/pulse/*.lock k, + owner @{run}/user/@{uid}/systemd/notify rw, + + @{run}/systemd/users/@{uid} r, + + @{run}/udev/data/+sound* r, + @{run}/udev/data/c116:[0-9]* r, # For ALSA + + @{sys}/class/sound/ r, + @{sys}/devices/**/sound/**/{uevent,pcm_class} r, + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, + + deny @{sys}/module/apparmor/parameters/enabled r, + + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/cmdline r, + # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - # Snap - /var/lib/snapd/desktop/applications/ r, - /usr/{local/,}share/ubuntu/applications/{,*} r, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index cc70c3bc1..cfb29dc8b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -28,7 +28,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { / r, /.flatpak-info r, - /{usr/,}lib/x r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/pipewire/client.conf r, 
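Review bot: The re-added rules in this hunk drop the why-comments the old block carried — `# Needed when PulseAudio is started via the start-pulseaudio-x11 script` for `owner @{HOME}/.Xauthority r,`, `# Needed when PulseAudio is started via gdm` for the gdm Xauthority line — leaving only `# For ALSA`; restoring them above the corresponding lines keeps the reasoning with the rule. Several rules removed in the earlier `-29,65` hunk (`/etc/hosts.{allow,deny} r,`, the `gst-plugin-scanner mrix,` line, `@{sys}/bus/ r,`, `@{sys}/class/ r,` and the `node[0-9]/meminfo` reads) do not reappear in this hunk or the previous one, so unless they moved into one of the new includes whose names are not visible here this change silently tightens the profile; if that is intended, a sentence in the commit message would save the next reader the search. Keeping `deny @{sys}/module/apparmor/parameters/enabled r,` is right, since it quiets the audit log without granting the read.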
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index c5075fb3c..a74d3c75c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -10,6 +10,7 @@ include profile xdg-desktop-portal-gnome @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index dcfb51822..0d51bc9a2 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -26,13 +26,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/plymouth rPx, - /{usr/,}lib/gdm-session-worker rPx, - + /{usr/,}{s,}prime-switch rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/plymouth rPx, + /etc/gdm{3,}/PrimeOff/Default rix, + @{libexec}/gdm-session-worker rPx, + /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/locale.conf r, @@ -49,6 +53,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/udev/tags/master-of-seat/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 49938a961..d93b104fd 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -45,6 +45,10 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{libexec}/gdm-wayland-session rPx, @{libexec}/gdm-x-session rPx, /etc/gdm{3,}/{Pre,Post}Session/Default rix, + /etc/gdm{3,}/PrimeOff/Default rix, + + /usr/share/gdm/gdm.schemas r, + /usr/share/wayland-sessions/*.desktop r, /etc/default/locale r, /etc/environment r, 
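Review bot: `/{usr/,}{s,}prime-switch rPx,` in the first gdm hunk is missing the `bin/` component: it expands to `/prime-switch`, `/sprime-switch`, `/usr/prime-switch` and `/usr/sprime-switch`, none of which is a real location, so the exec stays denied while the rule looks satisfied. The spelling used elsewhere in this commit is `/{usr/,}{s,}bin/nologin rPx,` in sshd, so this should read `/{usr/,}{s,}bin/prime-switch rPx,`. The same hunk also adds `/{usr/,}bin/{,ba,da}sh rix,` and `/etc/gdm{3,}/PrimeOff/Default rix,`, which run a shell and an /etc script inside gdm's own profile; a comment noting that the PrimeOff hook is what needs the inline shell would make that grant easier to review later.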
@@ -56,8 +60,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /etc/security/limits.d/{,*.conf} r, /etc/shells r, - /usr/share/gdm/gdm.schemas r, - /usr/share/wayland-sessions/*.desktop r, + owner @{run}/user/@{uid}/keyring/control rw, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/gdm/custom.conf r, @@ -65,8 +68,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index d906f01e6..57c084d57 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -22,18 +22,19 @@ profile gdm-wayland-session @{exec_path} { @{exec_path} mr, - # It can run hooks, how to handle them nicely? rCx? them mostly include if exist - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/env rix, + /{usr/,}bin/gettext rix, /{usr/,}bin/gnome-session rix, /{usr/,}bin/grep rix, /{usr/,}bin/gsettings rix, + /{usr/,}bin/head rix, /{usr/,}bin/locale rix, /{usr/,}bin/locale-check rix, + /{usr/,}bin/qmake rix, /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, /{usr/,}bin/tty rix, - /{usr/,}bin/gettext rix, /{usr/,}bin/zsh rix, /{usr/,}bin/dbus-daemon rPx, @@ -42,12 +43,14 @@ profile gdm-wayland-session @{exec_path} { /{usr/,}bin/flatpak rPUx, @{libexec}/gnome-session-binary rPx, + /{usr/,}bin/gettext.sh r, /usr/share/im-config/{,**} r, /etc/default/im-config r, /etc/gdm{3,}/custom.conf r, /etc/machine-id r, /etc/shells r, + /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, /usr/share/gdm/gdm.schemas r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 0490d7559..8af7526e5 100644 --- a/apparmor.d/groups/gnome/gnome-calendar 
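Review bot: `/{usr/,}bin/qmake rix,` in the first gdm-wayland-session hunk runs a Qt build tool inline under the session launcher's profile, alongside `head`, `sort` and `gettext`, and nothing in the hunk records which session script invokes it. The `/etc/X11/xinit/xinputrc r,` and `/{usr/,}bin/gettext.sh r,` reads in the second hunk hint at an Xsession.d or im-config script, but that is a guess; a comment such as `/{usr/,}bin/qmake rix, # invoked by <session script> — TODO name it` would document the grant. The removed `# It can run hooks, how to handle them nicely? rCx?` question is dropped without being answered; if `rix` is now the accepted answer, a one-line note saying so is worth keeping.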
+++ b/apparmor.d/groups/gnome/gnome-calendar @@ -30,7 +30,5 @@ profile gnome-calendar @{exec_path} { owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - @{PROC}/sys/dev/i915/perf_stream_paranoid r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index fd682a6b1..ed46dfb13 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -14,6 +14,7 @@ profile gnome-contacts @{exec_path} { include include include + include include include include @@ -28,14 +29,11 @@ profile gnome-contacts @{exec_path} { /usr/share/applications/{,*.desktop} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_config_dirs}/gnome-contacts/{,**} rw, owner @{user_share_dirs}/folks/relationships.ini r, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - @{PROC}/sys/dev/i915/perf_stream_paranoid r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index eb181ea69..435d438f1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -111,6 +111,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 88bcdf238..1051a928b 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -10,8 +10,9 @@ include profile gnome-extension-ding @{exec_path} { include include - include include + include + include @{exec_path} mr, 
@@ -22,7 +23,7 @@ profile gnome-extension-ding @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, /usr/share/themes/{,**} r, - /usr/share/thumbnailers/*.thumbnailer r, + /usr/share/thumbnailers/{,*.thumbnailer} r, /usr/share/X11/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f9711333c..230774854 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -43,17 +43,18 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/aa-notify rPx, /{usr/,}bin/blueman-applet rPx, - /{usr/,}bin/xdg-user-dirs-update rPx, /{usr/,}bin/firewall-applet rPUx, /{usr/,}bin/gnome-keyring-daemon rPx, /{usr/,}bin/gnome-shell rPx, /{usr/,}bin/im-launch rPx, /{usr/,}bin/pkcs11-register rPx, /{usr/,}bin/snap rPUx, + /{usr/,}bin/spice-vdagent rPx, /{usr/,}bin/start-pulseaudio-x11 rPx, /{usr/,}bin/ubuntu-report rPx, /{usr/,}bin/update-notifier rPx, /{usr/,}bin/xbrlapi rPx, + /{usr/,}bin/xdg-user-dirs-update rPx, /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx, @{libexec}/at-spi-bus-launcher rPx, @{libexec}/evolution-data-server/evolution-alarm-notify rPx, 
@@ -98,14 +99,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/applications/ r, owner @{user_share_dirs}/applications/mimeinfo.cache r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, + owner @{run}/user/@{uid}/systemd/notify w, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index bbc8375a8..08da7996b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -125,6 +125,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, + owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a6f7d510c..a38feb1a1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -10,8 +10,8 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include - include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index e683f0a81..df0fe0e5f 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard 
@@ -10,8 +10,8 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include - include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 921f8b5c3..4884d7fed 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -12,17 +12,16 @@ profile tracker-miner @{exec_path} { include # TODO: FIXME: See if we keep them like this. include include + include include include include @{exec_path} mr, - /usr/share/applications/{,mimeinfo.cache,*.list} r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/mime/mime.cache r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, /usr/share/ubuntu/applications/ r, @@ -43,8 +42,6 @@ profile tracker-miner @{exec_path} { owner @{MOUNTS}/*/{,**} r, owner /tmp/*/{,**} r, - owner @{user_share_dirs}/{applications/,mime/mime.cache} r, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/tracker3/{,**} rwk, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 0f1352dba..81ba8b56a 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -21,6 +21,7 @@ profile pacman @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability kill, capability mknod, capability net_admin, capability setfcap, @@ -83,6 +84,7 @@ profile pacman @{exec_path} { /{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/groupadd rPx, /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx, + /{usr/,}bin/install-catalog rPx, /{usr/,}bin/install-info rPx, /{usr/,}bin/journalctl rPx, /{usr/,}bin/locale-gen rPx, 
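Review bot: `capability kill,` is added to pacman in its first hunk without a comment, and unlike the file-oriented capabilities around it (`fowner`, `fsetid`, `mknod`) it allows signalling processes of any uid, which matters for a root profile that also launches many `rPx` helpers. If a pacman hook needs it, record which one: `capability kill, # for hooks that signal running processes — TODO confirm which`. The `@{PROC}/@{pids}/ r,` and `@{PROC}/@{pids}/cmdline r,` added in the `-124,7` hunk are presumably for the same hook, and a comment there naming it would tie the two grants together.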
@@ -124,7 +126,9 @@ profile pacman @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 990d46265..8b4923221 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -51,12 +51,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + /{usr/,}{s,}bin/nologin rPx, /{usr/,}bin/{,b,d,rb}ash rUx, /{usr/,}bin/{c,k,tc,z}sh rUx, - /{usr/,}{s,}bin/nologin rPx, + /{usr/,}bin/false rix, /{usr/,}bin/passwd rPx, /{usr/,}lib/openssh/sftp-server rPx, - /{usr/,}bin/false rix, /etc/default/locale r, /etc/environment r, @@ -78,8 +78,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/resolvconf/resolv.conf r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/notify w, + @{run}/systemd/sessions/*.ref rw, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 1da11fc0a..4e21b8407 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -24,12 +24,14 @@ profile bootctl @{exec_path} { /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, - /{boot,efi}/loader/{,**} r, /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw, /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw, /{boot,efi}/EFI/systemd/systemd-boot*.efi w, /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw, + /{boot,efi}/loader/.#entries.srel* w, + /{boot,efi}/loader/{,**} r, + /{boot,efi}/loader/entries.srel w, /{boot,efi}/loader/random-seed w, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 5fbe2c74d..e9df1167c 100644 
--- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -11,12 +11,11 @@ include profile networkctl @{exec_path} flags=(complain) { include - # To be able to manage network interfaces, capability net_admin, # Needed? (#FIXME#) - audit deny capability sys_resource, - audit deny capability sys_module, + audit capability sys_resource, + audit capability sys_module, signal send peer=child-pager, @@ -49,6 +48,7 @@ profile networkctl @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, + @{PROC}/filesystems r, @{PROC}/sys/kernel/random/boot_id r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 4fbf1b5ed..d25f1381c 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,7 +17,11 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/systemd/notify rw, + @{run}/udev/data/+dmi:id r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/bios_version r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, @@ -25,7 +29,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, - @{run}/udev/data/+dmi:id r, @{sys}/firmware/dmi/entries/*/raw r, /etc/.#hostname* rw, diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 56e0b48e6..5eb039e41 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports 
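Review bot: Turning `audit deny capability sys_module,` and `audit deny capability sys_resource,` into `audit capability sys_module,` and `audit capability sys_resource,` grants networkctl, a status and control CLI, the ability to load kernel modules, while the `# Needed? (#FIXME#)` comment kept above them says the author does not know whether the capability is used at all. Explicit `deny` rules are applied even under `flags=(complain)`, so this flip changes behaviour now rather than only when the profile is later enforced; keeping the `deny` until an audit entry shows a real attempt costs nothing, because the `audit` prefix already reports one. If the flip is meant to gather evidence, say so next to the FIXME, e.g. `# Needed? (#FIXME#) granted with audit to learn whether networkctl ever uses it`. The removed `# To be able to manage network interfaces,` comment explained `capability net_admin,` and is worth keeping.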
+++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -9,8 +9,9 @@ include @{exec_path} = /usr/share/apport/apport-checkreports profile apport-checkreports @{exec_path} { include - include + include include + include @{exec_path} mr, @@ -21,6 +22,9 @@ profile apport-checkreports @{exec_path} { /usr/share/apport/ r, /etc/apt/apt.conf.d/{,**} r, + /etc/default/apport r, + + /var/crash/ r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index d307f0eb4..bd66ec170 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -11,6 +11,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_ptrace, capability syslog, ptrace (read), diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/profiles-a-f/aurpublish index 5c93be01d..fd643e752 100644 --- a/apparmor.d/profiles-a-f/aurpublish +++ b/apparmor.d/profiles-a-f/aurpublish @@ -10,6 +10,8 @@ include profile aurpublish @{exec_path} { include + signal (receive) peer=git, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 5e40c1ec9..304d97c0b 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -18,8 +18,11 @@ profile borg @{exec_path} { network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} r, + + /{usr/,}bin/ r, /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/uname rix, @@ -66,15 +69,11 @@ profile borg @{exec_path} { # Dirs that can be backed up / r, - /boot/{,**} r, - /efi/{,**} r, /etc/{,**} r, /home/{,**} r, @{MOUNTS}/{,**} r, - /opt/{,**} r, /root/{,**} r, /srv/{,**} r, - /usr/{,**} r, /var/{,**} r, # The backup dirs diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 83f903685..053d00dd6 100644 --- a/apparmor.d/profiles-g-l/git 
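Review bot: The second borg hunk removes `/boot/{,**} r,`, `/efi/{,**} r,`, `/opt/{,**} r,` and `/usr/{,**} r,` from the `# Dirs that can be backed up` list, so a whole-system backup will now be denied on those trees while `/`, `/etc`, `/home` and `/var` stay readable, and nothing in the hunk says whether this is deliberate narrowing or a casualty of the reorder. If they are meant to be excluded, a comment in the list (`# /boot, /efi, /opt and /usr are intentionally not readable`) or a sentence in the commit message stops the next reader from re-adding them. The first hunk's `network netlink raw,` also lacks a reason; if it is for address lookups via glibc, a short comment saying so would help.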
+++ b/apparmor.d/profiles-g-l/git @@ -27,6 +27,8 @@ profile git @{exec_path} { network inet6 stream, network netlink raw, + signal (send) peer=aurpublish, + @{exec_path} mrix, # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index fc03477ef..9685ea692 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -19,37 +20,36 @@ profile mkinitramfs @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}sbin/ r, - /{usr/,}bin/ r, + /{usr/,}{s,}bin/ r, /{usr/,}lib/ r, /{usr/,}lib64/ r, - /{usr/,}bin/getopt rix, - /{usr/,}bin/basename rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tsort rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/id rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/env rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/tr rix, - - /{usr/,}bin/cpio rix, - /{usr/,}bin/gzip rix, + /{usr/,}bin/basename rix, /{usr/,}bin/bzip2 rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cpio rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/env rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/id rix, + /{usr/,}bin/ln rix, /{usr/,}bin/lzma rix, /{usr/,}bin/lzop rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/tsort rix, + /{usr/,}bin/xargs rix, /{usr/,}bin/xz rix, /{usr/,}bin/zstd rix, @@ -87,20 +87,21 @@ profile mkinitramfs @{exec_path} { /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs-* rw, - @{PROC}/modules r, - + owner @{PROC}/@{uid}/fd/ r, + @{PROC}/modules r, profile ldd { include include + include /{usr/,}bin/ldd mr, /{usr/,}bin/kmod mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}lib/@{multiarch}/ld-*.so rix, - /{usr/,}lib{,x}32/ld-*.so rix, + /{usr/,}lib/@{multiarch}/ld-*.so* rix, + /{usr/,}lib{,x}32/ld-*.so rix, } 
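Review bot: `owner @{PROC}/@{uid}/fd/ r,` in the `-87,20` hunk uses `@{uid}` where a PID belongs: the directory is `/proc/<pid>/fd/`, and every other profile in this commit spells it `owner @{PROC}/@{pid}/fd/ r,` (pacman, gdm-session-worker, update-command-not-found). As written the rule only matches when the process id happens to equal the user id, so the read will keep being denied in practice; it should be `owner @{PROC}/@{pid}/fd/ r,`. In the same hunk `/{usr/,}lib/@{multiarch}/ld-*.so* rix,` gains a trailing `*`, presumably to match versioned names, while the `lib{,x}32` line below keeps the old pattern — either it should get the same suffix or a comment should say why not.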
@@ -110,7 +111,10 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - /{usr/,}sbin/ldconfig mr, + /{usr/,}{s,}bin/ldconfig mr, + + /{usr/,}{s,}bin/ldconfig.real rix, + /{usr/,}bin/{,ba,da}sh rix, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, @@ -148,11 +152,14 @@ profile mkinitramfs @{exec_path} { profile kmod { include include + include /{usr/,}bin/kmod mr, @{PROC}/cmdline r, + /etc/depmod.d/ r, + /etc/depmod.d/*.conf r, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 77c49dd3b..db6ff8dd6 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -12,6 +12,8 @@ profile qemu-ga @{exec_path} { @{exec_path} mr, + /etc/qemu/qemu-ga.conf r, + owner @{run}/qga.state* rw, /dev/vport[0-9]*p[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 65616a182..10fc5bd92 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -16,25 +16,12 @@ profile rsyslogd @{exec_path} { include include - # Needed to remove the following error: - # rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted. - capability syslog, - - # For remote logs - capability net_admin, - - # for creating new log files and changing their owner/group - capability chown, - - # downgrade privileges on Ubuntu - capability setgid, + capability chown, # For creating new log files and changing their owner/group + capability net_admin, # For remote logs + capability setgid, # For downgrading privileges capability setuid, - - # Needed? - deny capability sys_nice, -# capability sys_ptrace, -# ptrace (read), - + capability syslog, + @{exec_path} mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr, 
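Review bot: In the rsyslogd hunk `capability setuid,` is the only capability left without an inline comment, although the removed block explained it together with setgid (`# downgrade privileges on Ubuntu`); give it the same treatment, `capability setuid, # For downgrading privileges`. The removed `# Needed to remove the following error: … imklog: cannot open kernel log (/proc/kmsg)` text was the only record of why `capability syslog,` is required and is worth keeping as a trailer (`capability syslog, # imklog reading /proc/kmsg`). Dropping `deny capability sys_nice,` grants nothing, but it re-enables audit logging of that denial if rsyslogd still attempts it, so if the deny was there to quiet the log the noise will return.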
@@ -47,6 +34,7 @@ profile rsyslogd @{exec_path} { owner @{run}/rsyslogd.pid{,.tmp} rwk, owner @{run}/systemd/journal/syslog w, + @{run}/systemd/notify rw, # log files and devices /var/log/** rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 99757736a..ce534bdee 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -20,7 +20,7 @@ profile spice-vdagent @{exec_path} { owner @{user_config_dirs}/user-dirs.dirs r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, - owner @{run}/spice-vdagentd/spice-vdagent-sock rw, + @{run}/spice-vdagentd/spice-vdagent-sock rw, @{sys}/devices/pci[0-9]*/**/{device,vendor} r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 2441b65be..ee7dac591 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,15 +6,18 @@ abi , include -@{exec_path} = /{usr/,}bin/spice-vdagentd -profile spice-vdagentd @{exec_path} { +@{exec_path} = /{usr/,}{s,}bin/spice-vdagentd +profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include + include capability sys_nice, @{exec_path} mr, + owner @{run}/spice-vdagentd/spice-vdagent-sock r, owner @{run}/spice-vdagentd/spice-vdagentd.pid rw, + @{run}/systemd/journal/dev-log w, @{run}/systemd/seats/seat[0-9]* r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 6830ff9b6..57a24445f 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{libexec}/switcheroo-control -profile switcheroo-control @{exec_path} { +profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability sys_nice, 
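Review bot: Dropping `owner` from `@{run}/spice-vdagentd/spice-vdagent-sock rw,` in the spice-vdagent hunk is presumably needed because the socket belongs to the root daemon while the agent runs as the session user, so the owner check could never pass; a comment stating that stops the next reader from re-adding it: `@{run}/spice-vdagentd/spice-vdagent-sock rw, # socket is root-owned, agent runs as the user`. The spice-vdagentd hunk gives the daemon only `owner … spice-vdagent-sock r,` on the same path, which is enough only if something else (such as a systemd socket unit) creates and binds it — worth confirming and noting there too.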
@@ -18,6 +18,8 @@ profile switcheroo-control @{exec_path} {
   @{run}/udev/data/+drm:* r,
+  @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
+
   @{sys}/bus/ r,
   @{sys}/class/ r,
   @{sys}/class/drm/ r,
diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf
index 5a557c785..26ce8ce24 100644
--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -14,25 +15,26 @@ profile ucf @{exec_path} flags=(complain) {
   @{exec_path} r,
   /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/basename rix,
-  /{usr/,}bin/seq rix,
-  /{usr/,}bin/cp rix,
-  /{usr/,}bin/mv rix,
-  /{usr/,}bin/rm rix,
   /{usr/,}bin/{,e}grep rix,
-  /{usr/,}bin/which{,.debianutils} rix,
-  /{usr/,}bin/md5sum rix,
-  /{usr/,}bin/sed rix,
-  /{usr/,}bin/getopt rix,
-  /{usr/,}bin/mkdir rix,
+  /{usr/,}bin/basename rix,
   /{usr/,}bin/cat rix,
-  /{usr/,}bin/id rix,
-  /{usr/,}bin/readlink rix,
-  /{usr/,}bin/perl rix,
-  /{usr/,}bin/gawk rix,
-  /{usr/,}bin/tr rix,
+  /{usr/,}bin/cp rix,
   /{usr/,}bin/dirname rix,
+  /{usr/,}bin/gawk rix,
+  /{usr/,}bin/getopt rix,
+  /{usr/,}bin/id rix,
+  /{usr/,}bin/mawk rix,
+  /{usr/,}bin/md5sum rix,
+  /{usr/,}bin/mkdir rix,
+  /{usr/,}bin/mv rix,
+  /{usr/,}bin/perl rix,
+  /{usr/,}bin/readlink rix,
+  /{usr/,}bin/rm rix,
+  /{usr/,}bin/sed rix,
+  /{usr/,}bin/seq rix,
   /{usr/,}bin/stat rix,
+  /{usr/,}bin/tr rix,
+  /{usr/,}bin/which{,.debianutils} rix,
   # Do not strip env to avoid errors like the following:
   # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found
index 89575a537..c256bc068 100644
--- a/apparmor.d/profiles-s-z/update-command-not-found
+++ b/apparmor.d/profiles-s-z/update-command-not-found
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -8,33 +9,33 @@ include
 @{exec_path} = /usr/share/command-not-found/cnf-update-db
 @{exec_path} += /{usr/,}{s,}bin/update-command-not-found
+@{exec_path} += /{usr/,}lib/cnf-update-db
 profile update-command-not-found @{exec_path} {
   include
   include
+  include
   include
-  #capability sys_tty_config,
-
   @{exec_path} r,
+  /{usr/,}bin/python3.[0-9]* r,
-  /{usr/,}lib/apt/apt-helper rix,
-
-  /{usr/,}bin/dpkg rPx -> child-dpkg,
-
-  /var/lib/command-not-found/ r,
-  /var/lib/command-not-found/commands.db* rwk,
+  /{usr/,}bin/dpkg rPx -> child-dpkg,
+  /{usr/,}lib/apt/apt-helper rix,
+  /usr/share/dpkg/cputable r,
+  /usr/share/dpkg/tupletable r,
   /usr/share/command-not-found/{,**} r,
   /etc/apt/apt.conf.d/{,*} r,
   /etc/apt/apt.conf r,
-  /usr/share/dpkg/cputable r,
-  /usr/share/dpkg/tupletable r,
+  /var/lib/command-not-found/ r,
+  /var/lib/command-not-found/commands.db* rwk,
   /var/lib/apt/lists/ r,
   /var/lib/apt/lists/*_Contents-* r,
+  /var/lib/apt/lists/*_Commands-* r,
   owner @{PROC}/@{pid}/fd/ r,
