From ed0b11212d6d0b03853a6b193ce223496787d887 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 9 Oct 2022 16:23:06 +0300 Subject: [PATCH] polishing --- apparmor.d/groups/bus/dbus-daemon | 1 + apparmor.d/groups/bus/ibus-daemon | 7 ++--- apparmor.d/groups/bus/ibus-dconf | 1 - apparmor.d/groups/bus/ibus-extension-gtk3 | 5 ++-- apparmor.d/groups/bus/ibus-portal | 4 +-- apparmor.d/groups/freedesktop/accounts-daemon | 30 ++++++++++++++----- apparmor.d/groups/freedesktop/geoclue | 2 ++ .../groups/freedesktop/xdg-permission-store | 1 + .../groups/freedesktop/xdg-user-dirs-update | 9 ++++++ .../groups/gnome/evolution-calendar-factory | 3 +- apparmor.d/groups/gnome/gjs-console | 14 +++++---- apparmor.d/groups/gnome/gnome-control-center | 14 +++++++-- .../groups/gnome/gnome-remote-desktop-daemon | 5 +++- apparmor.d/groups/gnome/gnome-session-binary | 4 ++- apparmor.d/groups/gnome/gnome-shell | 9 ++++-- apparmor.d/groups/gnome/gsd-smartcard | 3 ++ apparmor.d/groups/gnome/nautilus | 9 +++--- apparmor.d/groups/gvfs/gvfsd-metadata | 6 ++-- apparmor.d/groups/gvfs/gvfsd-smb-browse | 3 ++ apparmor.d/groups/network/ModemManager | 3 ++ apparmor.d/groups/systemd/systemd-hostnamed | 7 +++-- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- apparmor.d/profiles-a-f/appstreamcli | 2 ++ .../profiles-a-f/cc-remote-login-helper | 17 +++++++++++ apparmor.d/profiles-g-l/logrotate | 0 apparmor.d/profiles-m-r/man | 10 +++++-- apparmor.d/profiles-m-r/passwd | 2 ++ apparmor.d/profiles-m-r/pkexec | 1 + apparmor.d/profiles-s-z/useradd | 3 +- 29 files changed, 129 insertions(+), 48 deletions(-) create mode 100644 apparmor.d/profiles-a-f/cc-remote-login-helper mode change 100755 => 100644 apparmor.d/profiles-g-l/logrotate diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index f72ff9b37..595dd7854 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon 
@@ -48,6 +48,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx, /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, + /usr/share/gnome-documents/org.gnome.Documents rPx, /etc/dbus-1/{,**} r, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index c25a59d53..e95977c8d 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -39,11 +39,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.freedesktop.portal.IBus, + dbus bind bus=session name=org.freedesktop.portal.IBus, - dbus bind bus=session - name=org.freedesktop.IBus, + dbus bind bus=session name=org.freedesktop.IBus, @{exec_path} mr, @@ -57,6 +55,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, owner @{user_cache_dirs}/ibus/{,**} rw, + /var/lib/gdm{3,}/.config/ibus/{,**} rw, /var/lib/gdm{3,}/.cache/ibus/{,**} rw, /var/lib/gdm{3,}/.config/ibus/bus/ r, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index f01866351..a91d39b36 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -38,7 +38,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, - /var/lib/gdm{3,}/.cache/dconf/ w, /var/lib/gdm{3,}/.cache/dconf/user rw, /var/lib/gdm{3,}/.config/dconf/user rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 3d9f42fca..ffa33add8 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 
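Review bot: In the second ibus-daemon hunk the new `/var/lib/gdm{3,}/.config/ibus/{,**} rw,` already subsumes the context line `/var/lib/gdm{3,}/.config/ibus/bus/ r,` just below it, so that narrower rule (and any other `.config/ibus/bus/...` read rules in the profile) is now dead and the effective policy is read/write on the whole `.config/ibus` tree including the bus socket directory. Either drop the subsumed `r` rules so the file states what is actually granted, or narrow the new rule to the entries ibus-daemon writes if the broad `rw` was not what the denial asked for. The `dbus bind` line joining in the first hunk is style only.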
@@ -8,7 +8,7 @@ include @{exec_path} = /{usr/,}lib/ibus/ibus-extension-gtk3 @{exec_path} += @{libexec}/ibus-extension-gtk3 -profile ibus-extension-gtk3 @{exec_path} { +profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include include @@ -62,8 +62,7 @@ profile ibus-extension-gtk3 @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.freedesktop.IBus.Panel.Extension.Gtk3, + dbus bind bus=session name=org.freedesktop.IBus.Panel.Extension.Gtk3, @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 13f627d5e..40c874914 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -25,8 +25,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.freedesktop.portal.IBus, + dbus bind bus=session name=org.freedesktop.portal.IBus, @{exec_path} mr, @@ -42,7 +41,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, owner /dev/tty[0-9]* rw, - /dev/null rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 8275e7fc1..d0b8e8a36 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon 
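Review bot: `flags=(attach_disconnected)` is added to the ibus-extension-gtk3 profile header in the first hunk without a comment recording which disconnected path required it. The flag makes objects whose path has been disconnected from the namespace root match rules as if they lived under `/`, so the file rules below then mediate a wider set of objects than they appear to; a one-line comment such as `# attach_disconnected: needed for <path or denial that triggered it>` keeps the rationale reviewable. If it was added only for parity with the other ibus profiles in this patch (ibus-daemon, ibus-dconf, ibus-portal all carry it), saying so in the comment is enough.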
@@ -44,16 +44,22 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/language-tools/language-validate rPx, + /{usr/,}bin/cat rix, + + /{usr/,}{s,}bin/adduser rPx, + /{usr/,}{s,}bin/usermod rPx, + /{usr/,}{s,}bin/userdel rPx, + /{usr/,}bin/passwd rPx, + /{usr/,}bin/chage rPx, + /usr/share/language-tools/language-validate rPx, /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/*.xml r, /etc/default/locale r, /etc/gdm{3,}/ r, - /etc/gdm{3,}/daemon.conf r, - /etc/gdm{3,}/custom.conf rw, - /etc/gdm{3,}/custom.conf.* rw, + @{etc_rw}/gdm{3,}/daemon.conf{,.??????} rw, + @{etc_rw}/gdm{3,}/custom.conf{,.??????} rw, /etc/machine-id r, /etc/shadow r, /etc/shells r, @@ -63,10 +69,18 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{HOME}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pids}/loginuid r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + # wtmp.d ? + /var/log/wtmp r, + + owner /tmp/gnome-control-center-user-icon-?????? rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 308e1502c..2d2c5956e 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/geoclue profile geoclue @{exec_path} flags=(attach_disconnected) { include + include + include include network netlink raw, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index e5c36cd5a..f43e7e010 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
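Review bot: The first accounts-daemon hunk widens `/etc/gdm{3,}/daemon.conf` from `r` to `@{etc_rw}/gdm{3,}/daemon.conf{,.??????} rw,` in the same stroke as custom.conf; the `.??????` suffix fits an atomic rewrite of custom.conf (which was already `rw`), but nothing in the hunk shows daemon.conf being written. Unless a denial was observed on daemon.conf, keep it at `/etc/gdm{3,}/daemon.conf r,` so the daemon cannot modify GDM's daemon configuration. The new `rPx` transitions to adduser/usermod/userdel/passwd/chage rely on those profiles existing; the useradd hunk in this patch moves usermod to `/{usr/,}{s,}bin/usermod`, consistent with these lines.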
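Review bot: The second accounts-daemon hunk grants `owner @{PROC}/@{pid}/loginuid rw,`; writing loginuid changes the audit login identity of the process, and rewriting an already-set loginuid additionally needs CAP_AUDIT_CONTROL, which the visible hunk does not add as a `capability audit_control,` rule. If the daemon only opens the file and tolerates a failure, `r` (or a `deny ... w,` to silence the log) is the narrower rule; if it genuinely rewrites loginuid, the capability rule and a comment naming the code path belong next to it. The `# wtmp.d ?` comment above `/var/log/wtmp r,` reads as an unresolved question and should either be answered or turned into an explicit TODO.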
@@ -51,6 +51,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw, owner @{user_share_dirs}/flatpak/db/background rw, + owner @{user_share_dirs}/flatpak/db/notifications rw, /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 21d5c2ae0..3f3bb8cc0 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -26,6 +26,15 @@ profile xdg-user-dirs-update @{exec_path} { /var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw, /var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw, + owner @{HOME}/@{XDG_DESKTOP_DIR}/ rw, + owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ rw, + owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ rw, + owner @{HOME}/@{XDG_MUSIC_DIR}/ rw, + owner @{HOME}/@{XDG_PICTURES_DIR}/ rw, + owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ rw, + owner @{HOME}/@{XDG_TEMPLATES_DIR}/ rw, + owner @{HOME}/@{XDG_VIDEOS_DIR}/ rw, + owner @{user_config_dirs}/user-dirs.dirs r, include if exists diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 1d4ac9913..2de9c0370 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -34,8 +34,7 @@ profile evolution-calendar-factory @{exec_path} { dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**} interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*}, - dbus bind bus=session - name=org.gnome.evolution.dataserver.Calendar[0-9], + dbus bind bus=session name=org.gnome.evolution.dataserver.Calendar[0-9]*, @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 76a4af2c6..53ce4cec3 100644 --- a/apparmor.d/groups/gnome/gjs-console 
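Review bot: In the evolution-calendar-factory hunk the bind name is widened to `name=org.gnome.evolution.dataserver.Calendar[0-9]*,`; in AppArmor globbing `*` matches any run of characters, so this reads as "one digit followed by anything" rather than "one or more digits" and would also admit a name like `Calendar1foo`. If the intent is multi-digit instance numbers, `name=org.gnome.evolution.dataserver.Calendar[0-9]{,[0-9]},` (extend the alternation if more digits are seen) grants the same bindings without the open-ended suffix. The practical risk is low since a bind rule only limits which names this process may claim, but the tighter form documents the intent.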
+++ b/apparmor.d/groups/gnome/gjs-console @@ -66,20 +66,19 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.gnome.ScreenSaver, + dbus bind bus=session name=org.gnome.ScreenSaver, - dbus bind bus=session - name=org.freedesktop.Notifications, + dbus bind bus=session name=org.freedesktop.Notifications, - dbus bind bus=session - name=org.gnome.Shell.Notifications, + dbus bind bus=session name=org.gnome.Shell.Notifications, @{exec_path} mr, /{usr/,}bin/ r, /{usr/,}bin/[a-z0-9]* rPUx, @{libexec}/** rPUx, + /etc/openni2/OpenNI.ini r, + /usr/share/dconf/profile/gdm r, /usr/share/egl/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, @@ -92,6 +91,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw, + /tmp/ r, + /var/tmp/ r, + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b211ff1e0..a0f57025b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -74,16 +74,21 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{libexec}/gnome-control-center-goa-helper rPx, @{libexec}/gnome-control-center-print-renderer rPx, + /{usr/,}bin/gnome-software rPUx, + /{usr/,}bin/gkbd-keyboard-display rPUx, /{usr/,}bin/bwrap rPUx, /{usr/,}bin/openvpn rPx, /{usr/,}bin/passwd rPx, /{usr/,}bin/software-properties-gtk rPx, + /{usr/,}bin/pkexec rPx, + /{usr/,}{s,}bin/usermod rPx, /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /usr/share/language-tools/language2locale rix, /snap/*/[0-9]*/**.png r, /usr/share/backgrounds/{,**} r, + /usr/share/desktop-base/**.{xml,png,svg} r, /usr/share/cups/data/testprint r, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -93,10 +98,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-control-center/{,**} r, /usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome/gnome-version.xml r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/mime/{,**} r, /usr/share/pipewire/client.conf r, /usr/share/thumbnailers/{,*} r, - /usr/share/ubuntu/applications/{,*} r, + /usr/share/*ubuntu/applications/{,*} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, @@ -104,6 +110,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /etc/pipewire/client.conf.d/ r, /etc/security/pwquality.conf r, /etc/security/pwquality.conf.d/{,**} r, + /etc/rygel.conf r, /etc/fstab r, /etc/machine-id r, @@ -112,6 +119,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/desktop/icons/ r, /var/cache/samba/ rw, + /var/lib/AccountsService/icons/* r, + /var/cache/cracklib/cracklib_dict.* r, owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, 
@@ -119,7 +128,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, - owner @{user_config_dirs}/mimeapps.list.* rw, + owner @{user_config_dirs}/mimeapps.list* rw, + owner @{user_config_dirs}/rygel.conf{,.??????} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/sounds/__custom/{,*} rw, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index fb3abe8db..353cbab4b 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -19,5 +19,8 @@ profile gnome-remote-desktop-daemon @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 0a3310d01..4175bfd51 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -165,11 +165,12 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xdg-user-dirs-update rPx, /{usr/,}bin/parcellite rPUx, /{usr/,}bin/baloo_file rPUx, -# /{usr/,}bin/gnome-software rPUx, + /{usr/,}bin/gnome-software rPUx, /{usr/,}share/libpam-kwallet-common/pam_kwallet_init rPUx, /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx, /{usr/,}lib/@{multiarch}/libexec/kdeconnectd rPUx, /{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx, + /{usr/,}lib/caribou/caribou rPUx, @{libexec}/deja-dup/deja-dup-monitor rPUx, @{libexec}/at-spi-bus-launcher rPx, @{libexec}/evolution-data-server/evolution-alarm-notify rPx, 
@@ -219,6 +220,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/applications/ r, owner @{user_share_dirs}/applications/mimeinfo.cache r, owner @{user_share_dirs}/session_migration-ubuntu r, + owner @{user_share_dirs}/gnome-shell/gnome-overrides-migrated rw, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f78c979cb..731d20d62 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -485,6 +485,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/desktop-directories/{,*.directory} r, /usr/share/egl/{,**} r, /usr/share/evolution-data-server/icons/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r, @@ -495,7 +496,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/libinput/[0-9][0-9]-*.quirks r, /usr/share/libwacom/{,*.stylus,*.tablet} r, /usr/share/plymouth/*.png r, - /usr/share/ubuntu/applications/{,*.desktop} r, + /usr/share/*ubuntu/applications/{,*.desktop} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/desktop-base/** r, @@ -504,7 +505,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/xdg/menus/gnome-applications.menu r, - /var/lib/gdm{3,}/.cache/ w, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, 
@@ -523,6 +523,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.local/share/gnome-shell/ rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/lib/AccountsService/icons/* r, + /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/exports/share/gnome-shell/{,**} r, @@ -546,6 +548,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, + owner @{user_cache_dirs}/libgweather/ w, owner @{user_cache_dirs}/libgweather/{,**} r, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, @@ -626,6 +629,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /dev/input/event[0-9]* rw, /dev/tty[0-9]* rw, + owner @{user_share_dirs}/sounds/__custom/index.theme r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 6eb8f8bee..857f2cdcb 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -73,6 +73,9 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/tmp/ r, + /tmp/ r, + owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index e74728041..ed9b0dea4 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -29,11 +29,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member={IsSupported,List} peer=(name=:*), - dbus bind bus=session - name=org.gnome.Nautilus, + dbus bind bus=session name=org.gnome.Nautilus, - dbus bind bus=session - name=org.freedesktop.FileManager1, + dbus bind bus=session name=org.freedesktop.FileManager1, @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
@@ -44,7 +42,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/thumbnailers/{,**} r, /usr/share/tracker3/{,**} r, - /usr/share/ubuntu/applications/{,**} r, + /usr/share/*ubuntu/applications/{,**} r, + /usr/share/tracker/domain-ontologies/*.rule r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 6726e5149..f9c52d868 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -3,7 +3,6 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , include @@ -37,11 +36,12 @@ profile gvfsd-metadata @{exec_path} { member={GetTreeFromDevice,Remove} peer=(name=:*, label=gnome-shell), - dbus bind bus=session - name=org.gtk.vfs.Metadata, + dbus bind bus=session name=org.gtk.vfs.Metadata, @{exec_path} mr, + /var/lib/gdm{3,}/.local/share/gvfs-metadata/{,*} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} rw, owner @{HOME}/.var/app/*/data/gvfs-metadata/{,*} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index c9572909b..a3f586013 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -56,7 +56,10 @@ profile gvfsd-smb-browse @{exec_path} { /etc/samba/smb.conf r, owner @{run}/samba/ rw, + owner @{run}/samba/gencache.tdb rwk, owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{user_cache_dirs}/samba/gencache.tdb rwk, + include if exists } diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index e33b5f018..faf588a2a 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager 
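Review bot: The first gvfsd-metadata hunk deletes the `abi ,` line from the file header while every other profile touched by this patch keeps it (systemd-hostnamed shows it as context and the new cc-remote-login-helper declares it). The abi declaration selects the policy ABI the parser compiles the profile against; without it the parser falls back to its configured default, and the profile's dbus rules a few lines below may then be compiled under different feature assumptions than the rest of the repository. The "polishing" description does not explain the removal, so unless it is deliberate, restore the line. The `dbus bind` join in the second hunk is style only.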
@@ -51,6 +51,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform* r, + @{run}/udev/data/+usb:* r, + @{run}/udev/data/c189:[0-9]* r, @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n[0-9]* r, @@ -58,6 +60,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/*.ref rw, @{sys}/bus/ r, + @{sys}/bus/usb/devices/ r, @{sys}/class/ r, @{sys}/class/net/ r, @{sys}/class/tty/ r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index d282b0a80..7d1e172e7 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed -profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { +profile systemd-hostnamed @{exec_path} flags=(attach_disconnected complain) { include include include @@ -30,7 +30,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { member={Get,GetAll,SetHostname} peer=(name=:*), - dbus bind bus=system + dbus bind bus=system name=org.freedesktop.hostname[0-9], @{exec_path} mr, @@ -50,8 +50,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, /etc/.#hostname* rw, + /etc/.#machine-info?????? rw, /etc/hostname rw, - /etc/machine-info r, + /etc/machine-info rw, @{run}/udev/data/+dmi:id r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 3b6ea99d3..2f60b0ab2 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
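Review bot: The new `@{run}/udev/data/c189:[0-9]* r,` in the first ModemManager hunk has no trailing comment, whereas the neighbouring `c4:` and `c5:` rules document which device nodes the char major stands for. Char major 189 is the USB device-node major (`/dev/bus/usb/*`), so `@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/*` keeps the file's convention and lets a reader tie the grant to the `+usb:*` and `@{sys}/bus/usb/devices/` additions in the same patch.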
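Review bot: The first systemd-hostnamed hunk adds `complain` to the profile flags, which turns the whole profile into audit-only: none of its rules, including the dbus bind and the new `/etc/machine-info rw` and `/etc/.#machine-info?????? rw` in the third hunk, are enforced while the flag is set, and nothing in the file marks this as temporary. If the flag is there to collect denials for the new machine-info write path, a comment on the profile line such as `# TODO: drop complain once machine-info writes are confirmed` keeps it from becoming permanent. The `dbus bind` reformat in the second hunk is fine as written.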
@@ -31,7 +31,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{etc_rw}/adjtime r, + /etc/adjtime r, /etc/systemd/timesyncd.conf r, /etc/systemd/timesyncd.conf.d/{,**} r, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index bc053307e..59cff6756 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -38,6 +38,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /var/lib/app-info/ w, /var/lib/app-info/yaml/ r, /var/lib/app-info/yaml/*.yml.gz w, + /var/lib/app-info/icons/ r, /var/lib/apt/lists/ r, /var/lib/apt/lists/*.gz r, /var/lib/flatpak/appstream/{,**} r, @@ -65,6 +66,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /{usr/,}bin/curl mr, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper new file mode 100644 index 000000000..9cb8aab52 --- /dev/null +++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{libexec}/cc-remote-login-helper +profile cc-remote-login-helper @{exec_path} flags=(complain) { + include + + capability sys_nice, + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate old mode 100755 new mode 100644 diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index 392735390..6318a569b 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/man profile man @{exec_path} { include + include signal peer=man//man_groff, signal peer=man//man_filter, 
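Review bot: The new cc-remote-login-helper profile header carries the SPDX line but not the `# Copyright (C) <year> <author>` line the other profiles in this tree use (gvfsd-metadata shows it as context in this same patch); add it above the SPDX line so the new file follows the repository header convention. `flags=(complain)` plus `capability sys_nice,` is a reasonable starting point for a newly confined helper, but a short comment next to the capability saying what the helper does with it would make the grant easier to review when the profile is moved to enforce mode.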
@@ -41,11 +42,12 @@ profile man @{exec_path} { /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, - /usr/**/man/** r, - /var/**/man/** r, + /usr/**/man/{,**} r, + /var/**/man/{,**} r, /var/cache/man/index.db rk, /etc/man_db.conf r, + /etc/manpath.config r, /dev/tty r, @@ -75,6 +77,8 @@ profile man_groff { /tmp/groff* rw, owner /tmp/* rw, + + include if exists } profile man_filter { @@ -102,4 +106,6 @@ profile man_filter { owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r, /var/cache/man/** w, + + include if exists } diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index 9b9663e3e..ddf0118ee 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -20,6 +20,8 @@ profile passwd @{exec_path} { capability fsetid, capability setuid, + signal (receive) set=(term, kill) peer=gnome-control-center, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 9136dc223..e64ccd297 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -58,6 +58,7 @@ profile pkexec @{exec_path} flags=(complain) { /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /{usr/,}lib/update-notifier/package-system-locked rPx, /usr/share/apport/apport-gtk rPx, + @{libexec}/cc-remote-login-helper rPx, /etc/shells r, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 38db74ade..6c464b77e 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -36,7 +36,7 @@ profile useradd @{exec_path} { @{exec_path} mr, - /{usr/,}bin/usermod rPx, + /{usr/,}{s,}bin/usermod rPx, /{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2, @@ -81,6 +81,7 @@ profile useradd @{exec_path} { /var/log/tallylog rw, + include if exists } include if exists
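Review bot: The passwd hunk adds `signal (receive) set=(term, kill) peer=gnome-control-center,` but the gnome-control-center hunks in this patch add no matching `signal (send) set=(term, kill) peer=passwd,`. AppArmor mediates signals on both the sending and the receiving profile, so unless that send rule already exists outside the visible hunks, gnome-control-center's attempt to terminate its passwd child will still be denied on the sender's side. Worth confirming against the gnome-control-center profile before merging, or adding the send rule in the same commit so the pair lands together.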