diff --git a/apparmor.d/groups/desktop/accounts-daemon b/apparmor.d/groups/desktop/accounts-daemon
index b61a53e32..22ea486e2 100644
--- a/apparmor.d/groups/desktop/accounts-daemon
+++ b/apparmor.d/groups/desktop/accounts-daemon
@@ -23,7 +23,7 @@ profile accounts-daemon @{exec_path} {
 @{exec_path} mr,
 /usr/share/accountsservice/{,**} r,
- /usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
+ /usr/share/dbus-1/interfaces/*.xml r,
 /etc/gdm/ r,
 /etc/gdm/custom.conf rw,
diff --git a/apparmor.d/groups/desktop/colord b/apparmor.d/groups/desktop/colord
index e92650958..cf5e5daae 100644
--- a/apparmor.d/groups/desktop/colord
+++ b/apparmor.d/groups/desktop/colord
@@ -41,7 +41,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/drm/ r,
 @{sys}/class/video4linux/ r,
- @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP}-*/{enabled,edid} r,
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
 @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 186b7dbce..4104f53e3 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -33,6 +33,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(kill) peer=passwd,
 @{exec_path} mr,
+
+ /{usr/,}bin/bash rUx,
 /{usr/,}bin/bwrap rPUx,
 /{usr/,}bin/gcm-viewer rix,
 /{usr/,}bin/locale rix,
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index d1d0a6b02..1372f8ff8 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
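Review bot: The new `/{usr/,}bin/bash rUx,` in gnome-control-center executes bash unconfined, so whatever the control center runs through that shell leaves the policy entirely, whereas the neighbouring `bwrap` rule at least uses `rPUx` (a named profile with unconfined fallback). The hunk gives no hint which action spawns the shell or why it cannot stay confined; if it only runs inline helper commands, `rix` keeps it inside this profile, and if it launches a known helper, a child profile via `rPx` is the pattern used elsewhere in this repository. At minimum the rule should carry a comment, e.g. `# TODO(review): document which action spawns bash and why it must run unconfined (Ux)`.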
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -14,11 +14,9 @@ profile gvfsd @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
-
- # Don't strip env here.
- /{usr/,}lib/gvfs/gvfsd-* rpx,
- @{libexec}/gvfsd-* rpx,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}lib/gvfs/gvfsd-* rpx,
+ @{libexec}/gvfsd-* rpx,
 /usr/share/gvfs/{,**} r,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index fbed03e51..804e5e9e2 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -41,17 +41,18 @@ profile systemd-journald @{exec_path} {
 @{run}/host/container-manager r,
- @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
- @{run}/udev/data/c10:224 r, # for /dev/tpm0
- @{run}/udev/data/c24[0-9]:[0-9]* r,
- @{run}/udev/data/+usb:* r,
- @{run}/udev/data/+pci:* r,
- @{run}/udev/data/+hid:* r,
 @{run}/udev/data/+acpi:* r,
- @{run}/udev/data/+scsi:* r,
 @{run}/udev/data/+bluetooth:* r,
- @{run}/udev/data/+usb-serial:* r,
+ @{run}/udev/data/+hid:* r,
+ @{run}/udev/data/+pci:* r,
 @{run}/udev/data/+platform* r,
+ @{run}/udev/data/+scsi:* r,
+ @{run}/udev/data/+usb-serial:* r,
+ @{run}/udev/data/+usb:* r,
+ @{run}/udev/data/c10:224 r, # for /dev/tpm0
+ @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ @{run}/udev/data/c23[0-9]:[0-9]* r,
+ @{run}/udev/data/c24[0-9]:[0-9]* r,
 @{sys}/devices/**/uevent r,
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
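Review bot: In the second gvfsd hunk the removed comment `# Don't strip env here.` was the only explanation for the lowercase `rpx` on the two `gvfsd-*` transitions, and the re-indented replacement lines keep `rpx` without it. Lowercase `p` passes the parent's environment through to the child profile, which is a deliberate departure from the `rPx` used throughout this commit, so the rationale should survive the cosmetic change. Restore it above the two rules as `# Don't strip env here: gvfsd-* backends transition with rpx, not rPx.`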
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index f4578f7af..5aa0e8c9e 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -7,9 +7,10 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/systemd/systemd-oomd
-profile systemd-oomd @{exec_path} {
+profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 capability dac_override,
 capability kill,
@@ -18,7 +19,13 @@ profile systemd-oomd @{exec_path} {
 /etc/systemd/oomd.conf r,
+ owner @{run}/systemd/notify rw,
+ owner @{run}/systemd/journal/socket w,
+ @{run}/systemd/io.system.ManagedOOM rw,
+ @{sys}/fs/cgroup/cgroup.controllers r,
+ @{sys}/fs/cgroup/memory.pressure r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
 @{PROC}/pressure/{cpu,io,memory} r,
diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed
index 3fb6943d6..a3c0bc9e1 100644
--- a/apparmor.d/groups/systemd/systemd-random-seed
+++ b/apparmor.d/groups/systemd/systemd-random-seed
@@ -15,10 +15,14 @@ profile systemd-random-seed @{exec_path} {
 @{exec_path} mr,
+ /etc/machine-id r,
+ /var/lib/systemd/ r,
 /var/lib/systemd/random-seed rw,
 @{PROC}/sys/kernel/random/poolsize r,
+ /dev/urandom w,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index 8d84f87a4..870083ca4 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
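Review bot: `flags=(attach_disconnected)` is added to the systemd-oomd profile header here, and to systemd-resolved, systemd-timesyncd and auditd later in this commit, each time without a comment. The flag makes paths that are disconnected from the namespace root (private mount namespaces, for example) match as if they were attached, which is a deliberate relaxation of path mediation, so each profile should record the denial that required it, e.g. `# attach_disconnected: TODO(review) record the disconnected-path denial this fixes`. Without that record the flag tends to stay forever even once the underlying cause is gone.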
@@ -1,17 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-3.0-only
 abi ,
+ include
 @{exec_path} = /{usr/,}lib/systemd/systemd-resolved
-profile systemd-resolved @{exec_path} {
+profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
+ include
 capability net_bind_service,
 capability net_raw,
@@ -28,20 +30,13 @@ profile systemd-resolved @{exec_path} {
 @{exec_path} mr,
- # Runtime directories
- /{,var/}run/systemd/netif/links/* r,
- /{,var/}run/systemd/resolve/{,**} rw,
-
- # Config
 /etc/systemd/resolved.conf r,
 /etc/systemd/resolved.conf.d/{,*} r,
- # Proc
- owner @{PROC}/*/stat r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/hostname r,
- @{PROC}/sys/kernel/osrelease r,
+ owner @{run}/systemd/journal/socket w,
+ owner @{run}/systemd/notify rw,
+ @{run}/systemd/netif/links/* r,
+ @{run}/systemd/resolve/{,**} rw,
- # System access
- @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+ include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 9f0e8d1d1..15168efde 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -8,13 +8,11 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
-profile systemd-timesyncd @{exec_path} {
+profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
-
- network inet dgram,
- network inet6 dgram,
+ include
+ include
 capability sys_time,
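Review bot: The systemd-resolved header hunk removes `# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/` while keeping `# SPDX-License-Identifier: GPL-3.0-only`, the license that notice arrived with. If any of the original profile text survives, the GPL requires the copyright notice to be preserved; if the profile was rewritten from scratch, the commit message should say so, and the license identifier should be reconsidered since the sibling profiles in this commit are GPL-2.0-only. Either way, silently dropping an upstream attribution line is not something a header clean-up should do.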
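Review bot: The second systemd-resolved hunk drops `owner @{PROC}/*/stat r`, `@{PROC}/cmdline r`, `@{PROC}/sys/kernel/hostname r`, `@{PROC}/sys/kernel/osrelease r` and `@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r` without replacing them here; presumably they are now supplied by the includes added in the first hunk, whose targets are not visible in this rendering. If that is the intent, the commit should name the abstraction that now carries them, because a rule that was not actually moved only shows up later as a runtime denial. The `/{,var/}run/` to `@{run}/` rewrite and the new `include if exists` local-override hook are fine as they stand.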
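Review bot: The systemd-timesyncd hunk removes `network inet dgram,` and `network inet6 dgram,`, leaving no visible network rule for an NTP client, so the two `include` lines added in their place must be what now grants the UDP sockets; their targets are stripped in this rendering, so that cannot be checked here. If the grant now comes from a shared network abstraction, a comment such as `# NTP: inet/inet6 dgram come from the include above` keeps the dependency visible next to `capability sys_time,`. Otherwise time synchronisation fails with nothing but an audit denial once the profile is enforced.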
@@ -29,6 +27,8 @@ profile systemd-timesyncd @{exec_path} {
 owner /var/lib/systemd/timesync/clock rw,
+ owner @{run}/systemd/journal/socket w,
+ owner @{run}/systemd/notify rw,
 owner @{run}/systemd/timesync/synchronized rw,
 @{run}/systemd/netif/state r,
 @{run}/resolvconf/*.conf r,
diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp
index 4463dde8f..b652795eb 100644
--- a/apparmor.d/groups/systemd/systemd-update-utmp
+++ b/apparmor.d/groups/systemd/systemd-update-utmp
@@ -20,6 +20,7 @@ profile systemd-update-utmp @{exec_path} {
 @{exec_path} mr,
 @{run}/host/container-manager r,
+ @{run}/systemd/private rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index 000b4ce4c..e75165f5b 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -23,6 +23,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 owner /var/cache/apparmor/{,**} rw,
 owner /var/lib/docker/tmp/docker-default[0-9]* r,
+ owner /var/lib/snapd/apparmor/{,**} r,
 owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
 @{sys}/kernel/security/apparmor/{,**} r,
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 9197e59bf..29c4937ad 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -16,8 +16,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
 @{exec_path} mr,
- # For file validation using the network
 /{usr/,}bin/curl rCx -> curl,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/tar rix,
 /usr/share/appdata/ r,
 /usr/share/applications/{,*.desktop} r,
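Review bot: In the systemd-update-utmp hunk, `@{run}/systemd/private rw,` grants read/write on the service manager's private control socket, the same channel `systemctl` uses to drive PID 1, and nothing in the hunk says why utmp bookkeeping needs it. If the intent is only to query the active target over sd-bus, that is still the full manager API behind that socket, so the rule deserves a comment such as `# PID 1 private control socket, used to query the active target`. If the service runs as root it could also carry `owner`, matching the `owner @{run}/systemd/notify rw,` rules added elsewhere in this commit.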
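Review bot: The appstreamcli hunk removes `# For file validation using the network`, leaving `/{usr/,}bin/curl rCx -> curl,` as the profile's only network egress path with no stated purpose, and the new `gzip`/`tar` `rix` rules do not say what archives are being unpacked either. Because the profile is still `flags=(complain)`, denials only log, so these comments are the only record of intent when the profile is eventually enforced. Keep the curl comment and add one for the pair, e.g. `# gzip/tar: unpacking appstream metadata archives — TODO(review) confirm`.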
@@ -33,15 +34,16 @@ profile appstreamcli @{exec_path} flags=(complain) {
 owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
 owner @{user_share_dirs}/mime/mime.cache r,
+ /var/lib/app-info/ w,
 /var/lib/app-info/yaml/ r,
 /var/lib/app-info/yaml/*_Components-*.yml.gz w,
- /var/lib/app-info/ w,
 /var/lib/apt/lists/ r,
 /var/lib/apt/lists/*_Components-*.gz r,
+ /var/lib/flatpak/appstream/{,**} r,
 /var/lib/swcatalog/ rw,
+ /var/lib/swcatalog/icons/{,**} rw,
 /var/lib/swcatalog/yaml/ rw,
 /var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
- /var/lib/flatpak/appstream/{,**} r,
 /var/cache/swcatalog/cache/{,**} rw,
 owner /var/cache/app-info/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd
index f0533ffb7..81074daa5 100644
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/auditd
-profile auditd @{exec_path} {
+profile auditd @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -29,7 +29,8 @@ profile auditd @{exec_path} {
 owner @{run}/auditd.pid rwl,
 owner @{run}/auditd.state rw,
- @{run}/systemd/userdb/ r,
+ @{run}/systemd/journal/dev-log w,
+ @{run}/systemd/userdb/ r,
 owner @{PROC}/@{pid}/attr/current r,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper
index 79756895c..1c98015f9 100644
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@@ -19,8 +19,11 @@ profile etckeeper @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/cat rix,
 /{usr/,}bin/chmod rix,
 /{usr/,}bin/cut rix,
+ /{usr/,}bin/diff rix,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
 /{usr/,}bin/dpkg-query rpx,
 /{usr/,}bin/find rix,
 /{usr/,}bin/getent rix,
@@ -34,9 +37,11 @@ profile etckeeper @{exec_path} {
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/sort rix,
+ /{usr/,}bin/tail rix,
 /{usr/,}bin/tty rix,
 /{usr/,}bin/uniq rix,
 /{usr/,}bin/whoami rix,
+ /{usr/,}bin/xargs rix,
 /{usr/,}lib/git-core/git* rix,
 /etc/.git/hooks/* rix,
@@ -54,7 +59,7 @@ profile etckeeper @{exec_path} {
 @{run}/resolvconf/resolv.conf r,
- owner /tmp/etckeeper-git* rw,
+ /tmp/etckeeper-git* rw,
 profile gpg {
 include
diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck
index 0b0258696..aaf73fd10 100644
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -13,6 +14,7 @@ profile fsck @{exec_path} {
 capability dac_override,
 capability dac_read_search,
+ capability sys_rawio,
 @{exec_path} mr,
@@ -21,19 +23,20 @@ profile fsck @{exec_path} {
 /etc/fstab r,
- @{PROC}/partitions r,
- owner @{PROC}/@{pid}/mountinfo r,
-
- owner @{run}/fsck/ rw,
- owner @{run}/fsck/*.lock rwk,
-
 # When a mount dir is passed to fsck as an argument.
 @{MOUNTS}/*/ r,
 /boot/ r,
 /home/ r,
+ owner @{run}/fsck/ rw,
+ owner @{run}/fsck/*.lock rwk,
 owner @{run}/blkid/blkid.tab{,-*} rw,
 owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
+ owner @{run}/systemd/fsck.progress w,
+ @{run}/mount/utab r,
+
+ @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/partitions r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/fsck-fat b/apparmor.d/profiles-a-f/fsck-fat
index 46fca2941..993475b67 100644
--- a/apparmor.d/profiles-a-f/fsck-fat
+++ b/apparmor.d/profiles-a-f/fsck-fat
@@ -20,5 +20,7 @@ profile fsck-fat @{exec_path} {
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+ owner @{run}/systemd/fsck.progress rw,
+
 include if exists
 }
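Review bot: In the second etckeeper hunk, replacing `owner /tmp/etckeeper-git* rw,` with `/tmp/etckeeper-git* rw,` removes the ownership check on a world-writable directory, so a root etckeeper run is now permitted to read and write any `/tmp/etckeeper-git*` entry whoever created it. That is precisely the situation the `owner` qualifier exists for under /tmp. If the change was driven by a denial on a file created under another uid (a hook run via sudo, perhaps), that case should be recorded in a comment and, if possible, handled by narrowing the pattern rather than by dropping `owner`; otherwise the original line is the safer one.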
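Review bot: In the fsck `@@ -13,6 +14,7 @@` hunk, `capability sys_rawio,` is a broad grant (raw device ioctls, ioperm/iopl, /dev/mem-class access) for a tool whose other rules only read and lock block-device metadata, and neither the denial nor the filesystem checker that needs it is recorded. Add a comment with the operation, e.g. `# sys_rawio: TODO(review) name the ioctl or checker that requires it`, so the capability can be dropped again if that checker changes. In the next hunk, the re-added `@{PROC}/@{pids}/mountinfo r,` also loses its `owner` qualifier and widens `@{pid}` to `@{pids}`, and the fsck-fat hunk that follows grants `@{run}/systemd/fsck.progress` `rw` where fsck grants only `w`; the two profiles should agree on the mode.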
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index fbfe19702..471ab9f3b 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -86,6 +86,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /dev/bus/usb/ r,
 /dev/bus/usb/[0-9]*/[0-9]* rw,
 /dev/drm_dp_aux[0-9]* rw,
+ /dev/hidraw[0-9]* rw,
 /dev/mei[0-9]* rw,
 /dev/mem r,
 /dev/sd[a-z]* r,
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index eb8f03e0b..79e1e553d 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -56,6 +56,7 @@ profile htop @{exec_path} {
 @{PROC}/@{pids}/comm r,
 @{PROC}/@{pids}/environ r,
 @{PROC}/@{pids}/io r,
+ @{PROC}/@{pids}/mounts r,
 @{PROC}/@{pids}/net/dev r,
 @{PROC}/@{pids}/oom_{,score_}adj r,
 @{PROC}/@{pids}/oom_score r,
diff --git a/apparmor.d/profiles-g-l/less b/apparmor.d/profiles-g-l/less
deleted file mode 100644
index 8602c4c83..000000000
--- a/apparmor.d/profiles-g-l/less
+++ /dev/null
@@ -1,33 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
-# 2021 Alexandre Pujol
-# SPDX-License-Identifier: GPL-3.0-only
-
-abi ,
-
-include
-
-@{exec_path} = /{usr/,}bin/less
-profile less @{exec_path} {
- include
- include
-
- capability dac_read_search,
- capability dac_override,
-
- @{exec_path} mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/source-highlight rix,
- /{usr/,}bin/src-hilite-lesspipe.sh rix,
-
- @{system_share_dirs}/terminfo/{,**} r,
-
- @{user_cache_dirs}/lesshs* rw,
- owner /root/.lesshs* rw,
-
- /{,**} r,
- deny /{,**} w,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 7be09a458..ee622d5ab 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
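Review bot: In the fwupd hunk, `/dev/hidraw[0-9]* rw,` covers every raw HID node on the system, which on a desktop includes keyboards, mice and hardware authenticators, not only the devices fwupd can flash. Write access to all of them is presumably what fwupd's HID-based plugins need, but the profile is still `flags=(complain,attach_disconnected)`, so nothing is enforced yet and the rule will be accepted without review when the flag is eventually removed. Give it a comment naming the plugin family it serves, e.g. `# hidraw: HID firmware plugins — TODO(review) confirm which`, next to the similarly broad `/dev/mei[0-9]* rw,`.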
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -67,51 +68,47 @@ profile run-parts @{exec_path} {
 /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/rmdir rix,
- /{usr/,}bin/dirname rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/mv rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/chmod rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/kmod rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/tr rix,
 /{usr/,}bin/uname rix,
 /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/kmod rix,
-
- /{usr/,}bin/dpkg rPx -> child-dpkg,
-
- /{usr/,}sbin/dkms rPx,
- /{usr/,}sbin/update-initramfs rPx,
- /{usr/,}lib/dkms/dkms_autoinstaller rPx,
- /{usr/,}bin/apt-config rPx,
-
- # (#FIXME#)
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/systemd-detect-virt rPx,
+ /{usr/,}lib/dkms/dkms_autoinstaller rPx,
+ /{usr/,}sbin/dkms rPx,
 /{usr/,}sbin/update-grub rPUx,
- /{usr/,}bin/systemd-detect-virt rPUx,
+ /{usr/,}sbin/update-initramfs rPx,
+
+ /{usr/,}lib/modules/*/updates/ w,
+ /{usr/,}lib/modules/*/updates/dkms/ w,
 # For shell pwd
 / r,
 /boot/ r,
-
+ /etc/apt/apt.conf.d/ r,
 /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
-
- # For kmod
- @{PROC}/cmdline r,
 /etc/modprobe.d/ r,
 /etc/modprobe.d/*.conf r,
- /{usr/,}lib/modules/*/updates/ w,
- /{usr/,}lib/modules/*/updates/dkms/ w,
+
+ @{run}/reboot-required.pkgs w,
 @{PROC}/devices r,
+ @{PROC}/cmdline r,
 }
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index c8ebcc872..78f2424e2 100644
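Review bot: In the run-parts `@@ -67,51 +68,47 @@` hunk the `# (#FIXME#)` marker above `/{usr/,}sbin/update-grub rPUx,` is deleted while the rule keeps its unconfined fallback, so the one transition in the profile that can still leave confinement is now undocumented; the same hunk tightens `systemd-detect-virt` from `rPUx` to `rPx`, which shows the fallback was considered a defect. If update-grub simply has no profile yet, say so where the marker was: `# update-grub: no profile yet, falls back to unconfined (FIXME)`. Dropping `/{usr/,}bin/apt-config rPx,` without a replacement is also worth a word in the commit message, since nothing in the hunk shows where that transition went.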
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -13,6 +13,7 @@ profile scrcpy @{exec_path} {
 include
 include
 include
+ include
 network inet stream,
 network inet6 stream,
diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup
index 90bebb8b7..ea2d98de7 100644
--- a/apparmor.d/profiles-s-z/swtpm_setup
+++ b/apparmor.d/profiles-s-z/swtpm_setup
@@ -22,6 +22,7 @@ profile swtpm_setup @{exec_path} {
 /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r,
 owner /tmp/swtpm_setup.certs.*/ w,
+ owner /tmp/swtpm_setup.certs.*/*.cert rw,
 owner /tmp/.swtpm_setup.pidfile* rw,
 @{run}/systemd/userdb/ r,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 5439336f7..d197e1a31 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -102,6 +102,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/net/route r,
+ /dev/media[0-9]* r,
 /dev/video[0-9]* rw,
 # Silence the noise
diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal b/apparmor.d/profiles-s-z/xdg-desktop-portal
index a6b7dcfa7..1c25e8192 100644
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal
@@ -9,8 +9,9 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
+ include
 capability sys_ptrace,
@@ -40,8 +41,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 /var/lib/flatpak/exports/share/applications/{**,} r,
 owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
-
- include
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome b/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
index a64210e79..18ef020e2 100644
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} {
 include
+ include
 include
 include
 include
@@ -19,10 +20,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/X11/xkb/{,**} r,
- owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
-
- include
 owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
index 09bd2b382..27fb6a9e7 100644
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{libexec}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
 include
+ include
 include
 include
 include
@@ -27,12 +28,10 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 owner @{HOME}/ r,
 owner @{HOME}/.* r,
 owner @{HOME}/@{XDG_DATA_HOME}/ r,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
-
- include
 owner @{run}/user/@{uid}/dconf/user rw,
-
- @{run}/mount/utab r,
+ @{run}/mount/utab r,
 owner @{PROC}/@{uid}/mountinfo r,