diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 5b1c69114..5c57f6bfb 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -23,6 +23,8 @@ profile apt-helper @{exec_path} { include include + capability net_admin, + include if exists } diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 2e5d0c2c4..9ce820acd 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -92,6 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/cache/apt/{,**} rwk, /var/lib/apt/extended_states{,.*} rw, + /var/lib/apt/lists/ rw, + /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, /var/log/apt/{term,history}.log w, /var/log/apt/eipp.log.xz w, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 13eadbce5..a14e13b85 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -21,12 +21,8 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=ibus-*), unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=gnome-shell), - dbus bind bus=session name=org.freedesktop.portal.IBus, - - dbus bind bus=session name=org.freedesktop.IBus, - dbus send bus=session path=/org/freedesktop/IBus - interface=org.freedesktop.DBus.Peer - peer=(name=org.freedesktop.portal.IBus), # all members, all peer's labels + # dbus: own bus=session name=org.freedesktop.portal.IBus + # dbus: own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 9bfbb4e29..1422f1155 100644 --- a/apparmor.d/groups/freedesktop/pipewire 
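Review bot: `capability net_admin,` is added to apt-helper with no comment on which operation triggers it, and it is the broadest of the network capabilities (interface, routing and netfilter configuration, privileged socket options) granted to a helper that presumably handles downloaded data. If the rule comes from a single audit denial, such as a `setsockopt` the program tolerates failing, `deny capability net_admin,` would silence the log without widening the profile; if it is really required, a justification such as `capability net_admin, # TODO: needed for <which syscall?>` keeps the next reviewer from dropping it. The profile header is outside the hunk.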
+++ b/apparmor.d/groups/freedesktop/pipewire @@ -51,10 +51,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/pipewire/pipewire-pulse.conf r, owner @{user_config_dirs}/pipewire/pipewire.conf r, - + owner /tmp/librnnoise-@{int}.so rm, - owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pulse/pid rw, @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 9af2ad8fe..31445ea84 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -22,12 +22,10 @@ profile pulseaudio @{exec_path} { include include include - include - include + include include include include - include ptrace (trace) peer=@{profile_name}, @@ -89,6 +87,8 @@ profile pulseaudio @{exec_path} { /usr/share/ladspa/rdf/{,*} r, /usr/share/pulseaudio/{,**} r, + /etc/pulse/{,**} r, + /var/lib/snapd/desktop/applications/ r, # For GDM @@ -117,8 +117,8 @@ profile pulseaudio @{exec_path} { owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, owner @{run}/user/@{uid}/ rw, - owner @{run}/user/@{uid}/pulse/{,*} rw, - owner @{run}/user/@{uid}/pulse/*.lock k, + owner @{run}/user/@{uid}/pulse/ rw, + owner @{run}/user/@{uid}/pulse/** rwk, owner @{run}/user/@{uid}/systemd/notify rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index db095264d..7ff8a164a 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
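Review bot: `owner /tmp/librnnoise-@{int}.so rm,` lets pipewire map and execute a shared object out of `/tmp`, so any process running as the same user, including unconfined ones, can drop a library there and have it loaded under the pipewire label; the `owner` qualifier only checks the file's uid, not which program wrote it. I am inferring from the name that a noise-suppression plugin extracts this library at runtime; if so, it would be safer to document that and prefer a per-user runtime path, e.g. `owner @{run}/user/@{uid}/librnnoise-@{int}.so rm,` when the plugin honours `TMPDIR`/`XDG_RUNTIME_DIR`, or at least to keep the `/tmp` rule behind a comment explaining why code loading from a shared temp directory is acceptable here. The new `*-manager.lock` and `pulse/pid` rules look fine. The profile continues outside the hunk.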
@@ -36,7 +36,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { signal (receive) peer=sddm, signal (receive) peer=xinit, signal (receive) set=hup peer=gdm-session-worker, - signal (receive) set=term peer=gdm{,-x-session}, + signal (receive) set=term peer=gdm{,-session}, unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*, unix (send, receive, accept) type=stream addr=@/tmp/.X11-unix/*, # all peers diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 134a8747d..878c53090 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -18,6 +18,8 @@ profile gnome-initial-setup @{exec_path} { include include + network inet dgram, + network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, @@ -40,8 +42,8 @@ profile gnome-initial-setup @{exec_path} { /var/lib/gdm{,3}/greeter-dconf-defaults r, - @{run}/systemd/sessions/@{int} r, - owner @{run}/systemd/users/@{uid} r, + @{run}/systemd/sessions/@{int} r, + @{run}/systemd/users/@{uid} r, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 37a000ad6..96054eff5 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -16,6 +16,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -35,11 +36,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { member=PowerOff peer=(name=:*, label=systemd-logind), - dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=upowerd), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll 
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 1363f3d05..8a49cec4a 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/mutter-x11-frames -profile mutter-x11-frames @{exec_path} { +profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 6ef296f40..ba5a97ee7 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -21,6 +21,7 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, + /boot/ r, /boot/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 8a429a545..f7ddb8eaf 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -30,6 +30,7 @@ profile konsole @{exec_path} flags=(attach_disconnected) { /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, + /usr/share/knotifications{5,6}/konsole.notifyrc r, /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/konsole/{,**} r, /usr/share/sounds/** r, @@ -49,7 +50,8 @@ profile konsole @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_share_dirs}/konsole/{,**} rwlk, + owner @{user_share_dirs}/konsole/ rw, + owner @{user_share_dirs}/konsole/** rwlk, owner /tmp/#@{int} rw, owner /tmp/konsole.@{rand6} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 5b644ecbe..372994ef6 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -31,6 +31,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include # userns, 
@@ -39,6 +40,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { network inet6 dgram, network inet stream, network inet6 stream, + network netlink dgram, network netlink raw, ptrace (read) peer=akonadi*, @@ -114,6 +116,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwkl -> @{user_cache_dirs}/plasmashell/**, + owner @{user_cache_dirs}/org.kde.*/ rw, + owner @{user_cache_dirs}/org.kde.*/** rwlk, owner @{user_config_dirs}/{KDE,kde.org}/ rw, owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#@{int}, @@ -160,6 +164,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma/plasmoids/{,**} r, owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**, owner @{user_share_dirs}/user-places.xbel{,*} rwl, + owner @{user_share_dirs}/libkunitconversion/ rw, + owner @{user_share_dirs}/libkunitconversion/** rwlk, /tmp/.mount_nextcl@{rand6}/{,*} r, owner /tmp/#@{int} rw, diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter index 639cfc171..0599abb55 100644 --- a/apparmor.d/groups/kde/utempter +++ b/apparmor.d/groups/kde/utempter @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}utempter/utempter profile utempter @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index fc0498671..4807101a9 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -130,6 +130,8 @@ profile pacman @{exec_path} { owner /tmp/checkup-db-@{int}/sync/{,*.db*} rw, owner /tmp/checkup-db-@{int}/db.lck rw, + @{run}/utmp rk, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, 
@@ -140,8 +142,6 @@ profile pacman @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - @{run}/utmp rk, - /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index cd30a18b9..41ec8b06d 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -35,9 +35,10 @@ profile ssh-agent @{exec_path} { owner /tmp/ssh-*/ rw, owner /tmp/ssh-*/agent.* rw, - @{run}/user/@{uid}/openssh_agent rw, - @{run}/user/@{uid}/keyring/.ssh rw, - @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w, + owner @{run}/user/@{uid}/keyring/.ssh rw, + owner @{run}/user/@{uid}/openssh_agent rw, + owner @{run}/user/@{uid}/ssh-agent.@{rand6} w, + owner @{run}/user/@{uid}/gcr/.ssh w, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index 282135b91..299f29e3a 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -25,6 +25,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { /etc/cloud/{,**} r, @{run}/cloud-init/{,.}ds-identify.* rw, + @{run}/cloud-init/cloud.cfg rw, @{sys}/devices/virtual/dmi/id/chassis_asset_tag r, @{sys}/devices/virtual/dmi/id/product_name r, diff --git a/apparmor.d/groups/systemd/systemd-id128 b/apparmor.d/groups/systemd/systemd-id128 index ad8e7b904..6b5fd8c27 100644 --- a/apparmor.d/groups/systemd/systemd-id128 +++ b/apparmor.d/groups/systemd/systemd-id128 @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/systemd-id128 profile systemd-id128 @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 692a347aa..7aaee86e4 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined 
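Review bot: Narrowing `@{run}/user/@{uid}/ssh-agent.[0-9A-Z]*` to `owner @{run}/user/@{uid}/ssh-agent.@{rand6}` only holds if whatever launches the agent names the socket with exactly six mkstemp-style characters; the old glob also matched longer suffixes, so if the name comes from a session script not visible here, please confirm the generator or `bind` will start failing with a denial. Adding `owner` to all four `@{run}/user/@{uid}/...` socket paths is a good tightening, and `owner @{run}/user/@{uid}/gcr/.ssh w` matches gcr-ssh-agent starting `ssh-agent -a` on that path as far as I know; a comment such as `# gcr-ssh-agent spawns ssh-agent -a on this socket` would make the dependency explicit. The profile continues outside the hunk.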
@@ -24,6 +24,12 @@ profile systemd-machined @{exec_path} {
 capability sys_chroot,
 capability sys_ptrace,
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
 # dbus: own bus=system name=org.freedesktop.machine1
 # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 657e635f3..68ca4cb2d 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -15,13 +15,16 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 capability dac_override,
 capability kill,
+ unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,
+
 # dbus: own bus=system name=org.freedesktop.oom1
 @{exec_path} mr,
 /etc/systemd/oomd.conf r,
- @{run}/systemd/io.system.ManagedOOM rw,
+ @{run}/systemd/io.system.ManagedOOM rw,
+ @{run}/systemd/io.systemd.ManagedOOM rw,
 @{run}/systemd/notify rw,
 owner @{run}/systemd/journal/socket w,
diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled
index fb02e4b4a..00760c635 100644
--- a/apparmor.d/groups/systemd/systemd-portabled
+++ b/apparmor.d/groups/systemd/systemd-portabled
@@ -11,8 +11,26 @@ profile systemd-portabled @{exec_path} {
 include
 include
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability mknod,
+ capability setgid,
+ capability sys_admin,
+ capability sys_chroot,
 capability sys_ptrace,
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ # dbus: own bus=system name=org.freedesktop.portable1
+
 @{exec_path} mr,
 /var/lib/portables/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk
index 5e13c384f..f73936734 100644
--- a/apparmor.d/profiles-a-f/cctk
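Review bot: The five new `network` rules give systemd-machined full TCP/UDP socket access, which is more than its visible job suggests: it owns `org.freedesktop.machine1` and talks to systemd over D-Bus, both of which are unix sockets. `network netlink raw` is plausible for enumerating container network interfaces, but `network inet{,6} stream`/`dgram` on a root daemon are typically only triggered by a glibc NSS/getaddrinfo lookup; if that is the origin here, a `deny network inet,`/`deny network inet6,` pair keeps the audit log quiet without adding attack surface. If they are genuinely needed, a one-line justification next to them, e.g. `network netlink raw, # container interface enumeration`, would stop this being re-litigated. The profile header is outside the hunk.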
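Review bot: The old `@{run}/systemd/io.system.ManagedOOM rw,` line (note `io.system`, not `io.systemd`) is kept alongside the newly added, correctly spelled `@{run}/systemd/io.systemd.ManagedOOM rw,`; as far as I know the varlink socket oomd serves is `io.systemd.ManagedOOM`, so the first path looks like a typo being carried forward rather than a second real file. Dropping it is the cleaner fix; if it is retained deliberately for some systemd version, a comment saying so would stop it reading as a mistake. The new `unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,` follows the sd-bus abstract socket naming and looks right. The profile header is outside the hunk.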
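Review bot: The ten new `capability` rules (`sys_admin`, `dac_override`, `dac_read_search`, `mknod`, `chown`, `setgid`, `fowner`, `fsetid`, `kill`, `sys_chroot`) make systemd-portabled effectively root-equivalent within its path rules, and none carries a comment saying which operation needs it. `sys_admin`, `sys_chroot` and `mknod` fit mounting and dissecting portable images under `/var/lib/portables/`, but `fsetid`, `fowner` and `setgid` are less obvious and deserve a note, e.g. `capability sys_admin, # mount/umount portable service images` and similar one-liners per capability. As with systemd-machined in this same commit, `network inet{,6} stream`/`dgram` is surprising for a daemon that manages local images; if it stems from an NSS lookup, prefer `deny` for the inet families over a blanket allow. The profile header is outside the hunk.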
+++ b/apparmor.d/profiles-a-f/cctk
@@ -23,10 +23,12 @@ profile cctk @{exec_path} {
 /opt/dell/srvadmin/lib64/*.so* rm,
 /opt/dell/srvadmin/var/lib/openmanage/.ipc/* rwk,
+ @{sys}/devices/platform/dcdbas/smi_data* rwk,
 @{sys}/firmware/dmi/tables/DMI r,
 @{sys}/firmware/dmi/tables/smbios_entry_point r,
 @{sys}/firmware/efi/systab r,
+ /dev/mem r,
 /dev/wmi/dell-smbios r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd
index 5d12a6e7b..97ef4359a 100644
--- a/apparmor.d/profiles-s-z/unix-chkpwd
+++ b/apparmor.d/profiles-s-z/unix-chkpwd
@@ -21,6 +21,10 @@ profile unix-chkpwd @{exec_path} {
 /etc/shadow r,
+ # systemd userdb, used in nspawn
+ @{run}/host/userdb/*.user r,
+ @{run}/host/userdb/*.user-privileged r,
+
 owner /dev/tty@{int} rw,
 include if exists
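Review bot: `/dev/mem r,` grants cctk read access to physical memory; with `CONFIG_STRICT_DEVMEM` the kernel limits that to non-RAM regions (firmware tables, MMIO), but on kernels built without it the rule exposes all of RAM, including kernel memory and other processes' secrets, to a tool that already reaches the SMBIOS tables through `@{sys}/firmware/dmi/tables/DMI` and `/dev/wmi/dell-smbios`. It is worth checking whether cctk actually reads `/dev/mem` on current kernels or only probes it before falling back to sysfs; if the latter, `deny /dev/mem r,` removes the audit noise without the exposure. If it is genuinely required, make the grant explicit with `/dev/mem r, # legacy SMBIOS/EFI table scan; STRICT_DEVMEM limits scope`. The `dcdbas/smi_data*` rule triggers SMI calls into the BIOS, which is the documented purpose of that driver and looks consistent with the rest of the profile.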
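Review bot: The comment `# systemd userdb, used in nspawn` undersells what the second rule grants: as far as I know the `*.user-privileged` records are exactly where systemd keeps the fields withheld from the world-readable `*.user` record, notably the password hash, so this is the userdb counterpart of the `/etc/shadow r,` line directly above it. A more specific comment would make that explicit for the next reader, e.g. `# systemd userdb records exposed by nspawn --bind-user; the *-privileged file carries the password hash (cf. /etc/shadow above)`. Read-only access is what unix-chkpwd needs for verification, so the permissions themselves look right.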