diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher
index 1e53a5a75..7befe1789 100644
--- a/apparmor.d/groups/desktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/desktop/at-spi-bus-launcher
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -13,8 +13,6 @@ profile at-spi-bus-launcher @{exec_path} {
 include
 include
 
- # Needed?
- deny capability sys_nice,
 
 signal (receive) set=(term hup kill) peer=dbus-daemon,
 signal (receive) set=(term hup kill) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 5345b4003..40d1442ec 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -6,7 +6,7 @@ abi ,
 
 include
 
-@{exec_path} = /{usr/,}lib/tracker-miner-fs-3
+@{exec_path} = /{usr/,}lib/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 506d5ab8c..94c163365 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -63,6 +63,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/vercmp rix,
 /{usr/,}bin/xmlcatalog rix,
 /{usr/,}lib/ghc-*/bin/ghc-pkg rix,
+ /{usr/,}bin/appstreamcli rPx,
 /{usr/,}bin/arch-audit rPx,
 /{usr/,}bin/archlinux-java rPx,
 /{usr/,}bin/bootctl rPx,
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 15842940c..fd13cfc86 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
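Review bot: Dropping `deny capability sys_nice,` in the second hunk does not grant the capability (AppArmor is default-deny), but an explicit `deny` rule is also what keeps the attempt out of the audit log, so if at-spi-bus-launcher ever requests CAP_SYS_NICE those requests will now appear as DENIED entries instead of being silently refused. If the "Needed?" question was answered with "not needed, and we do not want the noise", the rule should stay; if the launcher does turn out to need it, the replacement is `capability sys_nice,` rather than removal. A one-line note next to the signal rules saying which of the two was concluded would make the decision reviewable. The enclosing profile block continues outside the hunk.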
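Review bot: The widened `@{exec_path} = /{usr/,}lib/tracker-miner-fs-{,control-}3` makes two different binaries share one profile, so each one runs with the union of rules written for the other; the rule body that defines that union is outside the hunk. If the control daemon presumably needs only a small subset of what the filesystem miner needs, a separate profile would keep both closer to least privilege. If sharing is deliberate, a comment above the variable such as `# tracker-miner-fs-control-3 shares this profile on purpose; its accesses are a subset of the miner's` records why, and the word "subset" should be confirmed against the audit log before it is written.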
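Review bot: The new `/{usr/,}bin/appstreamcli rPx,` transitions pacman's child into a profile that this same change declares as `flags=(complain)` (see the appstreamcli hunk header below), so the transition is log-only for now and appstreamcli invoked from a pacman hook runs as root without enforced confinement. That is a reasonable staging step, but it deserves a marker so it is revisited, e.g. `/{usr/,}bin/appstreamcli rPx, # TODO: target profile is still complain-mode`. The enclosing `profile pacman` block starts outside the hunk.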
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,43 +12,42 @@ profile appstreamcli @{exec_path} flags=(complain) { include include + capability dac_read_search, + @{exec_path} mr, - # For file valudation using the network + # For file validation using the network /{usr/,}bin/curl rCx -> curl, - /etc/appstream.conf r, + /usr/share/appdata/ r, + /usr/share/applications/{,*.desktop} r, + /usr/share/metainfo/ r, + /usr/share/metainfo/*.{metainfo,appdata}.xml r, + /usr/share/mime/mime.cache r, - owner @{PROC}/@{pid}/fd/ r, + /etc/appstream.conf r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/appstream-cache-*.mdb rw, owner @{user_cache_dirs}/appstream/ rw, owner @{user_cache_dirs}/appstream/appcache-*.mdb rw, - - /usr/share/appdata/ r, + owner @{user_share_dirs}/mime/mime.cache r, + /var/lib/app-info/yaml/ r, /var/lib/app-info/yaml/*_Components-*.yml.gz w, + /var/lib/apt/lists/ r, + /var/lib/apt/lists/*_Components-*.gz r, + /var/lib/flatpak/appstream/{,**} r, + /var/cache/swcatalog/cache/{,**} rw, owner /var/cache/app-info/{,**} rw, owner /tmp/appstream-cache-*.mdb rw, owner /tmp/appstream/ rw, owner /tmp/appstream/appcache-*.mdb rw, - owner @{user_share_dirs}/mime/mime.cache r, - /usr/share/mime/mime.cache r, - - /usr/share/applications/{,*.desktop} r, - - /usr/share/metainfo/ r, - /usr/share/metainfo/*.{metainfo,appdata}.xml r, - - /var/lib/apt/lists/ r, - /var/lib/apt/lists/*_Components-*.gz r, - - # file_inherit /var/log/cron-apt/temp w, + owner @{PROC}/@{pid}/fd/ r, profile curl { include diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index b2fb30320..55251feee 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl 
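Review bot: `capability dac_read_search,` is added to the appstreamcli profile with no comment saying which access forced it; it lets the process bypass read and search permission checks on every path, which is far broader than any file rule in this block, so the trigger should be recorded next to it, e.g. `# dac_read_search: needed to read root-owned catalog caches (per audit log)` adjusted to what the log actually showed. Separately, `/var/cache/swcatalog/cache/{,**} rw,` is written without `owner` while the adjacent `owner /var/cache/app-info/{,**} rw,` keeps it; unless the swcatalog cache is intentionally shared between users, the consistent form is `owner /var/cache/swcatalog/cache/{,**} rw,`. The hunk header shows the profile is still `flags=(complain)`, so none of these rules are enforced yet, which is all the more reason to document the capability before it is forgotten.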
@@ -17,6 +17,9 @@ profile sysctl @{exec_path} {
 
 @{exec_path} mr,
 
+ /etc/sysctl.d/{,**} r,
+ /usr/lib/sysctl.d/{,**} r,
+
 @{PROC}/sys/ r,
 @{PROC}/sys/** rw,
 
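Review bot: The two new read rules cover `/etc/sysctl.d/` and `/usr/lib/sysctl.d/`, but `sysctl --system` also reads `/run/sysctl.d/*.conf`, `/usr/local/lib/sysctl.d/*.conf`, `/lib/sysctl.d/*.conf` and finally `/etc/sysctl.conf`, so unless those are allowed elsewhere in the profile (not visible in the hunk) a `--system` run will still be denied on some of them. Adding `/etc/sysctl.conf r,` and `/run/sysctl.d/{,**} r,` next to the new lines, and writing the library rule as `/{usr/,}lib/sysctl.d/{,**} r,` in the `/{usr/,}` style the other profiles in this change use, covers the documented search order on both merged and non-merged `/usr` layouts; `/usr/local/lib/sysctl.d/` can be added the same way if the target distribution ships it. The enclosing `profile sysctl` block starts outside the hunk.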