diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index be07256ae..69273720e 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -48,6 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
+ owner /var/tmp/etilqs_@{hex15} rw,
 owner /var/tmp/etilqs_@{hex16} rw,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session
index e349d85c1..171a93338 100644
--- a/apparmor.d/groups/gnome/gnome-session
+++ b/apparmor.d/groups/gnome/gnome-session
@@ -17,8 +17,8 @@ profile gnome-session @{exec_path} {
 @{shells_path} rix,
 @{bin}/cat rix,
- @{bin}/gettext.sh r,
 @{bin}/gettext rix,
+ @{bin}/gettext.sh r,
 @{bin}/grep rix,
 @{bin}/head rix,
 @{bin}/id rix,
@@ -28,6 +28,7 @@ profile gnome-session @{exec_path} {
 @{bin}/readlink rix,
 @{bin}/realpath rix,
 @{bin}/sed rix,
+ @{bin}/tput rix,
 @{bin}/tr rix,
 @{bin}/tty rix,
 @{bin}/uname rPx,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 2ebff5ddf..f5652135a 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -109,9 +109,12 @@ profile gnome-software @{exec_path} {
 owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,
 @{run}/systemd/inhibit/*.ref rw,
+ @{run}/systemd/sessions/@{int} r,
+ @{run}/systemd/users/@{uid} r,
 @{sys}/module/nvidia/version r,
+ @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pids}/mounts r,
 @{PROC}/sys/fs/pipe-max-size r,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
index 6b2544a84..cc08462e8 100644
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -39,9 +39,11 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{sys}/devices/system/node/node@{int}/cpumap r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
+ @{PROC}/devices r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/zoneinfo r,
 owner @{PROC}/@{pid}/cmdline r,
@@ -51,6 +53,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
 /dev/media@{int} r,
+ /dev/nvidia-uvm rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index a49f28b47..9ebdd9fe8 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -87,8 +87,10 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/sys/fs/fanotify/max_user_marks r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
+ @{PROC}/sys/vm/mmap_min_addr r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 /dev/media@{int} rw,
 /dev/video@{int} rw,
diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig
index fc14b9536..33cf23a9b 100644
--- a/apparmor.d/groups/kde/kreadconfig
+++ b/apparmor.d/groups/kde/kreadconfig
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/kreadconfig5
 profile kreadconfig @{exec_path} {
 include
+ include
 capability dac_read_search,
@@ -16,14 +17,8 @@ profile kreadconfig @{exec_path} {
 @{exec_path} mr,
- /usr/share/icu/@{int}.@{int}/*.dat r,
-
- /etc/xdg/kdeglobals r,
 /etc/xdg/kioslaverc r,
- owner @{user_config_dirs}/kdedefaults/kdeglobals r,
- owner @{user_config_dirs}/kdeglobals r,
-
 include if exists
 }
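Review bot: The added `include` line at the top of the kreadconfig hunk has lost its `<…>` target in this rendering, so it is not visible here that the abstraction it pulls in actually covers the rules the second hunk removes (`/usr/share/icu/@{int}.@{int}/*.dat r,`, `/etc/xdg/kdeglobals r,` and the two `owner @{user_config_dirs}/…kdeglobals r,` lines); naming that abstraction in the commit message would let a reviewer check the removal is a move and not a loss. The same pattern recurs in pinentry-kwallet (the dropped `.Xauthority` and `pnp.ids` rules in both the parent and the kwalletcli sub-profile) and in qt5ct (the dropped `kdeglobals` read), so one pointer would cover all three. If the abstraction grants more than the removed rules did, that widening is worth stating explicitly rather than leaving implicit in a cleanup commit.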
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index c4337d77a..0a6ae6246 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -35,9 +35,18 @@ profile cockpit-bridge @{exec_path} {
 @{exec_path} mr,
- @{bin}/journalctl rPx,
- @{lib}/cockpit/cockpit-pcp rPx,
- @{lib}/cockpit/cockpit-ssh rPx,
+ @{bin}/cat ix,
+ @{bin}/date ix,
+ @{bin}/findmnt Px,
+ @{bin}/journalctl Px,
+ @{bin}/python3.@{int} ix,
+ @{bin}/ssh-agent Px,
+ @{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?
+ @{lib}/cockpit/cockpit-pcp Px,
+ @{lib}/cockpit/cockpit-ssh Px,
+
+ # The shell is not confined on purpose.
+ @{bin}/@{shells} Ux,
 /usr/share/cockpit/{,**} r,
 /usr/{,local/}share/ r,
@@ -64,6 +73,7 @@ profile cockpit-bridge @{exec_path} {
 @{sys}/fs/cgroup/**/ r,
 @{sys}/fs/cgroup/**/cpu.{stat,weight} r,
 @{sys}/fs/cgroup/**/memory* r,
+ @{sys}/kernel/kexec_crash_size r,
 @{PROC}/ r,
 @{PROC}/@{pids}/cgroup r,
diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop
index 1dd15b4b9..b3cd7e34b 100644
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@@ -31,7 +31,8 @@ profile element-desktop @{exec_path} {
 @{exec_path} mr,
 @{sh_path} r,
- @{open_path} rPx -> child-open-strict,
+ @{open_path} rPx -> child-open-strict,
+ @{bin}/xdg-settings rPx,
 /usr/share/webapps/element/{,**} r,
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index f79a3464e..4315fb6e5 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@@ -43,6 +43,8 @@ profile keepassxc @{exec_path} {
 /etc/fstab r,
+ @{bin}/ r,
+
 owner @{HOME}/ r,
 owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
 owner @{HOME}/@{XDG_SSH_DIR}/ r,
diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet
index 235c256a7..c9dc12ba1 100644
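Review bot: `@{bin}/@{shells} Ux,` in the first cockpit-bridge hunk makes every shell the bridge spawns run unconfined, so from that point on the file rules in this profile no longer bound what cockpit launches; the one-line comment above it should carry the reason, not just the decision, e.g. `# The shell is not confined on purpose: cockpit-bridge runs arbitrary admin commands on the logged-in user's behalf, which no static rule set can mediate.` (capital `Ux` scrubs the environment on the transition, which is the safer of the two unconfined forms and worth keeping). The `@{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?` line leaves the privilege boundary as an open question and misspells "privileged"; either settle it before merging or reword it to `# TODO: decide between rCx -> privileged and rix`. As a point of style, the new rules use bare `Px`/`ix` while the element-desktop, steam-launch and gnome-session hunks in the same commit keep `rPx`/`rix`, so one convention should be chosen for the whole change.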
--- a/apparmor.d/profiles-m-r/pinentry-kwallet
+++ b/apparmor.d/profiles-m-r/pinentry-kwallet
@@ -11,42 +11,31 @@ include
 profile pinentry-kwallet @{exec_path} {
 include
 include
- include
+ include
 signal (send) set=(term, kill) peer=gpg-agent,
 @{exec_path} mr,
- @{bin}/pinentry-* rPx,
-
- @{bin}/kwalletcli_getpin rix,
- @{bin}/kwalletcli rCx -> kwalletcli,
-
- # when wrong PIN is provided
 @{bin}/date rix,
-
- @{bin}/mksh rix,
 @{bin}/env rix,
-
- owner @{HOME}/.Xauthority r,
-
- /usr/share/hwdata/pnp.ids r,
-
+ @{bin}/kwalletcli rCx -> kwalletcli,
+ @{bin}/kwalletcli_getpin rix,
+ @{bin}/mksh rix,
+ @{bin}/pinentry-* rPx,
 profile kwalletcli {
 include
+ include
 @{bin}/kwalletcli mr,
- owner @{user_config_dirs}/kdeglobals r,
- owner @{user_config_dirs}/kwalletrc r,
 @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr,
 @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
- owner @{HOME}/.Xauthority r,
-
- /usr/share/hwdata/pnp.ids r,
+ owner @{user_config_dirs}/kwalletrc r,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct
index 43964d950..3052736b6 100644
--- a/apparmor.d/profiles-m-r/qt5ct
+++ b/apparmor.d/profiles-m-r/qt5ct
@@ -28,8 +28,6 @@ profile qt5ct @{exec_path} {
 owner @{user_config_dirs}/fontconfig/** rw,
 owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int},
- owner @{user_config_dirs}/kdeglobals r,
-
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary
index 5d773292d..19bf0e9c2 100644
--- a/apparmor.d/profiles-s-z/YACReaderLibrary
+++ b/apparmor.d/profiles-s-z/YACReaderLibrary
@@ -34,9 +34,8 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted
 /etc/machine-id r,
- owner @{user_books_dirs}/{,**} r,
+ owner @{user_books_dirs}/{,**} rw,
 owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk,
- owner @{user_books_dirs}/**/None rw,
 owner @{user_cache_dirs}/YACReader/ rw,
 owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw,
diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch
index 877181b61..11c7b76b2 100644
--- a/apparmor.d/profiles-s-z/steam-launch
+++ b/apparmor.d/profiles-s-z/steam-launch
@@ -23,6 +23,7 @@ profile steam-launch @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
+ @{bin}/cmp rix,
 @{bin}/cp rix,
 @{bin}/dirname rix,
 @{bin}/env rix,
@@ -33,6 +34,8 @@ profile steam-launch @{exec_path} {
 @{lib}/steam/bin_steam.sh rix,
 @{share_dirs}/steam.sh rPx,
+ @{runtime_dirs}/@{arch}/steam-runtime-steam-remote rPUx,
+
 /usr/ r,
 /usr/local/ r,
diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest
index 85c1a08cb..a401173f1 100644
--- a/apparmor.d/profiles-s-z/thunderbird-vaapitest
+++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest
@@ -12,7 +12,7 @@ include
 @{cache_dirs} = @{user_cache_dirs}/@{name}/
 @{exec_path} = @{lib_dirs}/vaapitest
-profile thunderbird-vaapitest @{exec_path} {
+profile thunderbird-vaapitest @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar
index 250a6a731..8da427a64 100644
--- a/apparmor.d/profiles-s-z/waybar
+++ b/apparmor.d/profiles-s-z/waybar
@@ -1,4 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis
index 330957a62..e7bc743a5 100644
--- a/apparmor.d/profiles-s-z/whereis
+++ b/apparmor.d/profiles-s-z/whereis
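Review bot: `owner @{user_books_dirs}/{,**} rw,` widens write access from the per-library `.yacreaderlibrary/` metadata, which the next line already grants with `rwk`, to every file under the books directories, i.e. the user's comic collection itself. If the writes being fixed are only those the removed `owner @{user_books_dirs}/**/None rw,` rule stood in for, a narrower rule matching that path would keep the collection read-only; if YACReaderLibrary genuinely renames or deletes comics, a one-line comment above the rule saying so (e.g. `# Library management can rename/delete comics`) would stop the next cleanup from narrowing it back.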
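Review bot: `@{runtime_dirs}/@{arch}/steam-runtime-steam-remote rPUx,` in the second steam-launch hunk falls back to an unconfined transition whenever no profile attached to that binary is loaded, so whether the helper is confined at all depends on a profile that is not part of this diff. If such a profile exists, `rPx` fails closed instead of silently running unconfined; if it does not yet exist, a comment such as `# No dedicated profile yet, PUx keeps the launcher working` above the rule makes the fallback a recorded decision rather than something to rediscover in the audit log.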
@@ -30,7 +30,7 @@ profile whereis @{exec_path} {
 /opt/cni/bin/ r,
 /opt/containerd/bin/ r,
- /etc/ r,
+ @{etc_ro}/ r,
 /snap/bin/ r,
 /var/lib/flatpak/exports/bin/ r,