diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client
index 443d8638f..af4adf172 100644
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@@ -30,8 +30,9 @@
 owner @{HOME}/.alsoftrc r,
 owner @{HOME}/.asoundrc r,
- owner @{HOME}/.libao r,
 owner @{HOME}/.esd_auth r,
+ owner @{HOME}/.libao r,
+ owner @{HOME}/.pulse-cookie rwk,
 owner @{user_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,
 # libcanberra
@@ -48,6 +49,8 @@
 owner @{run}/user/@{uid}/pulse/ rw,
 owner @{run}/user/@{uid}/pulse/native rw,
+ @{sys}/class/sound/ r,
+ /dev/shm/ r,
 owner /dev/shm/pulse-shm-@{int} rw,
diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
index 4d23a7e51..e5102cb24 100644
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@@ -18,6 +18,7 @@
 owner @{HOME}/.nv/nvidia-application-profiles-* r,
 @{sys}/devices/system/memory/block_size_bytes r,
+ @{sys}/module/nvidia/version r,
 @{PROC}/driver/nvidia/params r,
 @{PROC}/sys/vm/max_map_count r,
diff --git a/apparmor.d/abstractions/video.d/complete b/apparmor.d/abstractions/video.d/complete
index 4b8a0d2ee..e36b3128b 100644
--- a/apparmor.d/abstractions/video.d/complete
+++ b/apparmor.d/abstractions/video.d/complete
@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+ @{run}/udev/data/c81:@{int} r, # For video4linux
+ @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
 # Access to video /dev devices
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index e5c1d7ea1..4df679c9f 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
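Review bot: `owner @{HOME}/.pulse-cookie rwk` grants write and lock access to the PulseAudio authentication cookie to every profile that includes this abstraction, while the neighbouring `.esd_auth` and `.asoundrc` rules stay read-only. If write is needed only because libpulse creates the cookie when it is absent, a trailing comment such as `# libpulse creates the cookie if missing` would record that and stop a later cleanup from narrowing it to `r`; if no client actually writes it, `r` is the tighter grant for a file that authenticates every other client of the user's daemon.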
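Review bot: `/dev/shm/ r` is an unqualified directory-listing grant inherited by every audio client, whereas the `pulse-shm-@{int}` rule directly below it is still `owner`-scoped. Listing `/dev/shm/` is presumably for libpulse locating its shared-memory segments; if so a short comment would document it, and if only one application triggers the denial the rule belongs in that profile rather than in the shared abstraction.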
@@ -56,9 +56,9 @@ profile dbus-session flags=(attach_disconnected) {
 @{sys}/kernel/security/apparmor/.access rw,
 @{sys}/kernel/security/apparmor/features/dbus/mask r,
 @{sys}/module/apparmor/parameters/enabled r,
-
+
+ @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/attr/apparmor/current r,
- owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/oom_score_adj r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 1de8b250f..0057ddeb6 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -27,6 +27,13 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,
+ owner @{desktop_share_dirs}/flatpak/ w,
+ audit owner @{desktop_share_dirs}/flatpak/db/ rw,
+ audit owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
+ audit owner @{desktop_share_dirs}/flatpak/db/background rw,
+ audit owner @{desktop_share_dirs}/flatpak/db/devices r,
+ audit owner @{desktop_share_dirs}/flatpak/db/notifications rw,
+
 owner @{user_share_dirs}/flatpak/ w,
 owner @{user_share_dirs}/flatpak/db/ rw,
 owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index 9d457e887..5987976d0 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -9,8 +9,8 @@ include
 @{exec_path} = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
+ include
 include
 signal (receive) set=(term hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index dac667617..45ce4da66 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
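Review bot: the new `@{PROC}/@{pid}/cmdline r` drops the `owner` qualifier that the removed line had, so the session bus may now read the command line of any process on the host rather than only the user's own. If the reason is peers that are not dumpable (their `/proc/@{pid}/` entries are root-owned and never satisfy `owner`), a comment beside the rule such as `# non-dumpable peers are root-owned in /proc, owner does not match` would keep the widening from being reverted as a typo; if not, the `owner` form was the tighter grant and the commit should say why it no longer suffices.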
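Review bot: the five `audit owner @{desktop_share_dirs}/flatpak/db/...` rules keep the `audit` qualifier, which logs every permitted access, whereas the parallel `@{user_share_dirs}` rules that follow them do not. That reads as a profiling leftover; unless the logging is intended (in which case a comment should say so), drop `audit` so the two groups match, e.g. `owner @{desktop_share_dirs}/flatpak/db/ rw,`. `owner @{desktop_share_dirs}/flatpak/db/devices r` is also the only db entry that is read-only, so it is worth confirming that asymmetry is deliberate rather than an incomplete trace.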
@@ -235,7 +235,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{gdm_config_dirs}/pulse/cookie rwk,
 owner @{gdm_share_dirs}/applications/{,**} r,
 owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
- owner @{gdm_share_dirs}/icc/ r,
+ owner @{gdm_share_dirs}/icc/ rw,
 owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
 owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,
@@ -260,7 +260,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/gnome-shell/{,**} rw,
 owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
- owner @{user_share_dirs}/icc/ r,
+ owner @{user_share_dirs}/icc/ rw,
 owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
 owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
@@ -273,6 +273,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_cache_dirs}/media-art/{,**} r,
 owner @{user_cache_dirs}/vlc/**/*.jpg r,
+ @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
 owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index 35fce836b..d00af3ac7 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -43,6 +43,11 @@ profile gpg @{exec_path} {
 owner /etc/apt/keyrings/ rw,
 owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
+ #aa:only pacman
+ owner /etc/pacman.d/gnupg/gpg.conf r,
+ owner /etc/pacman.d/gnupg/pubring.gpg r,
+ owner /etc/pacman.d/gnupg/trustdb.gpg r,
+
 owner /var/lib/*/gnupg/ rw,
 owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 81cb07fb0..88476e81c 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -25,6 +25,7 @@ profile baloo @{exec_path} {
 @{lib}/{,kf6/}baloo_file_extractor rix,
 /usr/share/poppler/{,**} r,
+ /usr/share/desktop-base/kf5-settings/baloofilerc r,
 /etc/fstab r,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup
index f6adfc8ec..bac66d284 100644
--- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup
+++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup
@@ -14,7 +14,7 @@ profile drkonqi-coredump-cleanup @{exec_path} {
 @{exec_path} mr,
 @{user_cache_dirs}/kcrash-metadata/ r,
- owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
+ owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy
index ec36ee18f..08c37a074 100644
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@@ -18,6 +18,7 @@ profile gmenudbusmenuproxy @{exec_path} {
 @{exec_path} mr,
 /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
 owner @{HOME}/.gtkrc-2.0 rw,
 owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw,
diff --git a/apparmor.d/groups/kde/kde-systemd-start-condition b/apparmor.d/groups/kde/kde-systemd-start-condition
index 134f62d15..ce5c0e6a3 100644
--- a/apparmor.d/groups/kde/kde-systemd-start-condition
+++ b/apparmor.d/groups/kde/kde-systemd-start-condition
@@ -16,6 +16,7 @@ profile kde-systemd-start-condition @{exec_path} {
 /usr/share/desktop-base/kf{5,6}-settings/baloofilerc r,
 owner @{user_config_dirs}/baloofilerc r,
+ owner @{user_config_dirs}/konquerorrc r,
 owner @{user_config_dirs}/plasma-welcomerc r,
 include if exists
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 9a513c62d..3e62ed175 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
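Review bot: `/usr/share/desktop-base/kf5-settings/baloofilerc r` covers only the KF5 directory, while the kde-systemd-start-condition hunk further down on this page reads the same file as `kf{5,6}-settings/baloofilerc`; the kwin_wayland hunk that follows it adds `kf5-settings/{,**}` with the same KF5-only limitation. Unless baloo and kwin are known to be KF5-only on the target distribution, `/usr/share/desktop-base/kf{5,6}-settings/baloofilerc r,` here (and `kf{5,6}-settings/{,**}` in kwin_wayland) keeps the three profiles consistent and avoids a fresh denial when the KF6 package lands.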
@@ -32,6 +32,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 #aa:exec kscreenlocker_greet
 /usr/share/color-schemes/*.colors r,
+ /usr/share/desktop-base/kf5-settings/{,**} r,
 /usr/share/desktop-directories/*.directory r,
 /usr/share/kglobalaccel/{,**} r,
 /usr/share/knotifications{5,6}/ksmserver.notifyrc r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 6db8b9496..20fec7b18 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -168,7 +168,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /tmp/sddm-* rw,
 /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
- owner @{tmp}/*/{,s} rw,
+ owner @{tmp}/.@{rand6}/{,s} rw,
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/sddm-auth* rw,
@@ -209,15 +209,15 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/xauth mr,
- owner @{HOME}/.Xauthority-c w,
- owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c,
+ owner @{HOME}/.Xauthority-c rw,
+ owner @{HOME}/.Xauthority-l rwl -> @{HOME}/.Xauthority-c,
 owner @{HOME}/.Xauthority-n rw,
 owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
 owner @{user_share_dirs}/sddm/xorg-session.log w,
- owner @{run}/sddm/\{@{uuid}\}-c w,
- owner @{run}/sddm/\{@{uuid}\}-l wl -> @{run}/sddm/\{@{uuid}\}-c,
+ owner @{run}/sddm/\{@{uuid}\}-c rw,
+ owner @{run}/sddm/\{@{uuid}\}-l rwl -> @{run}/sddm/\{@{uuid}\}-c,
 owner @{run}/sddm/\{@{uuid}\}-n rw,
 owner @{run}/sddm/\{@{uuid}\} rwl -> @{run}/sddm/\{@{uuid}\}-n,
diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session
index b1596876e..8d9c317c3 100644
--- a/apparmor.d/groups/kde/wayland-session
+++ b/apparmor.d/groups/kde/wayland-session
@@ -24,5 +24,7 @@ profile wayland-session @{exec_path} {
 owner @{user_share_dirs}/sddm/wayland-session.log rw,
+ /dev/tty rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index faad3b470..3481b9c5e 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -30,8 +30,7 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 /var/lib/calico/{,**} r,
 /var/log/calico/cni/ r,
- /var/log/calico/cni/cni.log rw,
- /var/log/calico/cni/cni-@{date}T@{time}.@{int}.log rw,
+ /var/log/calico/cni/*.log rw,
 /usr/share/mime/globs2 r,
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify
index f2e63b8c3..7d10b57af 100644
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@@ -10,6 +10,7 @@ include
 profile aa-notify @{exec_path} {
 include
 include
+ include
 include
 include
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index 04ede2100..3fb7158e9 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -19,6 +19,8 @@ profile cups-notifier-dbus @{exec_path} {
 /etc/cups/client.conf r,
+ owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
+ owner @{tmp}/cups-dbus-notifier-lockfile rwk,
 include if exists
diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop
index 653895c57..a2eff5a44 100644
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@@ -30,6 +30,7 @@ profile element-desktop @{exec_path} {
 @{exec_path} mr,
+ @{sh_path} r,
 @{open_path} rPx -> child-open-strict,
 /usr/share/webapps/element/{,**} r,
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index 9a2178f63..7c48c4d85 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -27,7 +27,7 @@ profile mount @{exec_path} flags=(attach_disconnected) {
 network inet stream,
 network inet6 stream,
- ptrace (read) peer=k3s,
+ ptrace (read),
 signal (receive) set=(term, kill),
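Review bot: `/var/log/calico/cni/*.log rw` retires the only user on this page of the `@{date}` and `@{time}` tunables, which the system tunables hunk at the end of the page deletes; that deletion only parses if no profile outside this diff still expands either variable, because an undefined variable fails the whole profile load, so a tree-wide grep before merge is worth the minute. The glob itself is a mild widening (any `.log` name inside a directory the profile already lists), which looks acceptable for a log directory.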
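Review bot: the two new lockfile rules disagree on permissions: `owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw` lacks `k`, while `owner @{tmp}/cups-dbus-notifier-lockfile rwk` has it. If the notifier locks the file in either location, the spool-directory variant will be denied the lock, so both should read `rwk` (or both `rw` if no lock is actually taken); as written the outcome depends on which directory the process happens to pick.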
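Review bot: `ptrace (read),` with the `peer=k3s` qualifier removed lets the mount profile read the `/proc/@{pid}/` state of every confined task on the system, where the old rule allowed it for a single peer. Since mount already holds `capability sys_admin`, the reason for the unrestricted form belongs beside the rule (e.g. `# reads /proc/@{pid}/mountinfo of arbitrary callers`, if that is the trigger), and if only a handful of callers prompted it, naming them in `peer=` keeps the previous, tighter shape.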
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index f27637aed..b873fb6a5 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -37,6 +37,7 @@ profile qemu-ga @{exec_path} {
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
+ @{PROC}/sys/vm/max_map_count r,
 owner @{PROC}/@{pid}/net/dev r,
 /dev/vport@{int}p@{int} rw,
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 5da321070..e25574bb9 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -36,8 +36,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /var/lib/nscd/passwd r,
-
 owner @{desktop_config_dirs}/user-dirs.dirs r,
 owner @{user_config_dirs}/user-dirs.dirs r,
@@ -45,5 +43,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pids}/task/@{tid}/comm rw,
+ owner /dev/tty@{int} rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount
index 79d7e1edc..8253f4335 100644
--- a/apparmor.d/profiles-s-z/umount
+++ b/apparmor.d/profiles-s-z/umount
@@ -20,16 +20,19 @@ profile umount @{exec_path} {
 capability setuid,
 capability sys_admin,
- umount,
-
 network inet stream,
 network inet6 stream,
+ umount,
+
 @{exec_path} mr,
 @{bin}/umount.* rPx,
 @{bin}/mount.* rPx,
+ /etc/mtab r,
+ /etc/fstab r,
+
 # Mount points
 @{HOME}/ r,
 @{HOME}/*/ r,
@@ -38,15 +41,10 @@ profile umount @{exec_path} {
 @{MOUNTS}/*/ r,
 @{MOUNTS}/*/*/ r,
- /media/cdrom[0-9]/ r,
-
- /etc/mtab r,
- /etc/fstab r,
-
- owner @{PROC}/@{pid}/mountinfo r,
-
 owner @{run}/mount/ rw,
 owner @{run}/mount/utab{,.*} rwk,
+ owner @{PROC}/@{pid}/mountinfo r,
+
 include if exists
 }
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index 5b1658729..ad7cf9133 100644
--- a/apparmor.d/tunables/multiarch.d/paths
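Review bot: the second umount hunk removes `/media/cdrom[0-9]/ r` with no replacement, which is only safe if `@{MOUNTS}` expands to include `/media/` so that `@{MOUNTS}/*/ r` still covers those mount points; the tunable is not on this page, so that should be confirmed before merge. The remaining lines of both umount hunks only move (`umount,`, `/etc/mtab`, `/etc/fstab`, `mountinfo`) and grant nothing new.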
+++ b/apparmor.d/tunables/multiarch.d/paths
@@ -4,6 +4,8 @@
 # Define some paths for some commonly used programs
+# All variables that refer to a path should have the `_path` suffix.
+
 # Shells
 @{sh_path} = @{bin}/@{sh}
 @{shells_path} = @{bin}/@{shells}
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index f15af0d8e..5a8348110 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -5,7 +5,7 @@
 # Define some variables for some commonly used profile. They may be used in
 # other profiles peer label.
-# All variables that refer to a profile should be prefixed with `p_`
+# All variables that refer to a profile name should be prefixed with `p_`
 # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user`
 @{p_systemd}=unconfined
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index d1cadbc80..300a46b84 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -67,10 +67,6 @@
 # hci devices
 @{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}
-# Date and time
-@{date}=[0-2][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]
-@{time}={[0-2],}[0-9]-[0-5][0-9]-[0-6][0-9]
-
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
 # system.