diff --git a/apparmor.d/groups/desktop/blueman b/apparmor.d/groups/desktop/blueman
index 83a6c95a5..2c4ed9387 100644
--- a/apparmor.d/groups/desktop/blueman
+++ b/apparmor.d/groups/desktop/blueman
@@ -76,7 +76,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- @{run}/user/1000/gdm/Xauthority r,
+ @{run}/user/@{uid}/gdm/Xauthority r,
 # file_inherit
 /dev/dri/card[0-9]* rw,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 84f0707f1..58fdbaaee 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -42,7 +42,8 @@ profile ssh-agent @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- @{run}/user/1000/keyring/.ssh rw,
+ @{run}/user/@{uid}/keyring/.ssh rw,
+ @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 7bc99e10a..b9ce3dfbd 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -22,7 +22,6 @@ profile systemd-tmpfiles @{exec_path} {
 /etc/machine-id r,
 /etc/brlapi.key w,
- /usr/share/factory/{,**} r,
 # Config file locations
 /etc/tmpfiles.d/{,*.conf} r,
@@ -35,13 +34,14 @@ profile systemd-tmpfiles @{exec_path} {
 # Where the tmpfiles can be created,
 /{,*} rw,
- /home/ rw,
 /dev/{,**} rw,
- /var/{,**} rwk,
- /run/{,**} rw,
- /tmp/{,**} rwk,
- /srv/{,**} rw,
 /etc/{,**} r,
+ /home/ rw,
+ /run/{,**} rw,
+ /srv/{,**} rw,
+ /tmp/{,**} rwk,
+ /usr/{,**} rw,
+ /var/{,**} rwk,
 @{run}/systemd/userdb/ r,
 @{sys}/devices/system/cpu/microcode/reload w,
diff --git a/apparmor.d/profiles-m-z/mission-control b/apparmor.d/profiles-m-z/mission-control
index 2e3e8525d..dcd8d6b00 100644
--- a/apparmor.d/profiles-m-z/mission-control
+++ b/apparmor.d/profiles-m-z/mission-control
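Review bot: The new `@{run}/user/@{uid}/gdm/Xauthority r,` line carries no `owner` qualifier, so replacing the literal `1000` with the `@{uid}` pattern now matches the X authority cookie in every user's runtime directory rather than only the confined user's own; `owner @{run}/user/@{uid}/gdm/Xauthority r,` keeps the generalisation while limiting the match to files owned by the process's uid. The same gap is in the `@{run}/user/@{uid}/…` lines added in the ssh-agent, mission-control and pulseaudio hunks, and in ssh-agent the neighbouring `owner /dev/tty[0-9]* rw,` and `owner @{HOME}/.xsession-errors w,` context lines already use the qualifier, so the omission looks accidental rather than deliberate. This assumes these profiles confine per-user session processes, which the hunks themselves do not show; if one of them runs as a system user that legitimately needs another user's runtime files, a comment on that line saying so would be enough.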
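Review bot: `/usr/{,**} rw,` in the second systemd-tmpfiles hunk grants write access to the entire /usr tree, where the profile previously only had `/usr/share/factory/{,**} r,` (dropped in the first hunk); that is a far larger write surface than the other sorted entries, which are conventional tmpfiles targets, and it covers every binary and library on the system. If the requirement is reading the factory tree, which tmpfiles.d presumably uses as its default copy source, plus creating a few specific paths under /usr, keeping `/usr/share/factory/{,**} r,` and adding targeted write rules for the paths seen in denials would preserve the least-privilege intent of the rest of the list. If whole-tree writes really are needed, a comment on the line naming the tmpfiles.d entries that require them would stop the next reviewer from narrowing it again.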
@@ -21,7 +21,7 @@ profile mission-control @{exec_path} {
 owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,
- @{run}/user/1000/dconf/user rw,
+ @{run}/user/@{uid}/dconf/user rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 include if exists
diff --git a/apparmor.d/profiles-m-z/pulseaudio b/apparmor.d/profiles-m-z/pulseaudio
index e99ed3f31..12b317988 100644
--- a/apparmor.d/profiles-m-z/pulseaudio
+++ b/apparmor.d/profiles-m-z/pulseaudio
@@ -67,8 +67,8 @@ profile pulseaudio @{exec_path} {
 @{run}/systemd/users/@{uid} r,
- @{run}/user/1000/dconf/user rw,
- @{run}/user/1000/ICEauthority r,
+ @{run}/user/@{uid}/dconf/user rw,
+ @{run}/user/@{uid}/ICEauthority r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-m-z/udisksd b/apparmor.d/profiles-m-z/udisksd
index af9a9539b..6f07181da 100644
--- a/apparmor.d/profiles-m-z/udisksd
+++ b/apparmor.d/profiles-m-z/udisksd
@@ -125,11 +125,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 /var/lib/udisks2/ r,
 /var/lib/udisks2/mounted-fs{,*} rw,
- @{run}/udisks2/ rw,
- @{run}/udisks2/loop{,.*} rw,
- @{run}/udisks2/unlocked-luks{,.*} rw,
- @{run}/udisks2/unlocked-crypto-dev{,.*} rw,
- @{run}/udisks2/mounted-fs{,.*} rw,
+ @{run}/udisks2/{,**} rw,
 @{run}/systemd/seats/seat[0-9]* r,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/profiles-m-z/w b/apparmor.d/profiles-m-z/w
index 773f34f37..230c7d65a 100644
--- a/apparmor.d/profiles-m-z/w
+++ b/apparmor.d/profiles-m-z/w
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,6 +13,8 @@ profile w @{exec_path} {
 include
 include
+ capability sys_ptrace,
+ ptrace (read),
 @{exec_path} mr,
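Review bot: Collapsing the five enumerated `@{run}/udisks2/…` rules into `@{run}/udisks2/{,**} rw,` removes the only record in the profile of which state files udisksd keeps in its runtime directory; a comment on the new line such as `# udisksd runtime state: loop, unlocked-luks, unlocked-crypto-dev, mounted-fs` would keep that knowledge next to the glob. The glob also silently admits anything udisksd writes there in future, which is reasonable for a daemon's own runtime directory but is a deliberate widening and worth stating, since nothing else in the hunk bounds it.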
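Review bot: `ptrace (read),` has no `peer=` restriction and is paired with `capability sys_ptrace,`, which together let w read process state across every confinement domain on the system, and nothing in the hunk explains why a session-listing tool needs that; a comment on the added lines is warranted, e.g. `# w reports every logged-in user's current process, so it reads /proc entries it does not own`. That rationale is inferred from what w does rather than from the hunk, so confirm it against the denials that motivated the change. It is also worth checking whether the capability is actually exercised: CAP_SYS_PTRACE only comes into play when w runs as root, and if the /proc reads it performs are satisfied by `ptrace (read)` alone, the capability line can be dropped to keep the grant minimal.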