diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 4af0396ca..247146654 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -158,6 +158,10 @@
 owner /tmp/tmp.*/ rw,
 owner /tmp/tmp.*/** rwk,
+ # libpam-tmpdir support
+ owner /tmp/user/@{uid}/ rw,
+ owner /tmp/user/@{uid}/** rwk,
+
 /dev/shm/ r,
 owner /dev/shm/.@{domain}* rw,
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict
index 78afea1e3..70d5711d5 100644
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@@ -15,6 +15,7 @@
 /etc/vulkan/implicit_layer.d/{,*.json} r,
 owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
+ owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache
 @{sys}/class/ r,
 @{sys}/class/drm/ r,
@@ -23,4 +24,5 @@
 @{sys}/devices/@{pci}/drm/card@{int}/metrics/ r,
 @{sys}/devices/@{pci}/drm/card@{int}/metrics/@{uuid}/id r,
- include if exists
\ No newline at end of file
+ include if exists
+
diff --git a/apparmor.d/profiles-m-r/msedge b/apparmor.d/profiles-m-r/msedge
new file mode 100644
index 000000000..a45f0b0af
--- /dev/null
+++ b/apparmor.d/profiles-m-r/msedge
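Review bot: The new `owner /tmp/user/@{uid}/** rwk,` rule opens the whole per-user tmp tree to the browser, which is broader than the neighbouring `owner /tmp/tmp.*/** rwk,` it is modelled on: under libpam-tmpdir every other program of the same user also writes its scratch files into `/tmp/user/@{uid}/`, and this abstraction is shared by the browser's child processes, so all of them gain read/write/lock on those files. If the browser only needs its mkdtemp-style directories, the parallel rules would be `owner /tmp/user/@{uid}/ rw,` plus `owner /tmp/user/@{uid}/tmp.*/{,**} rwk,`; if other `/tmp` patterns in this abstraction (outside the hunk) also need mirroring under the per-user directory, list them explicitly rather than granting `**`. The enclosing abstraction starts and ends outside the hunk.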
@@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = msedge{,-beta,-dev}
+@{domain} = com.microsoft.Edge
+@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev}
+@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev}
+@{cache_dirs} = @{user_cache_dirs}/microsoft-edge{,-beta,-dev}
+
+@{exec_path} = @{lib_dirs}/@{name}
+profile msedge /opt/microsoft/msedge{,-beta,-dev}/msedge{,-beta,-dev} {
+ include
+ include
+
+ @{exec_path} mrix,
+ @{lib_dirs}/microsoft-edge{,beta,-dev} rpx,
+
+ @{bin}/man rpux, # For "chrome --help"
+
+ @{lib_dirs}/xdg-mime rix, #-> xdg-mime,
+ @{lib_dirs}/xdg-settings rix, #-> xdg-settings,
+
+ @{lib_dirs}/msedge_crashpad_handler rpx,
+
+ @{lib_dirs}/*.so* mr,
+ @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr,
+
+ owner @{user_cache_dirs}/Microsoft/** rwk,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/msedge-crashpad-handlers b/apparmor.d/profiles-m-r/msedge-crashpad-handlers
new file mode 100644
index 000000000..c9572f502
--- /dev/null
+++ b/apparmor.d/profiles-m-r/msedge-crashpad-handlers
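Review bot: `@{lib_dirs}/microsoft-edge{,beta,-dev} rpx,` has a typo in its alternation: `{,beta,-dev}` expands to `microsoft-edge`, `microsoft-edgebeta` and `microsoft-edge-dev`, so the beta wrapper `/opt/microsoft/msedge-beta/microsoft-edge-beta` (spelled `{,-beta,-dev}` everywhere else in this file) never matches and that exec is denied; it should read `@{lib_dirs}/microsoft-edge{,-beta,-dev} rpx,`. Separately, `@{bin}/man rpux,` falls back to unconfined execution whenever no `man` profile is loaded, which hands a browser-spawned child a way out of confinement; unless that fallback is deliberate, prefer `@{bin}/man rPx,` (or `rpx`) so a missing profile fails closed, and fix the copy-pasted comment to `# For "msedge --help"`.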
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev}
+@{config_dirs} = @{user_config_dirs}/microsoft-edge{,-beta,-dev}
+
+@{exec_path} = @{lib_dirs}/msedge_crashpad_handler
+profile msedge-crashpad-handler /opt/microsoft/msedge{,-beta,-dev}/msedge_crashpad_handler {
+ include
+
+ capability sys_ptrace,
+
+ ptrace peer=msedge,
+ signal (send) peer=msedge,
+
+ @{exec_path} mrix,
+
+ owner "@{config_dirs}/Crash Reports/**" rwk,
+
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pids}/mem r,
+ owner @{PROC}/@{pids}/stat r,
+ owner @{PROC}/@{pids}/task/ r,
+
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/msedge-sandbox b/apparmor.d/profiles-m-r/msedge-sandbox
new file mode 100644
index 000000000..e113c586d
--- /dev/null
+++ b/apparmor.d/profiles-m-r/msedge-sandbox
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev}
+
+@{exec_path} = @{lib_dirs}/msedge-sandbox
+profile msedge-sandbox /opt/microsoft/msedge{,-beta,-dev}/msedge-sandbox {
+ include
+
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_chroot,
+ capability sys_resource,
+
+ @{exec_path} mr,
+
+ @{lib_dirs}/msedge{,-beta,-dev} rpx,
+
+ @{PROC} r,
+ @{PROC}/@{pids}/ r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+
+ include if exists
+}
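Review bot: The file is added as `profiles-m-r/msedge-crashpad-handlers` but declares `profile msedge-crashpad-handler` (singular), while the two sibling files in this commit, `msedge-sandbox` and `msedge-wrapper`, are named exactly after their profile; the trailing `s` looks like a typo and the file should be renamed `msedge-crashpad-handler` so file, profile name and the `include if exists` local override stay aligned. On the rules, `owner @{PROC}/@{pids}/mem r,` reads the memory of any same-uid process on its face, but opening another process's `/proc/<pid>/mem` is subject to the kernel's ptrace access check, so in practice the `ptrace peer=msedge,` rule above is what bounds it; that dependency deserves a comment, e.g. `# /proc/*/mem and task/ reads are gated by the ptrace peer=msedge rule above`, so a future edit relaxing the ptrace peer does not silently widen memory access.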
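Review bot: The five `capability` lines in `msedge-sandbox` carry no justification, and `capability sys_admin,` in particular is the broadest grant in the whole commit; for a browser sandbox helper this is the rule set a reviewer questions first, so each line should say what it is for, e.g. `capability sys_admin, # namespace setup (unshare) for the sandboxed child — confirm`, `capability sys_chroot, # chroot of the sandboxed child — confirm`, `capability sys_resource, # adjusts child resource limits — confirm`. Whether the binary is installed setuid root is not visible in this hunk; if it is, state that in the header comment as well, since it is what makes `@{lib_dirs}/msedge{,-beta,-dev} rpx,` a transition from a privileged helper into the browser profile and worth keeping as `rpx` rather than `rix`.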
diff --git a/apparmor.d/profiles-m-r/msedge-wrapper b/apparmor.d/profiles-m-r/msedge-wrapper
new file mode 100644
index 000000000..3b90f3992
--- /dev/null
+++ b/apparmor.d/profiles-m-r/msedge-wrapper
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{lib_dirs} = /opt/microsoft/msedge{,-beta,-dev}
+
+@{exec_path} = @{lib_dirs}/microsoft-edge{,-beta,-dev}
+profile msedge-wrapper /opt/microsoft/msedge{,-beta,-dev}/microsoft-edge{,-beta,-dev} flags=(attach_disconnected) {
+ include
+ include
+
+ @{exec_path} r,
+
+ @{sh_path} rix,
+ @{bin}/cat rix,
+ @{bin}/dirname rix,
+ @{bin}/mkdir rix,
+ @{bin}/readlink rix,
+ @{bin}/touch rix,
+ @{bin}/which{,.debianutils} rix,
+
+ @{lib_dirs}/msedge rpx,
+
+ owner @{user_config_dirs}/msedge-flags.conf r,
+
+ owner @{PROC}/@{pid}/fd/* rw,
+
+ # File Inherit
+ owner @{HOME}/.xsession-errors w,
+
+ # Silencer
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ include if exists
+}
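Review bot: `@{lib_dirs}/msedge rpx,` lets the wrapper exec only a binary literally named `msedge`, whereas the `msedge` and `msedge-sandbox` profiles added in the same commit attach to and transition into `msedge{,-beta,-dev}`; if the beta and dev channels ship the binary as `msedge-beta`/`msedge-dev`, as those two profiles assume, this wrapper cannot launch the browser for them and the exec is denied. Either align it as `@{lib_dirs}/msedge{,-beta,-dev} rpx,`, or, if the binary is always `msedge` regardless of channel, drop the `{,-beta,-dev}` from the binary name in the other two profiles so that all three agree on one spelling. `owner @{PROC}/@{pid}/fd/* rw,` is unusual enough for a shell wrapper to deserve a one-line comment on which redirection in the script needs it; I cannot tell from the hunk.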