diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 4c506da69..d3e2cef4f 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -4,7 +4,6 @@ abi , - # The unix socket to use to connect to the display unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a3948e144..ebaced47f 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -26,7 +26,7 @@ @{PROC}/modules r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/mmap_min_addr r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 5b41f7b7c..31622c1bd 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -102,6 +102,8 @@ profile aa-notify @{exec_path} { /etc/apparmor.d/** rw, /etc/apparmor/* r, + @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8a7c9755f..bee1c0fe8 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -50,6 +50,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/apt-listchanges rPx, @{bin}/dpkg rPx, + @{bin}/dpkg-divert rPx, @{bin}/dpkg-preconfigure rPx, @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, @@ -64,6 +65,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, + /etc/apport/report-ignore/ r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, diff --git a/apparmor.d/groups/cups/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism index 89d55c2f1..89d517631 100644 --- a/apparmor.d/groups/cups/cups-pk-helper-mechanism +++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism @@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} { /etc/cups/ppd/*.ppd r, - owner @{tmp}/[a-z0-9]* rw, + owner @{tmp}/@{int} rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index f832d285e..a8244bce9 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -56,6 +56,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, /dev/input/event* r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d54ed16fc..4440b80e3 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal send set=hup peer=xorg, signal send set=hup peer=xwayland, - unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system, + unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon #aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index c0f131dd1..ee9c147b6 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,6 +21,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index a9575dd89..bbd4b7438 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -17,13 +17,13 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, - signal receive set=(term cont) peer=*//systemctl, - signal receive set=(term cont) peer=deb-systemd-invoke, - signal receive set=(term cont) peer=default, - signal receive set=(term cont) peer=logrotate, - signal receive set=(term cont) peer=makepkg//sudo, - signal receive set=(term cont) peer=role_*, - signal receive set=(term cont) peer=rpm, + signal receive set=(term cont winch) peer=*//systemctl, + signal receive set=(term cont winch) peer=deb-systemd-invoke, + signal receive set=(term cont winch) peer=default, + signal receive set=(term cont winch) peer=logrotate, + signal receive set=(term cont winch) peer=makepkg//sudo, + signal receive set=(term cont winch) peer=role_*, + signal receive set=(term cont winch) peer=rpm, @{exec_path} mrix, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 6d3e1972d..a4dec5d34 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -30,7 +30,7 @@ profile ffplay @{exec_path} { owner @{user_videos_dirs}/** rw, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 63bb82f11..8250cf8aa 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -40,6 +40,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-settings rPx -> freetube//&xdg-settings, deny @{sys}/devices/@{pci}/usb@{int}/** r, + deny /dev/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index b1b4ccb70..191ac5782 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -100,7 +100,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex32} rw, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index b4ae4b211..1dc744ff3 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -24,6 +24,8 @@ profile rsyslogd @{exec_path} { capability sys_nice, capability syslog, + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 783e58237..369046b6b 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -14,11 +14,11 @@ profile swtpm @{exec_path} { @{exec_path} mr, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw, - /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw, + /tmp/.swtpm_setup.pidfile.* rw, /tmp/@{int}/.lock rwk, /tmp/@{int}/TMP* rw,