diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 90b709a31..9f2addf88 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,6 +47,11 @@ jobs: if [[ ${{ matrix.mode }} == full-system-policy ]]; then sed -e "s/just complain/just fsp-complain/" -i debian/rules fi + if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then + # Test with Re-attach disconnected path + sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go + sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system + fi bash dists/build.sh dpkg - name: Install apparmor.d diff --git a/Justfile b/Justfile index 64e333079..e434586c4 100644 --- a/Justfile +++ b/Justfile 
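Review bot: The two `sed -e … -i` calls in the new ubuntu-24.04/default branch exit 0 even when their pattern no longer matches, so if the `// builder.Register("attach")` line in pkg/prebuild/cli/cli.go or the `@{att}` line in apparmor.d/tunables/multiarch.d/system is ever renamed, the job keeps passing while silently testing the ordinary build instead of the re-attach path. A guard after the edits makes that visible, e.g. `! grep -q '// builder.Register("attach")' pkg/prebuild/cli/cli.go` and `! grep -q '@{att}' apparmor.d/tunables/multiarch.d/system`; GitHub-hosted runners execute `run:` steps under `bash -e` by default, so a failing guard aborts the step (confirm no custom `shell:` overrides that here). The comment would also help a reader if it named what is being switched, e.g. `# Test the re-attach-disconnected-path build: enable the attach builder and drop the @{att} tunable`. The enclosing step starts before this hunk.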
@@ -49,52 +49,44 @@ c := "--connect=qemu:///system" # VM prefix prefix := "aa-" -# Show this help message +[doc('Show this help message')] help: @just --list --unsorted @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." -# Build the go programs [group('build')] +[doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild -# Prebuild the profiles in enforced mode [group('build')] +[doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild --buildir {{build}} -# Prebuild the profiles in enforce mode (test) -enforce-test: build - @./{{build}}/prebuild --buildir {{build}} --test - -# Prebuild the profiles in complain mode [group('build')] +[doc('Prebuild the profiles in complain mode')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain -# Prebuild the profiles in complain mode (test) -complain-test: build - @./{{build}}/prebuild --buildir {{build}} --complain --test - -# Prebuild the profiles in FSP mode [group('build')] +[doc('Prebuild the profiles in FSP mode')] fsp: build @./{{build}}/prebuild --buildir {{build}} --full -# Prebuild the profiles in FSP mode (complain) [group('build')] +[doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build @./{{build}}/prebuild --buildir {{build}} --complain --full -# Prebuild the profiles in FSP mode (debug) [group('build')] +[doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build @./{{build}}/prebuild --buildir {{build}} --complain --full --debug -# Install prebuild profiles [group('install')] +[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -121,8 +113,8 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done -# Locally install prebuild profiles [group('install')] +[doc('Locally install prebuild profiles')] local +names: #!/usr/bin/env bash set -eu -o pipefail 
@@ -143,39 +135,39 @@ local +names: done; systemctl restart apparmor || sudo journalctl -xeu apparmor.service -# Prebuild, install, and load a dev profile [group('install')] +[doc('Prebuild, install, and load a dev profile')] dev name: go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service -# Build & install apparmor.d on Arch based systems [group('packages')] +[doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm -# Build & install apparmor.d on Debian based systems [group('packages')] +[doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb -# Build & install apparmor.d on OpenSUSE based systems [group('packages')] +[doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm -# Run the unit tests [group('tests')] +[doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out -# Run the linters [group('linter')] +[doc('Run the linters')] lint: golangci-lint run packer fmt tests/packer/ 
@@ -185,34 +177,34 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm -# Run style checks on the profiles [group('linter')] +[doc('Run style checks on the profiles')] check: @bash tests/check.sh -# Generate the man pages [group('docs')] +[doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md -# Build the documentation [group('docs')] +[doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict -# Serve the documentation [group('docs')] +[doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve -# Remove all build artifacts +[doc('Remove all build artifacts')] clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out -# Build the package in a clean OCI container [group('packages')] +[doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash set -eu -o pipefail @@ -227,8 +219,8 @@ package dist: fi bash dists/docker.sh $dist $version -# Build the VM image [group('vm')] +[doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} packer build -force \ @@ -245,8 +237,8 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ -# Create the machine [group('vm')] +[doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @virt-install {{c}} \ 
@@ -265,53 +257,53 @@ create dist flavor: --sound model=ich9 \ --noautoconsole -# Start a machine [group('vm')] +[doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} -# Stops the machine [group('vm')] +[doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} -# Reboot the machine [group('vm')] +[doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} -# Destroy the machine [group('vm')] +[doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 -# Connect to the machine [group('vm')] +[doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` -# Mount the shared directory on the machine [group('vm')] +[doc('Mount the shared directory on the machine')] mount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' -# Unmout the shared directory on the machine [group('vm')] +[doc('Unmout the shared directory on the machine')] umount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' -# List the machines [group('vm')] +[doc('List the machines')] list: @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' -# List the VM images [group('vm')] +[doc('List the VM images')] images: #!/usr/bin/env bash set -eu -o pipefail @@ -328,8 +320,8 @@ images: } ' -# List the VM images that can be created [group('vm')] +[doc('List the VM images that can be created')] available: #!/usr/bin/env bash set -eu -o pipefail 
@@ -345,36 +337,36 @@ available: } ' -# Install dependencies for the integration tests [group('tests')] +[doc('Install dependencies for the integration tests')] init: @bash tests/requirements.sh -# Run the integration tests [group('tests')] +[doc('Run the integration tests')] integration name="": bats --recursive --timing --print-output-on-failure tests/integration/{{name}} -# Install dependencies for the integration tests (machine) [group('tests')] +[doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init -# Synchronize the integration tests (machine) [group('tests')] +[doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ -# Re-synchronize the integration tests (machine) [group('tests')] +[doc('Re-synchronize the integration tests (machine)')] tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ (umount dist flavor) -# Run the integration tests (machine) [group('tests')] +[doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ diff --git a/PKGBUILD b/PKGBUILD index a68ba817d..dfbb46735 100644 --- a/PKGBUILD +++ b/PKGBUILD 
@@ -3,15 +3,8 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. -pkgbase=apparmor.d -pkgname=( - apparmor.d - # apparmor.d.enforced - # apparmor.d.fsp apparmor.d.fsp.enforced - # apparmor.d.server apparmor.d.server.enforced - # apparmor.d.server.fsp apparmor.d.server.fsp.enforced -) -pkgver=0.0001 +pkgname=apparmor.d +pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') @@ -19,9 +12,10 @@ url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') +conflicts=("$pkgname-git") pkgver() { - cd "$srcdir/$pkgbase" + cd "$srcdir/$pkgname" echo "0.$(git rev-list --count HEAD)" } 
@@ -30,104 +24,17 @@ prepare() { } build() { - cd "$srcdir/$pkgbase" + cd "$srcdir/$pkgname" export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" - export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" export DISTRIBUTION=arch - local -A modes=( - # Mapping of modes to just build target. - [default]=complain - # [enforced]=enforce - # [fsp]=fsp-complain - # [fsp.enforced]=fsp - # [server]=server-complain - # [server.enforced]=server - # [server.fsp]=server-fsp-complain - # [server.fsp.enforced]=server-fsp - ) - for mode in "${!modes[@]}"; do - just build=".build/$mode" "${modes[$mode]}" - done + just complain } -_conflicts() { - local mode="$1" - local pattern=".$mode" - if [[ "$mode" == "default" ]]; then - pattern="" - else - echo "$pkgbase" - fi - for pkg in "${pkgname[@]}"; do - if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then - continue - fi - echo "$pkg" - done -} - -_install() { - local mode="${1:?}" - cd "$srcdir/$pkgbase" - just build=".build/$mode" destdir="$pkgdir" install -} - -package_apparmor.d() { - mode=default - pkgdesc="$pkgdesc (complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.enforced() { - mode=enforced - pkgdesc="$pkgdesc (enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.fsp() { - mode="fsp" - pkgdesc="$pkgdesc (FSP mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.fsp.enforced() { - mode="fsp.enforced" - pkgdesc="$pkgdesc (FSP enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server() { - mode="server" - pkgdesc="$pkgdesc (server complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.enforced() { - mode="server.enforced" - pkgdesc="$pkgdesc 
(server enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.fsp() { - mode="server.fsp" - pkgdesc="$pkgdesc (server FSP complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.fsp.enforced() { - mode="server.fsp.enforced" - pkgdesc="$pkgdesc (server FSP enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode +package() { + cd "$srcdir/$pkgname" + just destdir="$pkgdir" install } diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index a92058206..9330d2223 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -5,10 +5,10 @@ abi , # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), - unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), - unix type=stream addr=@/tmp/.ICE-unix/@{int}, - unix type=stream addr=@/tmp/.X11-unix/X@{int}, + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", + unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions @@ -16,13 +16,13 @@ /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/@{int} rw, + /tmp/.ICE-unix/* rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/X@{int} rw, + /tmp/.X11-unix/* rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland 
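Review bot: `build()` drops `export GOPATH="${srcdir}"` while keeping `-mod=readonly -modcacherw` in GOFLAGS, so `go build` now resolves modules from the builder's default module cache under $HOME instead of the build tree, and the package build is no longer self-contained unless `prepare()` (which starts before this hunk) vendors the modules or pins the cache. If a hermetic build was the intent, keep the export or set the cache explicitly with `export GOMODCACHE="${srcdir}/go/pkg/mod"`. The new `package()` also depends on `just install` reading the same default build directory that `just complain` populated in `build()`; a comment such as `# build() fills the default build dir; install copies it into $pkgdir` would make that coupling explicit.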
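Review bot: The second X-strict hunk replaces `/tmp/.ICE-unix/@{int} rw,` and `/tmp/.X11-unix/X@{int} rw,` with bare `/tmp/.ICE-unix/* rw,` and `/tmp/.X11-unix/* rw,`, which grants every profile that includes this abstraction read/write on any entry in those shared, world-writable directories rather than on the display sockets only, and the first hunk's `[0-9]*` address pattern likewise matches any name beginning with a digit. AppArmor's `*` stops at `/`, so the scope is one directory, but that directory is exactly where other users' sockets live; if the aim is to accept non-numeric suffixes, `/tmp/.X11-unix/X[0-9]* rw,` and `/tmp/.ICE-unix/[0-9]* rw,` keep the file rules as tight as the new socket rules and consistent with them. The `r` to `rw` change on `owner @{HOME}/.ICEauthority` also widens all X clients at once; a comment naming the client that needed write access would help later tightening.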
diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility deleted file mode 100644 index 894ee467e..000000000 --- a/apparmor.d/abstractions/accessibility +++ /dev/null @@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) - - abi , - - include - include - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dcb29fecb..8f991c230 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -2,11 +2,6 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: domain -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -25,32 +20,32 @@ abi , include - include include include + include + include include + include + include + include + include include - include - include - include + include + include + include include include include - include - include + include include include include - include - include - include - include include include include - include include include + include network inet dgram, network inet6 dgram, @@ -108,6 +103,7 @@ /etc/@{name}/{,**} r, /etc/fstab r, + /etc/{,opensc/}opensc.conf r, / r, owner @{HOME}/ r, @@ -155,7 +151,9 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/**/report_descriptor r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, 
@@ -180,6 +178,7 @@ owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, + /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 0648e68d1..238bf9e8b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -2,10 +2,6 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -22,6 +18,7 @@ include include include + include include include include @@ -30,13 +27,11 @@ include include include - include include include include include include - include include include include @@ -80,6 +75,7 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, + /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, /etc/lsb-release r, @@ -164,6 +160,7 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, + /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 8dffc39b9..243d18261 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,8 +7,6 @@ abi , - include - include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -31,6 +29,9 @@ # if @{DE} == kde include + include + include + include include include diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index f563712ca..0ec14bea0 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep 
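Review bot: `/dev/hidraw@{int} rw,` added in both the chromium hunk `@@ -180,6 +178,7 @@` and the firefox hunk `@@ -164,6 +160,7 @@` gives every browser profile built on these abstractions raw read/write on all HID devices, since AppArmor cannot tell a security key from a keyboard at the hidraw node. The neighbouring `/etc/{,opensc/}opensc.conf r,` additions suggest this is for WebHID or FIDO tokens, but the rule carries no comment; `/dev/hidraw@{int} rw, # WebHID / FIDO security keys — confirm` would record the reason and the scope accepted. The chromium hunk's `@{sys}/devices/virtual/**/report_descriptor r,` similarly deserves a comment tying it to the hidraw access.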
@@ -19,7 +19,6 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 8741942ff..29c685f55 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,7 +8,7 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 1ebdf4c76..826191309 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -57,18 +57,12 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/+sound:card@{int} r, # For sound card - - @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, /dev/snd/controlC@{int} r, - /dev/snd/pcmC@{int}D@{int}[cp] r, - /dev/snd/timer r, include if exists diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index a7f89b91b..10bcef426 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -9,6 +9,11 @@ include + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{sys}/class/ r, + @{sys}/class/sound/ r, + @{PROC}/asound/** rw, /dev/admmidi* rw, diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe deleted file mode 100644 index aac14fa7d..000000000 --- a/apparmor.d/abstractions/avahi-observe +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2016 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows domain, record, service, and service type browsing as well as address, -# host and service resolving - - abi , - - include - - include - include - include - include - include - include - include - - @{run}/avahi-daemon/socket rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index d89688b70..ad3945eb9 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -8,20 +8,20 @@ signal receive peer=@{p_systemd_user}, # Allow to receive some signals from new well-known profiles - signal receive peer=btop, - signal receive peer=htop, - signal receive peer=pkill, - signal receive peer=sudo, - signal receive peer=top, - signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, - signal receive set=(hup term) peer=login, - signal receive set=(hup) peer=xinit, - signal receive set=(term,kill) peer=gnome-shell, - signal receive set=(term,kill) peer=gnome-system-monitor, - signal receive set=(term,kill) peer=openbox, - signal receive set=(term,kill) peer=su, + signal (receive) peer=btop, + signal (receive) peer=htop, + signal (receive) peer=pkill, + signal (receive) peer=sudo, + signal (receive) peer=top, + signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, + signal (receive) set=(hup term) peer=login, + signal (receive) set=(hup) peer=xinit, + signal (receive) set=(term,kill) peer=gnome-shell, + signal (receive) set=(term,kill) peer=gnome-system-monitor, + signal (receive) set=(term,kill) peer=openbox, + signal (receive) set=(term,kill) peer=su, - ptrace readby peer=@{p_systemd_coredump}, + ptrace (readby) peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, 
@@ -30,6 +30,4 @@ @{PROC}/sys/kernel/core_pattern r, - /apparmor/.null rw, - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y deleted file mode 100644 index 0145fc494..000000000 --- a/apparmor.d/abstractions/bus/accessibility/org.a11y +++ /dev/null 
@@ -1,65 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017 Canonical Ltd -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # Allow the accessibility services in the user session to send us any events - - dbus receive bus=accessibility - peer=(label="@{p_at_spi2_registryd}"), - - # Allow querying for capabilities and registering - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member=NotifyListenersSync - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - # org.a11y.atspi is not designed for application isolation and these rules - # can be used to send change events for other processes. 
- - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Event.Object - member=ChildrenChanged - peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Accessible - member=Get* - peer=(label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} - interface=org.a11y.atspi.Event.Object - member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved} - peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/cache - interface=org.a11y.atspi.Cache - member={AddAccessible,RemoveAccessible} - peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y new file mode 100644 index 000000000..c99f5f8bd --- /dev/null +++ b/apparmor.d/abstractions/bus/org.a11y 
@@ -0,0 +1,63 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Accessibility bus + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + + # Session bus + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + include if exists 
+ +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez b/apparmor.d/abstractions/bus/org.bluez similarity index 96% rename from apparmor.d/abstractions/bus/system/org.bluez rename to apparmor.d/abstractions/bus/org.bluez index acaa7bb36..461ad9f94 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -36,6 +36,6 @@ member=RegisterApplication peer=(name=org.bluez, label="@{p_bluetoothd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager similarity index 67% rename from apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager rename to apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 4b5dcc746..e23092429 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -15,19 +15,19 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member={CreateProfile,CreateDevice,DeleteDevice} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + member=CreateDevice + peer=(name="@{busname}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + peer=(name="@{busname}", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member={FindDeviceByProperty,FindDeviceById} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + member=FindDeviceByProperty + peer=(name="@{busname}", label="@{p_colord}"), - include if exists + include if exists # vim:syntax=apparmor 
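Review bot: In the new abstractions/bus/org.a11y file the second `member=Embed` rule, `peer=(name=org.a11y.atspi.Registry)` with no `label`, already permits the call to any peer holding that name, so the labelled `Embed` rule directly above it is redundant and the label restriction is not actually enforced; the same pattern occurs with `GetAddress peer=(name=org.a11y.Bus)` here, with the third `CheckAuthorization` rule in the org.freedesktop.PolicyKit1 hunk and with the `Inhibit`/`UnInhibit` rule in the org.freedesktop.ScreenSaver hunk. If the unlabelled variants exist for hosts where the daemon runs unconfined, a comment such as `# daemon may be unconfined; no label available` would stop a later cleanup from tightening them by mistake. The removed bus/accessibility/org.a11y carried the caveat `org.a11y.atspi is not designed for application isolation and these rules can be used to send change events for other processes`; the new file keeps several of those rules but drops the warning, so I would restore it above the accessibility-bus section. The deleted file also had a `Copyright (C) 2017 Canonical Ltd` line that the new one omits although rules such as `GetRegisteredEvents` and the deviceeventcontroller block are carried over verbatim; confirm the attribution can be dropped.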
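Review bot: The three rules in the org.freedesktop.ColorManager hunk now accept only `peer=(name="@{busname}")`, dropping the `org.freedesktop.ColorManager` alternative; for a `dbus send` rule the peer name is the destination the client addressed, and clients commonly call the well-known name, so `CreateDevice` and `FindDeviceByProperty` may start being denied on such clients. If the unique-name form is what the audit logs showed, a comment saying so would help; otherwise keep `peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}")` on the send rules. Narrowing the member sets (dropping `CreateProfile`, `DeleteDevice` and `FindDeviceById`) is fine provided no profile relied on the abstraction for them.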
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications new file mode 100644 index 000000000..6962bf7ec --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member={GetCapabilities,GetServerInformation,Notify} + peer=(name="@{busname}", label=gjs-console), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member={NotificationClosed,CloseNotification} + peer=(name="@{busname}", label=gjs-console), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=Notify + peer=(name=org.freedesktop.DBus, label=gjs-console), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index a4f9ba9b9..f6cde2030 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -2,9 +2,6 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow communication with PackageKit transactions. Transactions are exported -# with random object paths that currently take the form /@{int}_@{hex8}. - abi , #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd 
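Review bot: The explicit rules in the new org.freedesktop.Notifications abstraction place `Notify`, `GetCapabilities`, `GetServerInformation`, `CloseNotification` and `NotificationClosed` under `interface=org.freedesktop.DBus.Properties`, but those are members of `org.freedesktop.Notifications` itself, so as written the rules match no real traffic and only the `#aa:dbus common` directive above them does any work. Change the three rules to `interface=org.freedesktop.Notifications`; note too that `NotificationClosed` is a signal the client receives while `CloseNotification` is a method it sends, so the `dbus receive … member={NotificationClosed,CloseNotification}` rule mixes directions and should be split. The hard-coded `label=gjs-console` ties the abstraction to GNOME Shell as the notification server; on other desktops the daemon runs under a different label, which deserves a comment.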
@@ -19,14 +16,6 @@ member=StateHasChanged peer=(name=org.freedesktop.PackageKit), - dbus send bus=system path=/@{int}_@{hex8} - interface=org.freedesktop.PackageKit.Transaction - peer=(label=packagekitd), - - dbus receive bus=system path=/@{int}_@{hex8} - interface=org.freedesktop.PackageKit.Transaction - peer=(label=packagekitd), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 2a4e8c1e5..9dfab7481 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -2,8 +2,6 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Can talk to polkitd's CheckAuthorization API - abi , #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -15,13 +13,17 @@ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member={CheckAuthorization,CancelCheckAuthorization} - peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgentWithOptions - peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), + member=CheckAuthorization + peer=(name="@{busname}", label="@{p_polkitd}"), + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), include if exists 
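Review bot: The third `CheckAuthorization` rule added to `org.freedesktop.PolicyKit1` has `peer=(name=org.freedesktop.PolicyKit1)` with no `label=`, so unlike the two rules above it (and the replaced rule, which was bound to `@{p_polkitd}`) it trusts whatever process owns that well-known name as the authority, which is exactly the peer you do not want unmediated for an authorization check. Three rules for the same member differing only in the peer can collapse into one labelled rule, since the brace alternation already covers both the unique and the well-known name: `member=CheckAuthorization` / `peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),`. If the unlabelled variant is a deliberate workaround for polkitd running unconfined on some distribution, say so in a comment next to it rather than leaving it looking like an oversight. Dropping `CancelCheckAuthorization` and `RegisterAuthenticationAgentWithOptions` also means callers that cancel a pending check or register as an agent will now be denied; a one-line comment naming where those members are covered instead would make the narrowing reviewable.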
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver similarity index 51% rename from apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver rename to apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index 27c456637..f73768e9f 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -2,20 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow checking status, activating and locking the screensaver (GNOME version) - abi , - dbus send bus=session path=/{,org/gnome/}ScreenSaver - interface=org.gnome.ScreenSaver - member={GetActive,GetActiveTime,Lock,SetActive} - peer=(name=@{busname}, label=gjs-console), + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} peer=(name=@{busname}, label=gjs-console), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower similarity index 94% rename from apparmor.d/abstractions/bus/system/org.freedesktop.UPower rename to apparmor.d/abstractions/bus/org.freedesktop.UPower index aa6a61371..64b400a3e 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -29,6 +29,6 @@ member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - include if exists + include if exists # vim:syntax=apparmor 
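Review bot: The renamed `org.freedesktop.ScreenSaver` abstraction still ends with a `dbus receive` rule for `path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver`, which is the GNOME-specific interface this same diff splits out into its own `org.gnome.ScreenSaver` file, so every profile including the freedesktop abstraction silently also gets the GNOME signal path and the `gjs-console` peer. Either drop that rule here or convert it to the freedesktop form the deleted `bus/session/org.freedesktop.ScreenSaver` carried: `dbus receive bus=session path=/org/freedesktop/ScreenSaver` / `interface=org.freedesktop.ScreenSaver` / `member={ActiveChanged,WakeUpScreen}`. The new `Inhibit`/`UnInhibit` send rule names the peer but gives no `label=`, so the owner of `org.freedesktop.ScreenSaver` is trusted without profile mediation; the removed file bound the same API to `label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"`, which is the tighter choice if those are still the implementers on the supported desktops.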
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 similarity index 70% rename from apparmor.d/abstractions/bus/system/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/org.freedesktop.locale1 index e2377a14b..1348c8a39 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -4,11 +4,12 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 new file mode 100644 index 000000000..fe6d52dc6 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.resolve1.Manager + member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} + peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 similarity index 86% rename from apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index f69667e08..6bfa6114b 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 
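Review bot: The directive in the new `org.freedesktop.resolve1` abstraction is spelled `#aa-dbus common ...`, whereas every other abstraction in this diff, including `org.freedesktop.locale1` in the hunk just above, uses `#aa:dbus common ...`; if the prebuild directive parser keys on the `#aa:` prefix, this line is an ordinary comment and whatever the directive expands to is never generated for resolve1 clients. Change it to `#aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"`. A quick grep for `#aa-` under `apparmor.d/` would confirm this is the only occurrence.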
@@ -11,6 +11,6 @@ member=GetSupportedTypes peer=(name="@{busname}", label="@{p_file_roller}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager similarity index 73% rename from apparmor.d/abstractions/bus/system/org.gnome.DisplayManager rename to apparmor.d/abstractions/bus/org.gnome.DisplayManager index 4833b1512..741631f4b 100644 --- a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,6 @@ member=RegisterDisplay peer=(name="@{busname}", label=gdm), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 similarity index 76% rename from apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 rename to apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 index 8a3e7d74e..178139a8d 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 @@ -6,6 +6,6 @@ #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver new file mode 100644 index 000000000..46d1a1006 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver 
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console + + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=GetActive + peer=(name="@{busname}", label=gjs-console), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name="@{busname}", label=gjs-console), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager similarity index 61% rename from apparmor.d/abstractions/bus/session/org.gnome.SessionManager rename to apparmor.d/abstractions/bus/org.gnome.SessionManager index 4c641776b..a532b67f2 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager 
@@ -1,46 +1,48 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# FIXME: Too large, restrict it. + abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" + #aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), + peer=(name=org.gnome.SessionManager, label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - 
peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name="@{busname}", label=gnome-session-binary), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter deleted file mode 100644 index 0816b046f..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow accessing the GNOME crypto services prompt APIs as used by -# applications using libgcr (such as pinentry-gnome3) for secure pin -# entry to unlock GPG keys etc. See: -# https://developer.gnome.org/gcr/unstable/GcrPrompt.html -# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html -# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 - - abi , - - unix type=stream peer=(label=gnome-keyring-daemon), - - dbus send bus=session path=/org/gnome/keyring/Prompter - interface=org.gnome.keyring.internal.Prompter - member={BeginPrompting,PerformPrompt,StopPrompting} - peer=(name=@{busname}, label=pinentry-*), - - dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} - interface=org.gnome.keyring.internal.Prompter.Callback - member={PromptReady,PromptDone} - peer=(name=@{busname}, label=pinentry-*), - - include if exists - -# vim:syntax=apparmor 
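Review bot: Every peer label in `org.gnome.SessionManager` (and the `#aa:dbus common` directive) is narrowed from `{gnome-session-binary,gnome-session-service}` to `gnome-session-binary`, yet the only explanation added is the `# FIXME: Too large, restrict it.` comment at the top, which does not say why the second profile name is gone. If any supported distribution still runs the session manager under a `gnome-session-service` profile, clients including this abstraction will be denied `RegisterClient`, `Inhibit` and the whole `EndSession` handshake, so either keep the alternation or state in the comment that the second label no longer exists. The FIXME itself would be more useful if it named what to restrict, e.g. `# FIXME: trim the member lists to what each caller uses; Setenv in particular should not be in a shared abstraction if it lets a client change the session environment (confirm).`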
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications similarity index 86% rename from apparmor.d/abstractions/bus/session/org.gtk.Notifications rename to apparmor.d/abstractions/bus/org.gtk.Notifications index 151c642a8..ad1a1ffad 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -11,6 +11,6 @@ member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor similarity index 91% rename from apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor index b8160dcb2..9060c8c15 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor @@ -19,6 +19,6 @@ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon similarity index 72% rename from apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon rename to apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index edf954ac5..93ad35fe5 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon 
@@ -1,9 +1,7 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Each daemon (main and for mounts) implement this. - abi , dbus send bus=session path=/org/gtk/vfs/Daemon @@ -16,6 +14,6 @@ member=GetConnection peer=(name=@{busname}), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata similarity index 80% rename from apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata rename to apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index 9f1a77daf..ce6e60082 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata @@ -13,13 +13,13 @@ dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member={Set,Move,GetTreeFromDevice,Remove} - peer=(name=@{busname}, label=gvfsd-metadata), + peer=(name="@{busname}", label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=AttributeChanged - peer=(name=@{busname}, label=gvfsd-metadata), + peer=(name="@{busname}", label=gvfsd-metadata), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker similarity index 89% rename from apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker rename to apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index 107c3dc13..c455d4f18 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker 
@@ -2,10 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# The mount tracking interface. - abi , + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=LookupMount @@ -16,16 +19,11 @@ member=ListMounts2 peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name="@{busname}", label=gvfsd), - dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem similarity index 79% rename from apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem rename to apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index d017d44e3..87fd06727 100644 --- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -23,6 +23,11 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - include if exists + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + + include if exists # vim:syntax=apparmor 
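Review bot: The `Properties.Get` rule appended to `org.kde.StatusNotifierItem` hard-codes the `org.kde.StatusNotifierWatcher` owner as `label=gnome-shell`, while the rest of the file mediates its peers with `@{pp_app_indicator}`; on a desktop whose watcher is not gnome-shell (the interface lives in the KDE namespace, so that is presumably the common case) this rule simply never matches and the client gets a denial. Either use the same label set the file already relies on, or add a comment stating that this abstraction is only expected to work with gnome-shell as the watcher, e.g. `# Watcher is implemented by gnome-shell on the supported desktops; extend the label if another shell is added.`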
diff --git a/apparmor.d/abstractions/bus/session/org.kde.kwalletd b/apparmor.d/abstractions/bus/org.kde.kwalletd similarity index 50% rename from apparmor.d/abstractions/bus/session/org.kde.kwalletd rename to apparmor.d/abstractions/bus/org.kde.kwalletd index 0afce1cdf..1ae5a1ace 100644 --- a/apparmor.d/abstractions/bus/session/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/org.kde.kwalletd @@ -1,9 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player similarity index 89% rename from apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player rename to apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player index b2b934074..d71b7ac1e 100644 --- a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -33,6 +33,6 @@ member=Seeked peer=(name=org.freedesktop.DBus), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher deleted file mode 100644 index ca2bf92c8..000000000 --- a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher +++ /dev/null 
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow use of snapd's internal xdg-open
-
- abi ,
-
- dbus send bus=session path=/
- interface=com.canonical.SafeLauncher
- member=OpenURL
- peer=(name=@{busname}, label=snap),
-
- dbus send bus=session path=/io/snapcraft/Launcher
- interface=io.snapcraft.Launcher
- member={OpenURL,OpenFile}
- peer=(name=@{busname}, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher
deleted file mode 100644
index 704d9010d..000000000
--- a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher
+++ /dev/null
@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Can identify and launch other snaps.
-
- abi ,
-
- dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher
- interface=io.snapcraft.PrivilegedDesktopLauncher
- member=OpenDesktopEntry
- peer=(name=io.snapcraft.Launcher, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings
deleted file mode 100644
index c50753cd6..000000000
--- a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings
+++ /dev/null
@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow use of snapd's internal 'xdg-settings'
-
- abi ,
-
- dbus send bus=session path=/io/snapcraft/Settings
- interface=io.snapcraft.Settings
- member={Check,CheckSub,Get,GetSub,Set,SetSub}
- peer=(name=io.snapcraft.Settings, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y deleted file mode 100644 index 8f517fe99..000000000 --- a/apparmor.d/abstractions/bus/session/org.a11y +++ /dev/null @@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal deleted file mode 100644 index e7c0f9cef..000000000 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow access to the IBus portal - - abi , - - dbus send bus=session path=/org/freedesktop/IBus - interface=org.freedesktop.IBus.Portal - member=CreateInputContext - peer=(name=org.freedesktop.portal.IBus), - - dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int} - interface=org.freedesktop.IBus.InputContext - peer=(label=ibus-daemon), - - dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int} - interface=org.freedesktop.IBus.InputContext - peer=(label=ibus-daemon), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
deleted file mode 100644
index b51c4bdcb..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
-
- dbus send bus=session path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
- peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
-
- dbus receive bus=session path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- member={ActionInvoked,NotificationClosed,NotificationReplied}
- peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver
deleted file mode 100644
index ee837b886..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver
+++ /dev/null
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow checking status, activating and locking the screensaver - - abi , - - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), - - dbus send bus=session path=/{,org/freedesktop/}ScreenSaver - interface=org.freedesktop.ScreenSaver - member={GetActive,GetActiveTime,Lock,SetActive} - peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), - - dbus receive bus=session path=/org/freedesktop/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret deleted file mode 100644 index 8ded1b6d7..000000000 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret +++ /dev/null 
@@ -1,49 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017 Canonical Ltd -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Provide full access to the secret-service API: -# - https://standards.freedesktop.org/secret-service/) -# -# The secret-service allows managing (add/delete/lock/etc) collections and -# (add/delete/etc) items within collections. The API also has the concept of -# aliases for collections which is typically used to access the default -# collection. While it would be possible for an application developer to use a -# snap-specific collection and mediate by object path, application developers -# are meant to instead to treat collections (typically the default collection) -# as a database of key/value attributes each with an associated secret that -# applications may query. Because AppArmor does not mediate member data, -# typical and recommended usage of the API does not allow for application -# isolation. For details, see: -# - https://standards.freedesktop.org/secret-service/ch03.html -# - - abi , - - #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon - - dbus send bus=session path=/org/freedesktop/secrets{,/**} - interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} - peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), - - dbus receive bus=session path=/org/freedesktop/secrets{,/**} - interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} - peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), - - dbus send bus=session path=/org/freedesktop/secrets - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-keyring-daemon), - dbus send bus=session path=/org/freedesktop/secrets - interface=org.freedesktop.Secret.Service - member=ReadAlias - peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), - dbus send 
bus=session path=/org/freedesktop/secrets - interface=org.freedesktop.Secret.Service - member=SearchItems - peer=(name=@{busname}, label=gnome-keyring-daemon), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings deleted file mode 100644 index 01cf21c46..000000000 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Settings - member=Read - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Settings - member=ReadAll - peer=(name=@{busname}, label=xdg-desktop-portal), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys deleted file mode 100644 index 93d830828..000000000 --- a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys +++ /dev/null 
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow requesting interest in receiving media key events. This tells Gnome -# settings that our application should be notified when key events we are -# interested in are pressed, and allows us to receive those events. - - abi , - - # DBus.Properties: read all properties from the interface - dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), - - dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys - interface=org.gnome.SettingsDaemon.MediaKeys - peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions deleted file mode 100644 index 899f244a8..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.Actions +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus receive bus=session - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-shell), - - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState}, - - dbus send bus=session - interface=org.gtk.Actions - member=Changed, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus deleted file mode 100644 index b21c08067..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.Menus +++ /dev/null 
@@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus receive bus=session - interface=org.gtk.Menus - member={Start,End} - peer=(name=@{busname}), - - dbus send bus=session - interface=org.gtk.Menus - member=Changed, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler deleted file mode 100644 index 3fce0d719..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gtk/MountOperationHandler - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-shell), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings deleted file mode 100644 index 9d2dd282a..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.Settings +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation deleted file mode 100644 index 54dfc837f..000000000 
--- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} - interface=org.gtk.vfs.MountOperation - member={AskPassword,AskQuestion} - peer=(name=@{busname}, label=gvfsd-*), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable deleted file mode 100644 index 603ef709b..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=@{busname}, label=gvfsd), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner deleted file mode 100644 index 7090afe24..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=@{busname}, label=gvfsd), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver deleted file mode 100644 index f6a1a251c..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Address resolving - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=AddressResolverNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser deleted file mode 100644 index 39f5e4496..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Domain browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=DomainBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/DomainBrowser@{int} - interface=org.freedesktop.Avahi.DomainBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} - interface=org.freedesktop.Avahi.DomainBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver
deleted file mode 100644
index 403a4db0f..000000000
--- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver
+++ /dev/null
@@ -1,25 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Hostname resolving
-
- abi ,
-
- dbus send bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member=HostNameResolverNew
- peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
-
- dbus send bus=system path=/Client@{int}/HostNameResolver@{int}
- interface=org.freedesktop.Avahi.HostNameResolver
- member=Free
- peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
-
- dbus receive bus=system path=/Client@{int}/HostNameResolver@{int}
- interface=org.freedesktop.Avahi.HostNameResolver
- peer=(name=@{busname}, label="@{p_avahi_daemon}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser
deleted file mode 100644
index bff079b13..000000000
--- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser
+++ /dev/null
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Record browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=RecordBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server deleted file mode 100644 index bfc87b3cc..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - # Allow service introspection - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - # Allow accessing DBus properties and resolving - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={Get*,Resolve*,IsNSSSupportAvailable} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - # Allow receiving anything from the Avahi server - dbus receive bus=system - interface=org.freedesktop.Avahi.Server - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser
deleted file mode 100644
index 6a3b1510d..000000000
--- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser
+++ /dev/null
@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member=ServiceBrowserNew
- peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
-
- dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
- interface=org.freedesktop.Avahi.ServiceBrowser
- member=Free
- peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
-
- dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
- interface=org.freedesktop.Avahi.ServiceBrowser
- peer=(name=@{busname}, label="@{p_avahi_daemon}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver
deleted file mode 100644
index d90e9ca14..000000000
--- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver
+++ /dev/null
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Service resolving - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=ServiceResolverNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser deleted file mode 100644 index 93affdc51..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Service type browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=ServiceTypeBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera deleted file mode 100644 index 0f5cff363..000000000 
--- a/apparmor.d/abstractions/camera +++ /dev/null @@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows access to all cameras - - abi , - - # Allow detection of cameras. Leaks plugged in USB device info - @{sys}/bus/usb/devices/ r, - @{sys}/devices/@{pci}/usb@{int}/**/busnum r, - @{sys}/devices/@{pci}/usb@{int}/**/devnum r, - @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, - @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, - @{sys}/devices/@{pci}/usb@{int}/**/interface r, - @{sys}/devices/@{pci}/usb@{int}/**/modalias r, - @{sys}/devices/@{pci}/usb@{int}/**/speed r, - - @{sys}/class/video4linux/ r, - @{sys}/devices/**/video4linux/** r, - @{sys}/devices/**/video4linux/video@{int}/ r, - @{sys}/devices/**/video4linux/video@{int}/uevent r, - - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c81:@{int} r, # For video4linux - - # VideoCore cameras (shared device with VideoCore/EGL) - /dev/vchiq rw, - - # Access to video /dev devices - /dev/video@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 28badc6db..5072cadfd 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,7 +2,6 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. @@ -13,35 +12,31 @@ abi , include - include + include include include - include + include include include include - include include include include include include include - include include - include include include - include - include include include + include dbus bus=accessibility, dbus bus=session, dbus bus=system, - /usr/** rk, + /usr/** r, /usr/share/** rk, /etc/{,**} r, 
@@ -72,10 +67,13 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @@ -85,7 +83,6 @@ @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, - @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, @@ -97,13 +94,11 @@ @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, - @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, @@ -147,6 +142,9 @@ @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, + /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/common/apt similarity index 72% rename from apparmor.d/abstractions/apt rename to apparmor.d/abstractions/common/apt index 25106ad6e..5dd8b26bc 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/common/apt @@ -6,9 +6,7 @@ abi , /usr/share/dpkg/cputable r, - /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, - /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, @@ -20,9 +18,6 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, - /etc/apt/trusted.gpg r, - /etc/apt/trusted.gpg.d/{,*} r, - /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, 
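Review bot: `/dev/hidraw@{int} rw,`, `/dev/input/ r,` and `/dev/input/event@{int} rw,` in the last hunk of common/app are inherited by every profile built on this abstraction, which until this commit had to include the dedicated `input` and `devices-u2f` abstractions (both deleted here) to get them. Raw event devices carry every key and pointer event on the seat and hidraw exposes security tokens, so a sandbox base abstraction is the wrong place for a blanket grant. I'd keep them in the profiles that actually need them, or at least state the reason on the line: `/dev/input/event@{int} rw, # all input devices on the seat, not only game controllers`. The same device rules are added to common/game in a later hunk, where they are easier to justify.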
@@ -30,14 +25,11 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu + /var/lib/ubuntu-advantage/apt-esm/{,**} r, owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 2d3ab179f..da73b8217 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,7 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: att # A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 23f4544a3..78441fe08 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -2,7 +2,6 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/app/chromium instead. @@ -17,14 +16,9 @@ userns, - # Required for dropping into PID namespace. Keep in mind that until the - # process drops this capability it can escape confinement, but once it - # drops CAP_SYS_ADMIN we are ok. - capability sys_admin, - - # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 + capability sys_admin, capability sys_chroot, capability sys_ptrace, 
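Review bot: `capability sys_admin,` in common/chromium loses its explanatory comment when it is moved below `capability setuid,`; the removed text recorded that it is only needed to enter the sandbox PID namespace and that the process can escape confinement until it drops the capability. That rationale is the main reason a reviewer would accept sys_admin in an abstraction, so it should move with the line: `capability sys_admin, # For dropping into the PID namespace; confinement can be escaped until it is dropped`. The surrounding capability block continues outside the hunk.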
@@ -38,22 +32,20 @@ owner @{tmp}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, - owner @{tmp}/scoped_dir@{rand6}/SS rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/SS w, /dev/shm/ r, owner /dev/shm/.@{domain}.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - # Allow getting the manufacturer and model of the computer where chromium is currently running. @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index dd4976f5e..b581c9073 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -1,11 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: domain -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs # Minimal set of rules for all electron based UI application. It works as a # *function* and requires some variables to be provided as *arguments* and set @@ -20,7 +15,6 @@ abi , - include include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 2198c8537..6b97b014c 100644 --- a/apparmor.d/abstractions/common/game 
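Review bot: `SingletonCookie` and `SingletonSocket` under `@{tmp}/.@{domain}.@{rand6}/` and `@{tmp}/scoped_dir@{rand6}/` go from `rw` to `w`, but as far as I can tell Chromium's process-singleton check reads the cookie symlink in that directory back to compare it with the one in the profile directory, and readlink is mediated as `r`. The denial would only appear when a second instance connects to a running one, so it is easy to miss in a single-instance test; worth checking the audit log with two instances before settling on `w`. The comment explaining why `dmi/id/product_name` and `sys_vendor` are read was also dropped while those lines were reordered; restoring it as `# Manufacturer and model of the machine chromium runs on` keeps the intent visible.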
+++ b/apparmor.d/abstractions/common/game @@ -17,10 +17,8 @@ include include include - include include include - include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -68,6 +66,9 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -78,6 +79,7 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, + @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, @@ -106,7 +108,11 @@ /dev/ r, /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/js@{int} rw, /dev/tty rw, + /dev/uinput rw, include if exists diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 6dcb26860..056f6581b 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,8 +6,9 @@ abi , + include include - include + include include include include diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index 851588220..b60e74a10 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -1,9 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: app_dirs -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: share_dirs abi , diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index c4abbd574..4a32a1aa7 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,17 +9,14 @@ abi , - include include include - include - include + include + include include include include include - include - include include include include 
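Review bot: `/dev/uinput rw,` in the last hunk of common/game allows every profile built on this abstraction to create virtual input devices and inject events into the session, which is a different class of privilege from the read side of `/dev/input/event@{int}` and `/dev/input/js@{int}` that controllers need. Presumably this is for controller emulation of the Steam Input kind, but not every game profile should inherit it. I'd move it to the profiles that need it, or at least mark it on the line: `/dev/uinput rw, # controller emulation: creates virtual input devices`.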
diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f deleted file mode 100644 index c707d66e0..000000000 --- a/apparmor.d/abstractions/devices-u2f +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows access to Universal 2nd Factor (U2F) devices - - abi , - - @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) - - # Needed for dynamic assignment of U2F devices - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/devices/**/i2c*/**/report_descriptor r, - @{sys}/devices/**/usb@{int}/**/report_descriptor r, - - # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed - /dev/hidraw@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 3361f10ec..85f8f6b92 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,22 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow raw access to all connected USB devices - abi , include - @{PROC}/tty/drivers r, + /dev/bus/usb/@{int}/@{int} wk, - /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, - - # Allow access to all ttyUSB devices too - /dev/ttyACM@{int} wk, - /dev/ttyUSB@{int} wk, - - # Allow raw access to USB printers (i.e. for receipt printers in POS systems). - /dev/usb/lp@{int} wk, + @{sys}/devices/**/usb@{int}/{,**} w, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index ea3131d59..836a5f3c7 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read 
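Review bot: `@{sys}/devices/**/usb@{int}/{,**} w,` in devices-usb grants write access to every sysfs attribute under every USB device, which includes control files such as `authorized`, `remove` and the driver `unbind` interface, not only the raw `/dev/bus/usb` device nodes the abstraction is named for. If a specific attribute is the intent it should be named; otherwise the description comment `# Allow raw access to all connected USB devices` that this hunk removes should come back, extended to say that sysfs is writable too, so profile authors know what they are including. The drop of the `ttyACM`, `ttyUSB` and `usb/lp` rules is a tightening and fine on its own.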
@@ -3,29 +3,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow detection of usb devices. Leaks plugged in USB device info - abi , + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{int}/@{int} r, + @{sys}/class/ r, @{sys}/class/usbmisc/ r, @{sys}/bus/ r, @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/devices/**/usb@{int}/ r, - @{sys}/devices/**/usb@{int}/** r, + @{sys}/bus/usb/devices/{,**} r, + + @{sys}/devices/**/usb@{int}/{,**} r, # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/b180:@{int} r, # USB block devices - @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems - @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices - - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index 128da00d0..dd8f7b55a 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -28,11 +28,8 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, - # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, - - # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index 8536470bd..aa6e14416 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc 
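Review bot: `@{run}/udev/data/c16[6,7]:@{int} r,` and `c18[0,8,9]:@{int}` use bracket classes, and in AppArmor globbing the comma inside `[...]` is a member of the class rather than a separator, so these also match a literal `,` (e.g. `c16,:1`); the old alternation `{6,7}` was the correct spelling. Write them as `@{run}/udev/data/c16[67]:@{int} r, # ACM USB modems` and `@{run}/udev/data/c18[089]:@{int} r, # USB devices & USB serial converters`. The `b180:@{int}` rule for USB block devices is dropped without a replacement, which may be intended, and the header comment noting that this abstraction leaks plugged-in USB device info was removed as well; that caveat was useful to profile authors.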
@@ -22,15 +22,9 @@ @{PROC}/stat r, # Glibc's *printf protections read the maps file - owner @{PROC}/@{pid}/auxv r, - owner @{PROC}/@{pid}/maps r, - owner @{PROC}/@{pid}/status r, - - # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, - # but in a format that is simpler to manage, because it doesn't require to - # parse the text data inside a file, but just reading the contents of - # a directory. - owner @{PROC}/@{pid}/map_files/ r, + @{PROC}/@{pid}/auxv r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/status r, # Glibc statvfs @{PROC}/filesystems r, diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 227377f3a..445c62e6b 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,17 +4,14 @@ abi , - include include include - include - include + include + include include include include include - include - include include include include diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3d4b47f9f..3dece8578 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index c4edd09b4..79872ceb4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics 
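Review bot: dropping `owner` from `@{PROC}/@{pid}/auxv r,`, `maps r,` and `status r,` in glibc widens the rules from the process's own (and same-uid) entries to those of every process on the system, while the comment above them still only justifies reading the maps file for glibc's `*printf` protections, which is `/proc/self/maps` and was already covered by `owner`. `maps` and `auxv` remain behind the kernel's ptrace access check, but `status` is readable by anyone, and this abstraction is pulled into a large share of profiles, so the widening propagates broadly. I'd keep `owner @{PROC}/@{pid}/maps r,` and its siblings here and add any foreign-process read to the individual profile that needed it.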
@@ -13,22 +13,14 @@ /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, - @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + @{sys}/devices/system/cpu/cpu@{int}/topology/* r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, @{sys}/devices/system/cpu/present r, - @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{sys}/devices/system/node/node@{int}/cpumap r, include if exists diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index de5f865b5..1e2c97224 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -8,7 +8,13 @@ include include + @{sys}/devices/@{pci}/numa_node r, + + @{PROC}/devices r, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/gschemas b/apparmor.d/abstractions/gsettings similarity index 88% rename from apparmor.d/abstractions/gschemas rename to apparmor.d/abstractions/gsettings index 21a4d860c..4d22f080b 100644 --- a/apparmor.d/abstractions/gschemas +++ b/apparmor.d/abstractions/gsettings @@ -9,6 +9,6 @@ @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - include if exists + include if exists # vim:syntax=apparmor 
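Review bot: `/dev/char/@{dynamic}:@{int} w,` in graphics-full matches every character device with a dynamically allocated major, not only the NVIDIA nodes it is presumably paired with (`/dev/nvidia-uvm` below uses a dynamic major), and the comment copied from the deleted devices-u2f abstraction only documents the number range, not why a graphics abstraction writes there. I'd state the reason on the line: `/dev/char/@{dynamic}:@{int} w, # nvidia-uvm registers a dynamic major; this matches every dynamic-major char device`. If the `@{PROC}/devices r,` read is what resolves that major at runtime, say so next to it too.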
diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict
deleted file mode 100644
index 0bf0ab41c..000000000
--- a/apparmor.d/abstractions/gtk-strict
+++ /dev/null
@@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - include - include - include - include - - @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, - @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, - @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, - - /usr/share/gtksourceview-2.0/{,**} r, - /usr/share/gtksourceview-3.0/{,**} r, - /usr/share/gtksourceview-4/{,**} r, - /usr/share/gtksourceview-5/{,**} r, - - /usr/share/gtk-2.0/ r, - /usr/share/gtk-2.0/gtkrc r, - - /usr/share/gtk-3.0/ r, - /usr/share/gtk-3.0/settings.ini r, - - /usr/share/gtk-4.0/ r, - /usr/share/gtk-4.0/settings.ini r, - - /etc/gtk/gtkrc r, - - /etc/gtk-2.0/ r, - /etc/gtk-2.0/gtkrc r, - - /etc/gtk-3.0/ r, - /etc/gtk-3.0/*.conf r, - /etc/gtk-3.0/settings.ini r, - - /etc/gtk-4.0/ r, - /etc/gtk-4.0/*.conf r, - /etc/gtk-4.0/settings.ini r, - - owner @{HOME}/.gtk r, - owner @{HOME}/.gtkrc r, - owner @{HOME}/.gtkrc-2.0 r, - owner @{HOME}/.gtk-bookmarks r, - - owner @{user_cache_dirs}/gtk-4.0/ rw, - owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw, - owner @{user_cache_dirs}/gtkrc r, - owner @{user_cache_dirs}/gtkrc-2.0 r, - - owner @{user_config_dirs}/gtk-2.0/ rw, - owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw, - - owner @{user_config_dirs}/gtk-3.0/ rw, - owner @{user_config_dirs}/gtk-3.0/bookmarks r, - owner @{user_config_dirs}/gtk-3.0/colors.css r, - owner @{user_config_dirs}/gtk-3.0/gtk.css r, - owner @{user_config_dirs}/gtk-3.0/servers r, - owner @{user_config_dirs}/gtk-3.0/settings.ini r, - owner @{user_config_dirs}/gtk-3.0/window_decorations.css r, - - owner @{user_config_dirs}/gtk-4.0/ rw, - owner @{user_config_dirs}/gtk-4.0/bookmarks r, - owner @{user_config_dirs}/gtk-4.0/colors.css r, - owner @{user_config_dirs}/gtk-4.0/gtk.css r, - owner @{user_config_dirs}/gtk-4.0/servers r, - owner @{user_config_dirs}/gtk-4.0/settings.ini r, - owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, - 
- include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 0b69d8ee1..99cf70d97 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,9 +2,23 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include - include - include + dbus receive bus=session + interface=org.gtk.Actions + member={Activate,DescribeAll,SetState} + peer=(name=@{busname}), + + dbus send bus=session + interface=org.gtk.Actions + member=Changed, + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gsd-xsettings), @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input deleted file mode 100644 index 57905fd0c..000000000 --- a/apparmor.d/abstractions/input +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Canonical Ltd -# Copyright (C) 2022-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow reading and writing to raw input devices - - abi , - - # network netlink raw, - - # Allow reading for supported event reports for all input devices. See - # https://www.kernel.org/doc/Documentation/input/event-codes.txt - @{sys}/devices/**/input@{int}/capabilities/* r, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/mice rw, - /dev/input/mouse@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 79e97b23f..5fbdd7869 100644 
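Review bot: the rules inlined into gtk.d/complete cover org.gtk.Actions and org.gtk.Settings, but nothing from the deleted org.gtk.Menus abstraction (receive `{Start,End}`, send `Changed`) nor the `org.freedesktop.DBus.Properties` `GetAll` receive from gnome-shell that the deleted org.gtk.Actions abstraction carried. The three removed `include` lines lost their targets in this rendering, so I cannot tell whether Menus was among them; if it was, GTK applications exporting menus over D-Bus will start logging denials. Worth checking against the original include list; the missing block would be `dbus receive bus=session interface=org.gtk.Menus member={Start,End} peer=(name=@{busname}),` and `dbus send bus=session interface=org.gtk.Menus member=Changed,`.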
--- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,17 +4,14 @@ abi , - include include include - include - include + include + include include include include include - include - include include include include @@ -48,7 +45,7 @@ owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_* rwlk, + owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 913ab3eb3..f20c24a32 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -4,13 +4,11 @@ abi , - include - include include + include include - include + include include - include include include include diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control deleted file mode 100644 index 1cdcf66f2..000000000 --- a/apparmor.d/abstractions/media-control +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows access to media controller such as microphones, and video capture hardware. -# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst - - abi , - - # Control of media devices - /dev/media@{int} rwk, - - # Access to V4L subnodes configuration - # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html - /dev/v4l-subdev@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys deleted file mode 100644 index d9aafa764..000000000 --- a/apparmor.d/abstractions/mediakeys +++ /dev/null 
@@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow requesting interest in receiving media key events. This tells Gnome -# settings that our application should be notified when key events we are -# interested in are pressed, and allows us to receive those events. - - abi , - - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris deleted file mode 100644 index f06c8560e..000000000 --- a/apparmor.d/abstractions/mpris +++ /dev/null @@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow operating as an MPRIS player. - - abi , - - include - - # Allow binding to the well-known DBus mpris interface based on the app's name - # See: https://specifications.freedesktop.org/mpris-spec/latest/ - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications deleted file mode 100644 index 81d5cc94c..000000000 --- a/apparmor.d/abstractions/notifications +++ /dev/null @@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - include - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a14691a9c..c3aa8e805 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,7 +6,7 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, /usr/share/nvidia/nvidia-application-profiles-* r, 
@@ -24,34 +24,20 @@ owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, - @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, - @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, - + @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{u8} w, # Nvidia graphics devices - - # Nvidia proprietary modset driver + /dev/char/195:@{int} w, # Nvidia graphics devices /dev/nvidia-modeset rw, - - # Nvidia graphics devices /dev/nvidia@{int} rw, - - # Nvidia's Unified Memory driver - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, - - # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index e00385efd..ef9d0c40d 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{u8} rw, # Nvidia graphics devices + /dev/char/195:@{int} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd deleted file mode 100644 index 33a981279..000000000 --- a/apparmor.d/abstractions/pcscd +++ /dev/null 
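Review bot: The nvidia-strict hunk drops `/dev/nvidia-uvm rw,` and `/dev/nvidia-uvm-tools rw,` (plus the MIG/`gpus/@{pci_id}/information` proc reads) without a replacement anywhere in the hunk; if those rules were not moved to another abstraction, CUDA/unified-memory clients of this abstraction will now be denied, so either re-add them or note in the commit where they went. The `/dev/char/195:@{u8}` to `/dev/char/195:@{int}` change (mirrored in the nvidia.d/complete hunk) is a widening, since `@{u8}` bounded the minor number to a byte; a short comment such as `# minor > 255 seen on multi-GPU hosts` would justify it if that was the trigger.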
@@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows interacting with PC/SC Smart Card Daemon - - abi , - - # Configuration file for OPENSC - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, - - # Socket for communication between PCSCD and PS/SC API library - @{run}/pcscd/pcscd.comm rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used index 66a80867b..d3a7ec289 100644 --- a/apparmor.d/abstractions/recently-used +++ b/apparmor.d/abstractions/recently-used @@ -14,6 +14,8 @@ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, owner @{user_share_dirs}/recently-used.xbel.lock rwk, + owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver deleted file mode 100644 index 1a9369091..000000000 --- a/apparmor.d/abstractions/screensaver +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow checking status, activating and locking the screensaver - - abi , - - include if exists - include if exists - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service deleted file mode 100644 index 083672cc9..000000000 --- a/apparmor.d/abstractions/secrets-service +++ /dev/null 
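Review bot: The `# FIXME: not here?` on the new `owner @{user_config_dirs}/user-dirs.dirs r,` line in recently-used leaves the reader without the reason the rule landed in this abstraction; since the dedicated `user-dirs` abstraction is deleted elsewhere in this diff, the comment should state that, e.g. `# user-dirs.dirs is read to resolve XDG dirs in recently-used.xbel paths; former abstractions/user-dirs`. As written, the next maintainer has no way to tell whether removing the line is safe.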
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Provide full access to the secret-service API: -# - https://standards.freedesktop.org/secret-service/) -# -# The secret-service allows managing (add/delete/lock/etc) collections and -# (add/delete/etc) items within collections. The API also has the concept of -# aliases for collections which is typically used to access the default -# collection. While it would be possible for an application developer to use a -# snap-specific collection and mediate by object path, application developers -# are meant to instead to treat collections (typically the default collection) -# as a database of key/value attributes each with an associated secret that -# applications may query. Because AppArmor does not mediate member data, -# typical and recommended usage of the API does not allow for application -# isolation. For details, see: -# - https://standards.freedesktop.org/secret-service/ch03.html -# - - abi , - - include - include - - dbus send bus=session path=/org/gnome/keyring/daemon - interface=org.gnome.keyring.Daemon - member=GetEnvironment - peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes deleted file mode 100644 index 13fe70bc6..000000000 --- a/apparmor.d/abstractions/themes +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - /usr/share/themes/{,**} r, - - owner @{HOME}/.themes/{,**} r, - owner @{user_share_dirs}/themes/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm deleted file mode 100644 index ef7b30a2b..000000000 --- a/apparmor.d/abstractions/tpm +++ /dev/null 
@@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2016-2017 Canonical Ltd -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM -# resource manager /dev/tpmrm@{int} - - abi , - - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput deleted file mode 100644 index b97d1eb8a..000000000 --- a/apparmor.d/abstractions/uinput +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020 Canonical Ltd -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow write access to the uinput device for emulating input devices from -# userspace for sending input events. - - abi , - - /dev/uinput rw, - /dev/input/uinput rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe deleted file mode 100644 index 67478bb6d..000000000 --- a/apparmor.d/abstractions/upower-observe +++ /dev/null @@ -1,13 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Can query UPower for power devices, history and statistics. - - abi , - - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs deleted file mode 100644 index 189f8eb38..000000000 --- a/apparmor.d/abstractions/user-dirs +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - - owner @{user_config_dirs}/user-dirs.dirs r, - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 145cd763a..28d15cf76 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,9 +9,9 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{att}/@{tmp}/.wine-@{uid}/ rw, - owner @{att}/@{tmp}/.wine-@{uid}/** rwk, - owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{tmp}/.wine-@{uid}/ rw, + owner @{tmp}/.wine-@{uid}/** rwk, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index df13363fc..3046c8f6d 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -4,11 +4,9 @@ abi , - include include include - include - include + include include include include diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index ccdbf338b..13864f2dd 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd 
@@ -195,26 +195,25 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{sys}/firmware/efi/efivars/** w, @{sys}/fs/cgroup/{,**} w, - @{PROC}/@{pids}/attr/apparmor/exec w, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/fdinfo/@{int} r, - @{PROC}/@{pids}/gid_map w, - @{PROC}/@{pids}/limits r, - @{PROC}/@{pids}/loginuid rw, - @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/oom_score_adj rw, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/setgroups r, - @{PROC}/@{pids}/setgroups w, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, - @{PROC}/@{pids}/uid_map r, - @{PROC}/@{pids}/uid_map w, + @{PROC}/@{pid}/attr/apparmor/exec w, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map w, + @{PROC}/@{pid}/limits r, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/setgroups w, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pid}/uid_map w, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/irq/@{int}/node r, diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index 1f8368045..1743fd9d0 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 07706d052..7cb64af80 100644 
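Review bot: In the sd hunk, `@{PROC}/@{pids}/status r,` is removed but has no `@{pid}` counterpart on the new side, while every other `@{pids}` rule is renamed one-for-one; the line counts (26 old, 25 new) confirm it is the one rule that silently disappears. If that was unintended, add `@{PROC}/@{pid}/status r,` after the `stat r,` line; if intended, the commit message should say why systemd no longer needs it. The profile body continues outside the hunk.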
--- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -45,7 +45,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.terminfo/@{int}/dumb r, owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, @{PROC}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 7308a5ef0..68729b7fe 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index a5769931c..0a9f9fcaf 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? + deny /apparmor/.null rw, include if exists } diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 8581fe724..9bdabb1c2 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include include 
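Review bot: The new `deny /apparmor/.null rw,` in the apparmor_parser hunk has no comment, and the path is not self-explanatory to readers who do not know the kernel's apparmorfs null device; a one-liner such as `# silence revalidation noise on the apparmorfs null device` would help. The same hunk drops the `/opt/Mullvad*/resources/apparmor_mullvad r,` rule, so if Mullvad's maintainer scripts still hand that file to apparmor_parser the load will now be denied; that is presumably accepted, but it is a behaviour change hidden inside a cleanup. The narrowing of `@{lib_dirs}` to `/snap/snapd/@{int}@{lib}` in the earlier hunk likewise drops the `core` snap path without a note.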
@@ -147,7 +147,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, - /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, @@ -191,7 +190,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/bunzip2 rix, @{bin}/chmod rix, - @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, @@ -199,7 +197,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/* r, + /etc/dpkg/origins/debian r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index afd34f7e5..1251fe449 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index 0ce146261..a99b964c7 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 834bcbd8c..505a4b037 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 6fbfad65b..beb563f31 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates 
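Review bot: Narrowing `/etc/dpkg/origins/* r,` to `/etc/dpkg/origins/debian r,` in the apt hunk breaks derivatives: dpkg-vendor resolves `/etc/dpkg/origins/default`, which on Ubuntu and other derivatives points at a vendor file other than `debian`, so apt will now hit a denial there. The same change appears in the dpkg-buildflags and dpkg-checkbuilddeps hunks further down and should be handled together. Either keep a glob, or list the vendors actually shipped, e.g. `/etc/dpkg/origins/{default,debian,ubuntu} r,`.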
+++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include - include include + include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index 6551f21a7..bc140acd1 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 3eec09d60..2fbb5d95b 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 18b6d7241..5a2d7dd55 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, @@ -25,8 +25,6 @@ profile apt-helper @{exec_path} { capability net_admin, - ptrace read peer=@{p_systemd}, - include if exists } diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index c174267f5..4af469c30 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 77a418b07..61be160dc 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http 
@@ -74,8 +74,6 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { @{run}/ubuntu-advantage/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, - @{run}/systemd/resolve/io.systemd.Resolve rw, - @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 7f59635eb..4ba9e57d7 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,6 +30,7 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, + owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 514b952ff..16dc584b3 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include - include + include include include diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index b3f411c84..9254be27d 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include - include include include + include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 6d09e34c0..b42649d7c 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -12,7 +12,7 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 824d3b4dd..d2e9e9260 100644 
--- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -15,8 +15,6 @@ profile deb-systemd-invoke @{exec_path} { capability net_admin, capability sys_resource, - ptrace read peer=@{p_systemd}, - signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 0a7706fe1..4660755d6 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -14,7 +14,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { include include include - include + include capability dac_read_search, @@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, - # Debconf apps + # debconf apps @{bin}/adequate Px, @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @@ -49,8 +49,6 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms_* rPUx, - /etc/libpaper.d/texlive-base rPUx, - /usr/share/debconf/{,**} r, /etc/inputrc r, diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 53e5964bd..3e3fd2ab9 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include - include include + include include #capability sys_tty_config, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 986c6f188..2c1ac1ce5 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -18,9 +18,6 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, - capability sys_ptrace, - - ptrace read peer=apt, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 1a4055f77..467d0d50e 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags 
+++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -14,13 +14,10 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { @{exec_path} r, - /usr/share/lto-disabled-list/lto-disabled-list r, + /etc/dpkg/origins/debian r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, - /usr/share/dpkg/abitable r, - - /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 297a45f84..6f54d3967 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -10,22 +10,17 @@ include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include - include include @{exec_path} r, - @{bin}/dpkg rPx, - @{bin}/@{multiarch}gcc-@{int} mrix, - - /usr/share/dpkg/ostable r, - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - - /etc/dpkg/origins/* r, + /etc/dpkg/origins/debian r, /var/lib/dpkg/status r, + /usr/share/dpkg/cputable r, + /usr/share/dpkg/tupletable r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup index 8e99e70c5..d83bdbb45 100644 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/dpkg/dpkg-db-backup profile dpkg-db-backup @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index aa9232c73..dfb881e32 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -21,8 +21,8 @@ profile dpkg-maintscript-helper @{exec_path} { profile dpkg { include - include include + include capability dac_read_search, 
diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor new file mode 100644 index 000000000..38a068ac0 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -0,0 +1,67 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/apparmor* +profile dpkg-script-apparmor @{exec_path} { + include + include + + capability dac_read_search, + + @{exec_path} mrix, + + @{bin}/{,e}grep ix, + + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-divert ix, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/apparmor_parser Px, + + /usr/share/apparmor.d/** rw, + + /etc/apparmor.d/** rw, + + /var/lib/dpkg/diversions rw, + /var/lib/dpkg/diversions-new rw, + /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + + /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/format r, + /var/lib/dpkg/status r, + /var/lib/dpkg/triggers/File r, + /var/lib/dpkg/triggers/Unincorp r, + /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/@{int} r, + + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + capability dac_override, + capability dac_read_search, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent rix, + + @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, + + owner @{run}/systemd/ask-password/ rw, + owner @{run}/systemd/ask-password-block/{,*} rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-kmod b/apparmor.d/groups/apt/dpkg-script-kmod new file mode 100644 index 000000000..f900bba17 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-kmod 
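Review bot: The `systemctl` sub-profile in the new dpkg-script-apparmor file grants `capability dac_override,` and `capability dac_read_search,` on top of `net_admin`/`sys_resource`, whereas the sibling `systemctl` sub-profiles added in dpkg-script-linux and dpkg-script-systemd grant only `net_admin` (and `sys_resource`); if the extra capabilities are really needed here, a comment naming the operation that requires them would justify the inconsistency, otherwise drop them. In the same sub-profile the `@{run}/user/@{uid}/systemd/ask-password/ rw,` and `ask-password-block/{,*} rw,` rules lack the `owner` qualifier that the parallel `@{run}/systemd/ask-password/` rules carry. The broad `/usr/share/apparmor.d/** rw,` and `/etc/apparmor.d/** rw,` are expected for a policy-package maintainer script, but a one-line comment (`# diverts and installs shipped profiles`) would make the intent explicit.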
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/kmod* +profile dpkg-script-kmod @{exec_path} { + include + + @{exec_path} mrix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux new file mode 100644 index 000000000..af578be50 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/linux* +profile dpkg-script-linux @{exec_path} { + include + include + + capability dac_read_search, + + @{exec_path} mrix, + + @{bin}/cat ix, + @{bin}/mkdir ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/stty ix, + + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/systemctl Cx -> systemctl, + + /usr/share/{update,reboot}-notifier/notify-reboot-required Px, + /etc/kernel/{,header_}postinst.d/* Px, + /etc/kernel/postrm.d/* Px, + /etc/kernel/preinst.d/* Px, + /etc/kernel/prerm.d/* Px, + + /etc/kernel/*.d/ r, + + @{lib}/linux/triggers/* w, + @{lib}/modules/*/.fresh-install w, + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd new file mode 100644 index 000000000..6c76e6f70 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-systemd 
@@ -0,0 +1,77 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/systemd* +profile dpkg-script-systemd @{exec_path} { + include + include + + capability dac_read_search, + + @{exec_path} mrix, + + @{coreutils_path} rix, + @{bin}/bootctl Px, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Cx -> dpkg, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/journalctl Px, + @{bin}/kernel-install mrPx, + @{bin}/systemctl Cx -> systemctl, + @{bin}/systemd-machine-id-setup Px, + @{bin}/systemd-sysusers Px, + @{bin}/systemd-tmpfiles Px, + @{lib}/systemd/systemd-sysctl Px, + @{sbin}/pam-auth-update Px, + + /etc/systemd/system/*.wants/ rw, + /etc/systemd/system/*.wants/* rw, + + /etc/pam.d/sed@{rand6} rw, + /etc/pam.d/common-password rw, + + @{efi}/ r, + + /var/lib/systemd/{,*} rw, + /var/log/journal/ rw, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 2434c9db9..7d2073768 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -63,10 +63,8 @@ profile dpkg-scripts @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* w, - @{sbin}/ r, - @{sbin}/* w, @{lib}/ r, - @{lib}/** wl -> @{lib}/**, + @{lib}/** w, /opt/*/** rw, #aa:lint ignore=too-wide 
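Review bot: In the new dpkg-script-systemd profile, `/etc/pam.d/sed@{rand6} rw,` and `/etc/pam.d/common-password rw,` suggest the maintainer script edits PAM configuration in place with sed, yet the only non-transition exec rule is `@{coreutils_path} rix`, and sed is not part of coreutils; either `@{bin}/sed ix,` is missing or those two file rules are dead and should go. Given that `@{sbin}/pam-auth-update Px,` is also present, a comment saying which path actually touches `/etc/pam.d` would settle it. Separately, the dpkg-scripts hunk in this same diff line changes `@{lib}/** wl -> @{lib}/**,` to `@{lib}/** w,`, dropping the link permission; if alternatives/symlink creation under `@{lib}` is still expected, that will now be denied.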
@@ -78,11 +76,9 @@ profile dpkg-scripts @{exec_path} { @{run}/** rw, @{efi}/grub/* rw, - /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, - /tmp/updateppds.@{rand6} rw, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @@ -117,10 +113,6 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - ptrace read peer=@{p_systemd}, - @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 87967d164..2a2063d8e 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include - include - include include + include + include + include include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a6584a23d..a814eaaa9 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index c48286299..36e299a0c 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d2da77bc3..d501a325f 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade 
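Review bot: The third dpkg-scripts hunk removes `signal send set=(cont term) peer=systemd-tty-ask-password-agent,` while keeping `@{bin}/systemd-tty-ask-password-agent Px,` two lines below, but the new `systemctl` sub-profiles added elsewhere in this diff (dpkg-script-apparmor, dpkg-script-systemd) keep exactly that signal rule next to the same exec rule. Unless the agent is never signalled from this profile, the removal looks inconsistent with the new files and will surface as a denial when systemctl tears the agent down. The enclosing profile body starts and ends outside the hunk.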
@@ -10,11 +10,11 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include include include @@ -38,8 +38,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, - #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade - @{exec_path} mr, @{bin}/ r, @@ -72,7 +70,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, - /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, @@ -130,7 +127,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index f7b94d68d..1fb667fae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,10 +9,10 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 6ea4f19fb..f829ab3ff 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include - include include + include include @{exec_path} r, 
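Review bot: The `@@ -38,8 +38,6 @@` hunk removes `#aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade` (and the matching interface XML read further down) from unattended-upgrade, but nothing in the visible unattended-upgrade-shutdown hunk picks the name up, and the `unix type=stream addr=@@{udbus}/bus/unattended-upgr/system` rule kept just above shows the process still attaches to the system bus. If the name is in fact claimed by a different binary, say which one in a comment where the directive used to be; otherwise confirm in the audit log that `RequestName` on `com.ubuntu.UnattendedUpgrade` is not now denied, since a refused bind surfaces as a D-Bus error inside the service rather than as a file denial.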
diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 805d54b2b..3ac729baa 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -11,10 +11,14 @@ include profile avahi-browse @{exec_path} { include include - include - include + include include + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member={ItemNew,AllForNow,CacheExhausted} + peer=(name=:*, label="@{p_avahi_daemon}"), + @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index d45cffca3..1a66b4726 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -11,11 +11,19 @@ include profile avahi-resolve @{exec_path} { include include - include - include - include + include include + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member={Free,HostNameResolverNew} + peer=(name=:*, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member={Failure,Found} + peer=(name=:*, label="@{p_avahi_daemon}"), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index 45df7ce93..dd9eaba6c 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,6 +1,5 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken -# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,8 +9,6 @@ include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include - include - include include @{exec_path} mr, 
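Review bot: In the avahi-resolve hunk the new send rule places `HostNameResolverNew` under `path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver`, but as far as I recall that method belongs to `org.freedesktop.Avahi.Server` at `path=/` (the resolver interfaces carry only `Free` plus the `Found`/`Failure` signals), so the rule would not match the call it is meant to allow, and the `-n` mode's `/Client@{int}/HostNameResolver@{int}` objects have no receive rule at all. The send rule also addresses the daemon as `peer=(name=:*, …)` while the pulseaudio hunk in this same commit sends to the resolver objects with `peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}")`; whichever form actually matched in testing should be used in both places. A split along those lines would look like this:

```apparmor
  dbus send bus=system path=/
       interface=org.freedesktop.Avahi.Server
       member=HostNameResolverNew
       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),

  dbus send bus=system path=/Client@{int}/AddressResolver@{int}
       interface=org.freedesktop.Avahi.AddressResolver
       member=Free
       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),

  # … unchanged: receive rule for Failure/Found …
```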
diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 08a553c1d..469fb24a0 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,6 +11,7 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 12c8e2e80..2800a4124 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -12,7 +12,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include - include # Needed for configuring HCI interfaces capability net_admin, @@ -58,6 +57,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, + /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 3ea17a4e5..65ad4c0e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -25,11 +25,6 @@ profile obexd @{exec_path} { member=Release peer=(name=:*, label="@{p_bluetoothd}"), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 45a32868e..86b293e8d 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -12,7 +12,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -62,6 +61,8 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, + /dev/video@{int} rw, + include if exists } 
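Review bot: The bluetoothd hunk adds `/dev/uinput rw,` without a comment, and uinput is the one device in this profile that lets the daemon synthesize arbitrary keyboard and pointer events for the whole system, so the reason belongs on the line in the style of the existing `# Needed for configuring HCI interfaces` note. Presumably this is for the virtual input device bluez creates for AVRCP media keys or HID; if so write `/dev/uinput rw, # virtual input device for AVRCP/HID events`. If it came from a different code path, record that instead, because this grant is the first thing an auditor will ask about.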
diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fec6d7897..26311b575 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -13,7 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c9b9a1538..f876d1210 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,13 +9,12 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include + include include include - include - include - include + include + include include - include include network inet dgram, @@ -40,7 +39,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mrix, @@ -54,6 +53,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 27e228e2c..cc6b33f61 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session 
@@ -31,10 +31,10 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=session + dbus receive bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name="{@{busname},org.freedesktop.DBus}"), + member=Hello + peer=(name=@{busname}), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 1b62a1086..4dec1d407 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -36,8 +36,8 @@ profile dbus-system flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name="{@{busname},org.freedesktop.DBus}"), + member=Hello + peer=(name=@{busname}), dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Activator @@ -77,12 +77,11 @@ profile dbus-system flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/oom_score_adj r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/oom_score_adj r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, @@ -92,7 +91,6 @@ profile dbus-system flags=(attach_disconnected) { @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, - @{att}/dev/pts/ptmx rw, include if exists } 
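Review bot: In the dbus-system `@@ -36,8 +36,8 @@` hunk the explicit receive rule for `GetConnectionUnixProcessID`, `GetConnectionUnixUser` and `GetConnectionCredentials` is reduced to `member=Hello`; those three calls are how polkit, logind and most system services authenticate their callers, so they must still be matched by whatever the `#aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}` directive above expands to in the bus daemon's own profile. I cannot see that expansion from here, so please confirm in the audit log after a privileged action (a polkit prompt, for instance) that no `dbus_method_call` denial for those members appears against dbus-system or dbus-session, because a miss there breaks authorization bus-wide rather than for one client. The same narrowing is applied to dbus-session in the hunk above.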
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index b326138d6..3fdab031b 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index bac225ebc..817d63175 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,7 +11,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 8bdc3c79c..e900fc3f5 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -11,7 +11,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 2fa49e50f..34d881a8a 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,7 +9,10 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include + include include + include + include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index b1f1445b3..5233f8603 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -10,7 +10,7 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 6ea4891a7..53edb4b00 100644 
--- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -15,12 +15,11 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.portal.IBus - #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index ce1c2b108..698eeedb6 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,7 +10,10 @@ include profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include + include include + include + include include include include diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 8e991cee7..61191fe9d 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -41,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{u8} w, # Nvidia graphics devices + owner /dev/char/195:@{int} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 4296f03af..7faf52185 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -18,8 +18,6 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { @{browsers_path} Px, @{file_explorers_path} Px, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, - include if exists include if exists } 
diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 3acfc14fd..3756c1d03 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -28,7 +28,6 @@ profile anacron @{exec_path} { @{tmp}/file@{rand6} rw, /tmp/anacron-@{rand6} rw, - /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -40,9 +39,7 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, - /tmp/anacron-@{rand6} rw, - /tmp/anacron-@{rand6}@{c} rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index 877200660..1009a0ef2 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 21da6bf93..6f658b064 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -25,7 +25,7 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs{,.bin} rix, + @{bin}/gs rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index ca1dc9630..a7773a57f 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -7,19 +7,18 @@ abi , include @{exec_path} = @{sbin}/cups-browsed -profile cups-browsed @{exec_path} flags=(attach_disconnected) { +profile cups-browsed @{exec_path} { include include + include include - include - include - include include include include - capability net_admin, +# capability net_admin, capability net_bind_service, +# capability sys_nice, network inet dgram, network inet6 dgram, 
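Review bot: In the anacron `@@ -40,9 +39,7 @@` hunk the `run-parts` child loses `/tmp/anacron-@{rand6} rw,` while the parent keeps it; if anacron still opens that file itself and hands it to the job as stdout/stderr, the descriptor is revalidated on the `Cx` transition and shows up as a `file_inherit` denial (with the job's output silently lost) rather than as an `open` denial, which is easy to miss in testing. If the output file is the `@{tmp}/file@{rand6}` one the child keeps, a one-line comment on that rule (`# job output file inherited from anacron`) would make the intent clear; otherwise restore the rule with `owner`. The child profile's header is outside this hunk.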
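Review bot: In the cups-browsed hunk the two capabilities are left behind as commented rules, `# capability net_admin,` and `# capability sys_nice,`, with no explanation, which tells the next reader neither whether they were ever observed nor under which configuration; a commented-out capability in an enforced profile is effectively a silent deny. Either delete them or keep them with the reason, e.g. `# capability net_admin, # TODO: not observed in CI; re-enable if the audit log shows it`. The same applies to the `# TODO: in abs 'avahi' ?` left on the avahi socket rule in the next hunk: state what decides it or drop the TODO.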
@@ -27,12 +26,20 @@ profile cups-browsed @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=@{busname}, label=NetworkManager), + peer=(name=:*, label=NetworkManager), + + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member={PrinterDeleted,PrinterStopped} + peer=(name=@{busname}, label=cups-notifier-dbus), @{exec_path} mr, @@ -42,15 +49,13 @@ profile cups-browsed @{exec_path} flags=(attach_disconnected) { /etc/cups/{,**} r, + /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, - /var/cache/cups/{,**} rw, - owner /var/cache/cups-browsed/{,**} rw, - owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, + @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index ec0bbfd67..acae9b7a1 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -11,8 +11,8 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include 
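Review bot: The new cups-notifier-dbus receive rule in the cups-browsed hunk uses `peer=(name=@{busname}, label=cups-notifier-dbus)` while the NetworkManager rule a few lines above is changed from `@{busname}` to `:*` in the very same hunk, and the Avahi rule added here also uses `name=:*`; pick one form for signal senders in this profile, which given the direction of the commit is `peer=(name=:*, label=cups-notifier-dbus)`. `PrinterDeleted` and `PrinterStopped` are signals, so the peer name is the notifier's unique bus name either way.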
@@ -46,6 +46,15 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=DeleteDevice + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceById + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + @{exec_path} mr, @{sh_path} rix, @@ -53,7 +62,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, - @{bin}/gs{,.bin} rix, + @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index fe4347237..c2a944b11 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -10,7 +10,7 @@ include profile ippfind @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index df17e0d9f..d110fb83b 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,7 +10,6 @@ include profile xdm-xsession @{exec_path} { include include - include include include include @@ -59,6 +58,7 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index bd144b7e2..280bd9d04 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet 
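Review bot: The two colord send rules added to cupsd differ only in `member=`, so they can be one rule, `member={DeleteDevice,FindDeviceById}`, matching the brace-set style used for the cups-notifier-dbus members elsewhere in this commit; two near-identical blocks invite divergence when a third member is needed. A short comment on why cupsd talks to colord at all (presumably colour-profile device registration on printer add/remove) would also help, since nothing else in the profile mentions it.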
@@ -21,9 +21,6 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/cgroup r, - - owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index fcb9d8b6c..aae80b87d 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,10 +11,8 @@ profile ufw-init @{exec_path} { include include - capability dac_override, capability dac_read_search, capability net_admin, - capability net_raw, network inet dgram, network inet raw, @@ -29,29 +27,12 @@ profile ufw-init @{exec_path} { @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, - @{bin}/kmod rCx -> kmod, /etc/default/ufw r, /etc/ufw/* r, - @{run}/xtables.lock rwk, - @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/sys/kernel/modprobe r, - - profile kmod { - include - include - - capability sys_module, - - @{run}/xtables.lock r, - - @{sys}/module/compression r, - @{sys}/module/x_tables/initstate r, - - include if exists - } + # @{PROC}/sys/net/ipv{4,6}/** rw, profile sysctl { include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 341db555e..c540b9db8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,9 +9,12 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include + include include include - include + include + include + include include include include 
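Review bot: In the ufw-init `@@ -29,29 +27,12 @@` hunk `@{run}/xtables.lock rwk,`, `@{PROC}/@{pid}/net/ip_tables_names r,` and the whole `kmod` child profile are removed while `@{sbin}/xtables-legacy-multi rix,` is kept; on a host whose iptables alternative still points at the legacy backend, iptables-legacy aborts with `Fatal: can't open lock file /run/xtables.lock` when that path is denied, which takes the entire ufw rule load with it (the nft backend does not use the lock, which is probably why this passed in CI). Either drop the legacy exec line too, so the profile is honest about supporting only iptables-nft, or keep the lock rule with a comment: `@{run}/xtables.lock rwk, # required by iptables-legacy`. The parked `# @{PROC}/sys/net/ipv{4,6}/** rw,` line should also say why it is commented rather than deleted.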
@@ -37,9 +40,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, - unix type=seqpacket peer=(label=flatpak-system-helper), - unix type=stream peer=(label=flatpak//fusermount), - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -47,16 +47,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), - - dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper - interface=org.freedesktop.Flatpak.SystemHelper - member=GetRevokefsFd - peer=(name=org.freedesktop.Flatpak.SystemHelper), - @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, @@ -164,9 +154,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability setuid, - unix type=seqpacket peer=(label=flatpak-system-helper), - unix type=stream peer=(label=flatpak), - mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e6be7ef4f..e8fe195fb 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app 
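Review bot: The `unix type=seqpacket peer=(label=flatpak-system-helper)` and `peer=(label=flatpak//fusermount)` rules and the `GetRevokefsFd` send are removed from a profile whose flags still include `complain`, so their absence will only ever be logged here; the enforced side of the same exchange is flatpak-system-helper, which this commit also strips of its peer rules. Revokefs hands a socket over D-Bus and then talks on it directly, so if that path is still exercised by a system-wide `flatpak install` the denial lands on the system-helper side rather than in this profile's complain log. Please record the observation that justified the removal, e.g. above `mount fstype=fuse.revokefs-fuse` a comment such as `# revokefs socket is passed over D-Bus; no direct unix rules needed` if that is the finding, so the rules are not re-added blindly when the complain flag is dropped.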
@@ -98,8 +98,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, - /dev/ntsync r, - include if exists include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 97f9f4911..b86f0a4fd 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,8 +11,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include - include - include include capability sys_ptrace, @@ -34,8 +32,11 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, + /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, + /var/lib/flatpak/exports/share/mime/mime.cache r, + owner /att/**/ r, owner @{att}/.flatpak-info r, @@ -43,6 +44,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, + owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 8a8f5afb7..162e3b448 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -21,11 +21,6 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Flatpak - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{shells_path} rUx -> user_unconfined, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0bd74bdcb..1381a1483 100644 
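Review bot: `owner /att/**/ r,` in the flatpak-portal hunk hardcodes the attach root while the neighbouring rules use the tunable (`owner @{att}/.flatpak-info r,` on the very next line), so the two will diverge as soon as `@{att}` is set to anything else. If the literal is deliberate because `@{att}/**/` would collapse to `/**/` when the tunable is empty, say so on the line: `owner /att/**/ r, # literal on purpose: @{att} may be empty`; otherwise use `owner @{att}/**/ r,`. An unowned-looking directory walk under the attach root is exactly the kind of rule a reviewer will otherwise flag as a typo.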
--- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -11,7 +11,6 @@ profile flatpak-system-helper @{exec_path} { include include include - include include include include @@ -28,13 +27,7 @@ profile flatpak-system-helper @{exec_path} { ptrace read, - unix type=seqpacket peer=(label=dbus-system), - unix type=seqpacket peer=(label=flatpak), - unix type=seqpacket peer=(label=flatpak//fusermount), - unix type=seqpacket peer=(label=unconfined), - #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, @@ -49,6 +42,7 @@ profile flatpak-system-helper @{exec_path} { /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, + /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, @@ -60,8 +54,7 @@ profile flatpak-system-helper @{exec_path} { @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index c069b7afd..81d0c9f6b 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -11,11 +11,9 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include + include include - include - include include - include include network inet dgram, @@ -33,8 +31,11 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, + /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, + @{system_share_dirs}/mime/mime.cache r, + owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, 
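Review bot: flatpak-system-helper is enforced (no `complain` in its profile flags at the top of the `@@ -11,7 +11,6 @@` hunk), and the `@@ -28,13 +27,7 @@` hunk removes all four `unix type=seqpacket peer=(label=…)` rules including the ones for `flatpak` and `flatpak//fusermount`, which are the peers of the revokefs socket this helper sets up for system installs. If that traffic is covered by an abstraction included above, name it in a comment; if the rules were dropped only because no denial was seen, note that seqpacket denials between these labels are reported against this profile, not the complain-mode flatpak one. Narrowing `@{PROC}/@{pids}/stat r` to `@{pid}` is fine, but the unrestricted `ptrace read,` left as context above it is the rule that actually grants access to other processes' `/proc` entries and could take a `peer=` while this is being tightened.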
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 04eeba521..6332f49e2 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,14 +9,12 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include + include include include + include include include - include - include - include - include include include include @@ -31,6 +29,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 04b08ecc4..02a370cdc 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -14,9 +14,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include - include - include include + include capability sys_ptrace, @@ -67,6 +66,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 83ee32baa..af6f30e9c 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -14,9 +14,9 @@ profile pipewire-media-session @{exec_path} { include include include - include include include + include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index bb48d0c5b..f1ca0fd31 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent 
+++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -13,6 +13,7 @@ include profile polkit-gnome-authentication-agent @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 8a08f02d0..5e7a75a8d 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,8 +11,10 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 206958062..05e4c3ec2 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,21 +14,17 @@ profile pulseaudio @{exec_path} { include include include + include + include include include - include - include - include - include - include include include - include include include + include include include - include include ptrace (trace) peer=@{profile_name}, 
@@ -51,11 +47,26 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=:*, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=ItemRemove + peer=(name=:*, label="@{p_avahi_daemon}"), + dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member={Found,Free} + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, @@ -94,6 +105,7 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, + @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, @@ -101,6 +113,9 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, + /dev/media@{int} r, + /dev/video@{int} rw, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 83652914f..0f6f9abeb 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 201e49f3c..d58385831 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
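Review bot: The pulseaudio `@@ -101,6 +113,9 @@` hunk grants `/dev/video@{int} rw,` and `/dev/media@{int} r,`, i.e. camera and media-controller device access to an audio server, with no comment on what triggered it; together with the `video4linux/video@{int}/uevent` read in the previous hunk this looks like udev enumeration of a USB webcam that also exposes a microphone, which would need the sysfs/uevent reads but not the character devices themselves. Before keeping a camera grant in an audio daemon's profile, confirm from the audit log which module opens the node; if it is real, document it on the line (`/dev/video@{int} rw, # <module> opens the webcam's video node`), and if only the uevent read was needed, drop the two device rules. Write access is more than a probe needs in either case.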
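Review bot: The upower hunk changes `#aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"` to `#aa:dbus own …` for the `upower` command-line client, but `org.freedesktop.UPower` is owned by upowerd (the profile in the next hunk), and an `own` directive presumably expands to a `dbus bind` rule, so at best it is a no-op for the client and at worst it lets a confined `upower` process claim the daemon's well-known name. If the `talk` expansion was missing a call the client makes, fix that on the talk side instead; also check whether the `own` directive honours a `label=` argument at all, since the retained `label="@{p_upowerd}"` suggests a search-and-replace.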
@@ -11,7 +11,7 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 90eb46dc4..7aff8bdd2 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -12,14 +12,13 @@ profile wireplumber @{exec_path} { include include include + include include include - include - include + include include - include include - include + include network bluetooth raw, network bluetooth seqpacket, @@ -27,7 +26,6 @@ profile wireplumber @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} - #aa:dbus own bus=session name=org.pipewire.Telephony dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -49,8 +47,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_state_dirs}/ w, - owner @{desktop_state_dirs}/wireplumber/{,**} rw, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, 
@@ -67,27 +65,27 @@ profile wireplumber @{exec_path} { @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/media/devices/ r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/1/cgroup r, - @{PROC}/1/status r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, /dev/udmabuf rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 031f03ac4..be66f7484 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,20 +9,18 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include - include include + include include include - include + include + include include include include network unix stream, - #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal - #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal - dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* 
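Review bot: `@{PROC}/@{pid}/cgroup r,` in the wireplumber hunk replaces `@{PROC}/1/cgroup r,` and `owner @{PROC}/@{pid}/cgroup r,` but drops the `owner` qualifier, so wireplumber can now read the cgroup of any process rather than only its own and pid 1's. `@{pid}` appears to be a glob rather than the caller's own pid (the unowned `@{PROC}/@{pid}/cmdline r,` context line below uses it the same way), so the narrower pair already covered both previously observed accesses; unless a denial for some third pid was seen, I would keep `@{PROC}/1/cgroup r,` and `owner @{PROC}/@{pid}/cgroup r,`. `/dev/media@{int} rw,` at the end of the hunk is plausible for a media-controller client, but a short comment on why write access is needed would help the next reviewer.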
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ec2cc86be..89acacd34 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,7 +52,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @@ -69,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} mrPx -> child-open, + @{open_path} rPx -> child-open, / r, @{att}/.flatpak-info r, @@ -102,7 +101,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, - @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 30b415204..ca5f62f82 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,12 +9,14 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include + include include include + include include include include - include + include include include include 
@@ -22,7 +24,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include include network unix stream, @@ -35,13 +36,17 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll @@ -80,8 +85,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gtkprint@{rand6} r, owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b7906c5e2..c9585e2ab 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,21 +9,23 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include + include + include include include + include include include include - include + include + include include - include + include include include include include include - include - include include include 
@@ -32,12 +34,18 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk - #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal - dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 2fa8cc01f..62adb343b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index fd05bcee9..cb7edf822 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -8,14 +8,14 @@ abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} flags=(attach_disconnected) { +profile xdg-settings @{exec_path} { include include include @{exec_path} r, - @{sh_path} mr, + @{sh_path} r, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index feb1b9bd6..b2ae65450 100644 
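Review bot: `@{sh_path} r,` in the xdg-settings hunk drops the execute-map permission the interpreter needs: the profile attaches to a shell script (`@{exec_path} r,` plus the `grep`/`basename`/`cat` helpers below), and when the kernel loads the interpreter for it AppArmor still has to allow mapping the interpreter binary executable, which `r` alone does not — I would expect `file_mmap ... requested_mask="m"` denials once the profile is enforced. The conventional form for script profiles in this tree is `@{sh_path} rix,`; the previous `@{sh_path} mr,` also worked. Dropping `flags=(attach_disconnected)` in the same hunk looks fine and is unrelated.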
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,16 +9,18 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include include + include include include - include @{exec_path} mr, @{bin}/xdg-user-dirs-update Px, owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, + owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, owner @{tmp}/dirs-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 09c66d6ac..7177703a9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -9,11 +9,13 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include - include include @{exec_path} mr, + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index bfec4405c..c14af6d6e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -133,9 +133,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, - /dev/ r, /dev/fb@{int} rw, - @{att}/dev/input/event@{int} rw, + /dev/input/event@{int} rw, /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index c0ddcb359..bc1291ef4 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include - include include capability dac_read_search, 
@@ -19,6 +18,10 @@ profile xsetroot @{exec_path} { @{exec_path} mr, + /usr/share/icons/{,**} r, + + owner @{HOME}/.icons/** r, + owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 944d5e1d5..8c6372ba5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,7 +10,6 @@ include profile chrome-gnome-shell @{exec_path} { include include - include include include include @@ -24,6 +23,8 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 59b3c5d40..ac5d6af81 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -13,13 +13,10 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include - include + include + include + include include - include - include - include network netlink raw, @@ -41,26 +38,17 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, @{bin}/deja-dup Px, - /usr/share/gvfs/remote-volume-monitors/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/tmp/ r, /tmp/ r, - @{run}/mount/utab r, - - owner @{PROC}/@{pid}/mountinfo r, - include if exists } diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 1b9051a4a..c9a9d72c9 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory 
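Review bot: `/usr/share/glib-2.0/schemas/gschemas.compiled r,` in the deja-dup-monitor hunk is repeated verbatim in at least six other profiles touched by this commit (chrome-gnome-shell, gnome-browser-connector-host, evolution-addressbook-factory, evolution-calendar-factory, evolution-source-registry, gdm-xsession), each time next to a removed `include` whose target is not legible in this rendering. If the abstraction that used to carry this rule was dropped on purpose, the line belongs in a shared abstraction (the one covering gsettings/dconf access) rather than being copy-pasted per profile; if a retained include still provides it, the duplicate is redundant. Either way a one-line comment such as `# gsettings schema cache, needed without the gsettings abstraction` would record the reason for future cleanups.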
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,11 +11,10 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include - include + include include - include include include include @@ -27,9 +26,7 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -66,6 +63,7 @@ profile evolution-addressbook-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 501685b22..174cb323f 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,7 +9,10 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include + include include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 87cce8fbc..fba734ad4 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,10 +12,8 @@ profile evolution-calendar-factory @{exec_path} { include include include - include - include + include include - include include include include 
@@ -67,6 +65,8 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 0732646b5..a5a1bd414 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,12 +10,11 @@ include profile evolution-source-registry @{exec_path} { include include - include + include + include include - include include include - include include network inet stream, @@ -48,6 +47,8 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 3f958cb7e..4c84fe822 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -17,7 +17,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, - capability fowner, capability fsetid, capability kill, capability net_admin, @@ -55,7 +54,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, - /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, 
@@ -68,17 +66,18 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - @{GDM_HOME}/ rw, - @{GDM_HOME}/** rw, + owner @{GDM_HOME}/block-initial-setup rw, - @{run}/gdm{,3}/ rw, - owner @{run}/gdm{,3}.pid rw, - owner @{run}/gdm{,3}/dbus/ rw, - owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, - - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, + @{run}/gdm{3,}/greeter/ rw, + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, + owner @{run}/gdm{3,}.pid rw, + owner @{run}/gdm{3,}/ rw, + owner @{run}/gdm{3,}/custom.conf r, + owner @{run}/gdm{3,}/dbus/ w, + owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, + owner @{run}/gdm{3,}/gdm.pid rw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index c5e6d4cd5..9d910cdd2 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,11 +42,9 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, - @{PROC}/tty/drivers r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 5d2e3e21e..9a42bcdf1 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session 
@@ -11,15 +11,14 @@ profile gdm-session @{exec_path} { include include include + include include - include - signal receive set=(hup term) peer=gdm-session-worker, - signal receive set=(term) peer=gdm, - signal send set=(term) peer=dbus-session, - signal send set=(term) peer=gnome-session-binary, - signal send set=(term) peer=xorg, - signal send set=term peer=gnome-session, + signal (receive) set=(hup term) peer=gdm-session-worker, + signal (receive) set=(term) peer=gdm, + signal (send) set=(term) peer=dbus-session, + signal (send) set=(term) peer=gnome-session-binary, + signal (send) set=(term) peer=xorg, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 2882c3d9e..03e77816c 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,7 +11,6 @@ profile gdm-xsession @{exec_path} { include include include - include include include @@ -52,6 +51,7 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 3652dd6e9..a3d285e94 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -19,7 +19,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include - include + include + include include include include @@ -32,8 +33,6 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, - @{lib}/*/** rPx, - @{lib}/* rPx, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs deleted file mode 100644 index de9d25a14..000000000 
--- a/apparmor.d/groups/gnome/gjs +++ /dev/null 
@@ -1,133 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. -# -# Therefore, by default, some extension are confined under this profile. To fix -# this, the various programs using gjs must never run gjs as module, they need -# to run it as executable with a specific script. -# -# This currently concerns: -# - gnome-extension-ding (used to not be started as a module) -# - org.gnome.ScreenSaver (simple dbus service) -# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) -# - org.gnome.Shell.Notifications (simple dbus service) -# - org.gnome.Shell.Screencast (simple dbus service) - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - # Only needed by org.gnome.Shell.Extensions - include - include - - # Only needed by gnome-extension-ding - include - include - include - include - include - include - include - include - - unix type=stream peer=(label=gnome-shell), - - signal receive set=(term hup) peer=gdm, - - #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - 
#aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - - @{exec_path} mrix, - - # gnome-extension-ding - @{sh_path} rix, - @{bin}/env rix, - @{bin}/gnome-control-center rPx, - @{bin}/nautilus rPx, - - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, - /usr/share/thumbnailers/{,**} r, - - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/nautilus/scripts/ r, - - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, - - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/dri/ r, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - profile gstreamer { - include - include - include - include - include - - network (bind create getattr setopt getopt) netlink raw, - - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, - 
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, - @{lib}/gstreamer-1.0/gst-plugin-scanner mr, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console new file mode 100644 index 000000000..6d6d6ea85 --- /dev/null +++ b/apparmor.d/groups/gnome/gjs-console 
@@ -0,0 +1,108 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app
+# as well as third party extensions. Therefore, by default, some extension are
+# confined under this profile. The resulting profile is quite broad.
+# This architecture needs to be rethinked.
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gjs-console
+profile gjs-console @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ unix type=stream peer=(label=gnome-shell),
+
+ signal receive set=(term hup) peer=gdm*,
+
+ #aa:dbus own bus=session name=org.freedesktop.Notifications
+ #aa:dbus own bus=session name=org.gnome.ScreenSaver
+ #aa:dbus own bus=session name=org.gnome.Shell.Extensions
+ #aa:dbus own bus=session name=org.gnome.Shell.Notifications
+ #aa:dbus own bus=session name=org.gnome.Shell.Screencast
+
+ #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell
+
+ dbus send bus=session path=/org/gnome/Shell
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gnome-shell),
+ dbus send bus=session path=/org/gnome/Shell
+ interface=org.gnome.Shell.Extensions
+ member=ListExtensions
+ peer=(name=:*, label=gnome-shell),
+
+ @{exec_path} mr,
+
+ @{bin}/ r,
+ @{bin}/* PUx,
+ @{lib}/** PUx,
+
+ /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
+ @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
+
+ /etc/openni2/OpenNI.ini r,
+
+ /usr/share/dconf/profile/gdm r,
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/gnome-shell/{,**} r,
+ /usr/share/thumbnailers/{,**} r,
+
+ /tmp/ r,
+ /var/tmp/ r,
+
+ owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, + owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + owner @{HOME}/ r, + + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/tty rw, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index cd46dd069..1447715b7 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -13,12 +13,10 @@ profile gnome-boxes @{exec_path} { include include include - include include include include include - include include include include @@ -82,6 +80,9 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, + /dev/media@{int} rw, + /dev/video@{int} rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, profile virsh { diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index e95762b6a..95af09ed6 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host 
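Review bot: `@{bin}/* PUx,` and `@{lib}/** PUx,` in the new gjs-console profile let anything running under this interpreter — which, per the TODO at the top of the file, includes third-party shell extensions — execute any program under @{bin} or @{lib} and fall back to unconfined when no dedicated profile exists, so the confinement becomes opt-in for the child. The deleted groups/gnome/gjs profile listed explicit targets (`@{bin}/gnome-control-center rPx,`, `@{bin}/nautilus rPx,` and the gst-plugin-scanner paths confined to a `gstreamer` child profile); I would restore that list and, if a wildcard is unavoidable, prefer `rPx` so unprofiled targets are denied rather than run unconfined. The `signal receive set=(term hup) peer=gdm*,` rule also widens the old `peer=gdm` to any profile name starting with gdm, which deserves a comment if intentional.
```apparmor
  @{exec_path} mr,

  @{bin}/gnome-control-center rPx,
  @{bin}/nautilus rPx,
  @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer,
  @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer,
  @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer,

  # … unchanged: gsconnect rPx rules and the rest of the profile …
  # … the "gstreamer" child profile from the deleted groups/gnome/gjs is needed again for the rCx targets …
```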
@@ -11,7 +11,6 @@ profile gnome-browser-connector-host @{exec_path} { include include include - include @{exec_path} mr, @@ -20,6 +19,8 @@ profile gnome-browser-connector-host @{exec_path} { @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 4ab9b165f..2e553d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -7,10 +7,9 @@ abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} flags=(attach_disconnected) { +profile gnome-calculator @{exec_path} { include include - include include # Needed to get currency exchange rates @@ -20,8 +19,6 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Calculator - @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 2173e3d62..7d6d5246d 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,6 +14,7 @@ profile gnome-calendar @{exec_path} { include include include + include include include include 
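Review bot: Removing `#aa:dbus own bus=session name=org.gnome.Calculator` from the gnome-calculator profile leaves nothing in the visible hunk that grants `dbus bind` for that name, yet gnome-calculator registers it on the session bus as its application id, so single-instance activation and the search provider would be denied unless a retained include (the include targets are not legible in this rendering) covers it. If an abstraction now supplies the own rules, a comment naming it next to the includes would make that explicit; if not, the directive should stay. Dropping `flags=(attach_disconnected)` in the first hunk is a welcome tightening and is independent of this point.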
@@ -23,19 +24,20 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + + dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, @{open_path} rPx -> child-open-help, 
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index b5ae5672a..7ce936e52 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -12,6 +12,7 @@ profile gnome-characters @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 92886c887..bdffedb72 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -12,6 +12,7 @@ profile gnome-clocks @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 9f78fb4fd..1c35a8ec1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,17 +10,18 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include + include include include + include + include include - include + include include include include include include - include include include include 
@@ -38,11 +39,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 - #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -51,7 +51,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" @@ -62,11 +61,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} - dbus send bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), - @{exec_path} mr, @{bin}/@{shells} rUx, 
@@ -94,6 +88,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, + /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, @@ -136,8 +131,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list w, - owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, @@ -197,6 +191,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, + /dev/media@{int} r, + /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 8b813d260..1fa7d7050 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include - include + include include include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index cbd1f1a75..59679deb8 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer 
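Review bot: `/dev/video@{int} rw,` in the last gnome-control-center hunk gives the Settings process read/write access to every capture device, with no comment saying which panel needs it. Device nodes are not user-owned, so `owner` cannot narrow the rule, which makes a why-comment the only way to scope it for the next reviewer, e.g. `# Camera device for the Settings app (which panel? — confirm)`. The profile body continues outside the hunk.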
@@ -9,7 +9,9 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include + include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 6d24e72c1..51c8f5107 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -11,6 +11,7 @@ profile gnome-control-center-search-provider @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index d9959691b..379a887b3 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,15 +9,10 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include - include - include include include include - #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension deleted file mode 100644 index e13eca832..000000000 --- a/apparmor.d/groups/gnome/gnome-extension +++ /dev/null @@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# gjs started from gnome-shell should (in theory) only run gnome extensions. - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gnome-extension { - include - include - include - include - include - include - - @{exec_path} mr, - - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 9f848be8e..695be9f0d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,23 +9,26 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com -@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js +@{exec_path} = @{share_dirs}/{,app/}ding.js profile gnome-extension-ding @{exec_path} { include include + include include include include + include include - include - include - include - include - include + include + include + include + include + include + include + include include include include - include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), @@ -55,8 +58,8 @@ profile gnome-extension-ding @{exec_path} { @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, + owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 2592eb77e..3f57b3035 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -13,20 +13,22 @@ include profile gnome-extension-gsconnect @{exec_path} { include include + include include include + include include include include include - include - include - include - include + include + include + include + include + include include include include - include include include include @@ -73,7 +75,6 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{run}/user/@{uid}/gsconnect/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, 
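Review bot: The new `@{exec_path} = @{share_dirs}/{,app/}ding.js` drops `createThumbnail.js` from the attachment, so that script no longer runs under this profile, while the profile still reads `/usr/share/thumbnailers/` in the following hunk. If the thumbnailer is still spawned from ding.js it will now run under whatever transition the caller's rules give it, which is not visible here. A one-line comment above the assignment stating where createThumbnail.js is confined now would make the narrowing reviewable.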
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7439e0fb6..40b8bc9b5 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -9,10 +9,13 @@ include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include + include include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index e39ef0dc0..6752f54d4 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -15,19 +15,16 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include capability ipc_lock, - signal receive set=(term) peer=gdm, - signal send set=(term) peer=ssh-agent, - - unix type=stream peer=(label=snap.*), + signal (receive) set=(term) peer=gdm, + signal (send) set=(term) peer=ssh-agent, #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} - #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 31d9b7987..0182e9dad 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer 
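Review bot: The rewritten `#aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret` line drops the `path=/org/freedesktop/portal/desktop` constraint that the removed line carried, so the generated ownership rules now cover every object path under that name. If the keyring only implements the Secret portal at that path, keeping `path=/org/freedesktop/portal/desktop` preserves the tighter grant at no cost; if the path was removed to fix a denial, a short comment saying so would explain the widening. The removal of `unix type=stream peer=(label=snap.*)` is a narrowing and looks fine.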
@@ -9,11 +9,12 @@ include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include - include include @{exec_path} mr, + /usr/share/mime/mime.cache r, + owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 257e91c0a..1f29958d1 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -9,21 +9,10 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include - include include - include - include include include - signal receive set=term peer=gdm, - signal receive set=term peer=gdm-session, - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mrix, @{shells_path} rix, @@ -72,8 +61,6 @@ profile gnome-session @{exec_path} { owner @{HOME}/ r, - owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 5359a70df..447c030d6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,16 +9,18 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include + include include - include include + include + include include include include include - include network inet stream, network inet6 stream, 
@@ -26,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal receive set=(term, hup) peer=gdm*, - signal send set=(term) peer=gsd-*, + signal (receive) set=(term, hup) peer=gdm*, + signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @@ -65,7 +67,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, - owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 24c069e72..b7706ccf4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -10,39 +10,41 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include include include include include include + include + include include include include include - include + include + include + include include + include include include + include include - include - include - include - include + include + include include include include include include include - include include - include include - include include include - include + include capability sys_nice, capability sys_ptrace, 
@@ -70,45 +72,48 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity - #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} - #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager - #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications - #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher - # Talk with gnome-shell - # The strategy with dbus rules in this profile is first to declare all communications - # needed on buses and to limit them only to their profiles in apparmor.d. As such, - # only dbus directive is used for this. Later, some communications could be - # restricted. 
- #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding - #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs - #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + # System bus + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=RegisterAuthenticationAgent + peer=(name=:*, label="@{p_polkitd}"), + dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=:*, label="@{p_polkitd}"), + + dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager + interface=org.freedesktop.NetworkManager.AgentManager + 
member={RegisterWithCapabilities,Unregister} + peer=(name=:*, label=NetworkManager), + # Session bus dbus send bus=session path=/org/gnome/** @@ -151,7 +156,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}), + peer=(name=:*), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -162,7 +167,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, @{bin}/flatpak rPx, - @{bin}/gjs-console rPx -> gnome-extension, + @{bin}/gjs-console rPx, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/sensors rPx, @@ -176,13 +181,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} rCx -> shell, @{bin}/pkexec rCx -> pkexec, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, @{lib}/gio-launch-desktop rCx -> open, - @{python_path} rCx -> python, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, + /opt/**/share/icons/{,**} r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, 
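Review bot: The new polkit agent rule only allows `member=RegisterAuthenticationAgent`, while the NetworkManager rule added beside it allows `member={RegisterWithCapabilities,Unregister}`; if gnome-shell also calls the matching unregister method when the session ends, that call will be denied and show up in the audit log. `member={RegisterAuthenticationAgent,UnregisterAuthenticationAgent}` would cover both if it does. Separately, these rules, the `@@ -151` hunk below and gsd-power's `@@ -37` hunk switch peers from `@{busname}` to `name=:*`, while the gsd-print-notifications rules added in this same commit keep `@{busname}`; picking one form for new rules would keep the tree consistent.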
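Review bot: `@{bin}/gjs-console rPx,` now transitions to whatever profile attaches to gjs-console itself rather than to the dedicated `gnome-extension` profile this commit deletes, so extension code spawned by the shell presumably inherits a less specific rule set (the gjs-console profile is not visible here). The deleted profile's header comment explained that gjs started from gnome-shell should only run extensions; a comment on the new line such as `# extension code is confined by the gjs-console profile` would preserve that reasoning at the new transition point.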
@@ -274,23 +279,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, - owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, - owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, + owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @@ -319,6 +323,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features 
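Review bot: `owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,` replaces the `snap.*` prefix with `snap.snap*`, which only matches snaps whose name starts with `snap`, while the file suffix loosens from `@{rand6}` to `*`. If the prefix narrowing is deliberate a comment such as `# snap-store and similar: wayland cursor shm` would document it; if `snap.snap*` is a typo for `snap.*`, the old prefix should be restored. The `applications/org.gnome.Shell.*.desktop` line is only moved, which is fine.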
@@ -334,9 +339,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, - @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, @@ -350,8 +353,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -380,6 +381,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, + /dev/media@{int} rw, /dev/tty@{int} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, @@ -432,15 +434,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } - profile python { - include - include - - # /usr/share/gnome-shell/extensions/{,**} - - include if exists - } - profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 37bb7b374..2f3e51670 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server 
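Review bot: `/dev/media@{int} rw,` gives gnome-shell write access to the media-controller devices, whereas the gnome-control-center hunk earlier in this commit grants the same node `r` only. Reading the device topology presumably needs only `r`, so `/dev/media@{int} r,` would match the sibling profile and be the smaller grant unless the shell actually configures pipelines. If write is required, a trailing comment naming the use would help the next reviewer.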
@@ -11,7 +11,6 @@ profile gnome-shell-calendar-server @{exec_path} { include include include - include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer @@ -36,6 +35,8 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 56e448fd8..51d5b43cf 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,10 +10,11 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include - include @{exec_path} mr, + /usr/share/mime/mime.cache r, + @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 0b1602fbb..71141595b 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,10 +13,11 @@ profile gnome-software @{exec_path} { include include include + include + include include include include - include include include @@ -32,19 +33,13 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" - - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=Changed - peer=(name=@{busname}, label=polkitd), + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" @{exec_path} mr, @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, - @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, 
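Review bot: The rewritten PackageKit line changes the path from `/@{int}_@{hex8}` to `path=/`, so if the `#aa:dbus talk` directive takes the path literally only the root PackageKit object is covered and the transaction objects the old pattern described would be denied. Please check what the directive expands to; if a glob is needed, `path=/{,@{int}_@{hex8}}` keeps both covered. Dropping the explicit polkit `Changed` receive and the `gnome-control-center rPx` line are narrowings and look fine.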
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 152b28ff7..e4ac12011 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -10,8 +10,9 @@ include profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include include - include - include + include + include + include include include @@ -21,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace read, + ptrace (read), - signal send set=(kill term cont stop), + signal (send) set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -74,7 +75,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index fe380dadd..cda4568c1 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,8 +10,11 @@ include profile gnome-terminal-server @{exec_path} { include include + include include + include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 8aa950e2c..c399eadc7 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -10,10 +10,8 @@ include profile gnome-text-editor @{exec_path} { include include - include include include - include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index b7c138285..8176d6c7c 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon 
@@ -12,6 +12,7 @@ profile goa-daemon @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 4509a6159..3992811c2 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 22aaba164..5f05c21da 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include - include include + include + include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -28,6 +27,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1a52321b1..1b12a68cd 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -10,10 +10,13 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include + include include include + include include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0364f3f2b..0190ad9b3 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime 
@@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include - include include + include + include include - include include network inet dgram, @@ -35,6 +34,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 497462a03..35f43a93e 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,12 +11,12 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include + include + include include include include - include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index be27a873e..cbb8ccf71 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,10 +10,13 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include + include include include - include - include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index b299ab7ff..7f02d8bf4 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,19 +10,22 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include + include include include + include include include + include include - include - include + include + include + include include include include include include - include signal (receive) set=(term, hup) peer=gdm*, 
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d3ac6b456..379f7b814 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,24 +10,27 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include include + include include include include + include include include + include include - include + include + include + include include include include include include - include - include - include network inet stream, network netlink raw, @@ -37,22 +40,16 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=@{busname}, label="@{p_upowerd}"), + peer=(name=:*, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Suspend - peer=(name=@{busname}, label="@{p_systemd_logind}"), + peer=(name=:*, label=gsd-xsettings), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 22ec520cb..59123f485 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,13 +9,11 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include include - include - include - include - include - include + include + include include include 
@@ -32,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} + member={ServerStarted,PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session @@ -40,6 +38,24 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member={CacheExhausted,ItemNew} + peer=(name=@{busname}, label=avahi-daemon), + dbus receive bus=system path=/Client4/RecordBrowser3 + interface=org.freedesktop.Avahi.RecordBrowser + member=ItemNew + peer=(name=@{busname}, label=avahi-daemon), + @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index a768c8d1e..b85a40f04 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include include include - include - include - include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 7283c5c00..5f1c13d9d 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill 
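Review bot: The added `dbus receive bus=system path=/Client4/RecordBrowser3 … member=ItemNew` rule is already covered by the generic `path=/Client@{int}/RecordBrowser@{int} … member={CacheExhausted,ItemNew}` rule directly above it, and the literal client and browser numbers look like an unprocessed audit-log entry. This same commit removes a comparable hard-coded `ActiveConnection/3` rule from gsd-sharing, so the four lines should be dropped here as well to keep the profile free of instance-specific paths.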
@@ -15,7 +15,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index ac2f9229d..546a252d7 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -11,7 +11,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 9d432ae13..45b3ea1b9 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,13 +9,12 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include include include include - include - include + include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -31,15 +30,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 - interface=org.freedesktop.NetworkManager.VPN.Connection - member=VpnStateChanged - peer=(name=@{busname}, label=NetworkManager), - @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 5143b9984..bdacbfd00 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard 
@@ -9,14 +9,12 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include - include include + include + include include - include include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -31,7 +29,9 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ff2d30766..871203e6c 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -12,10 +12,9 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include - include signal receive set=(term, hup) peer=gdm*, @@ -30,6 +29,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index bcdb353a8..2359c9f39 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -10,22 +10,14 @@ include profile gsd-usb-protection @{exec_path} { include include - include - include - include include - include - include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + include if exists } 
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 3d4f2cb05..484dda29d 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -10,8 +10,11 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include + include include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index 3a5ee53df..ab2b2b089 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -10,17 +10,10 @@ include profile gsd-wwan @{exec_path} { include include - include include - include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 20151eec0..2e21750b9 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,13 +9,16 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include + include include include - include + include include - include + include + include include include include @@ -40,7 +43,7 @@ profile gsd-xsettings @{exec_path} { dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member={UserAdded,UserDeleted} + member=UserAdded peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index f843d6c14..a32a3d8c3 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx 
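Review bot: In gsd-xsettings, narrowing the Accounts signal rule from `member={UserAdded,UserDeleted}` to `member=UserAdded` will deny the `UserDeleted` signal the same listener presumably receives when an account is removed; a rule cut down to what one log run happened to contain is likely incomplete. If the intent is to track account changes, keep `member={UserAdded,UserDeleted}`, otherwise add a comment stating why only additions are needed. The profile body runs past the hunk.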
@@ -39,7 +39,6 @@ profile kgx @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index ea1566757..049b3c402 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,8 +11,10 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include + include + include include include include @@ -22,7 +24,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, @@ -46,8 +47,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, - /etc/fstab r, - # Allow to search user files owner @{HOME}/ r, owner @{HOME}/{,**} r, @@ -58,11 +57,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner @{GDM_HOME}/ r, - owner @{GDM_HOME}/*/ r, - owner @{gdm_cache_dirs}/tracker3/{,**} rwk, - owner @{gdm_config_dirs}/user-dirs.dirs r, - @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @@ -74,6 +68,9 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, + /dev/video@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index ea55ee902..398b2b679 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include include include + include include include include 
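Review bot: In localsearch, `/dev/media@{int} rw,` and `/dev/video@{int} rw,` hand a file indexer read-write access to cameras and media controllers, which is far more than metadata extraction needs and a handy primitive for anything that compromises the indexer through a crafted file. If these denials come from GStreamer's v4l2 device provider probing at plugin load (inferred, not shown here), indexing works without the devices, so `deny /dev/media@{int} rw,` and `deny /dev/video@{int} rw,` would silence the log without granting the access. Whichever way it goes, a one-line comment naming the source of the access (`# GStreamer v4l2 device probing - TODO confirm`) belongs above it. The enclosing profile runs past the hunk.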
@@ -25,8 +27,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=loupe//bwrap, - #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" dbus send bus=system path=/org/freedesktop/hostname1 diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index d5c83a31b..ae225aa65 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -10,7 +10,10 @@ include profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include + include include + include + include include include include @@ -26,7 +29,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}//fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c405a3bf8..5ad6bb7b5 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,14 +9,16 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include + include include include include + include include include include - include - include + include + include include include include 
@@ -33,7 +35,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell @@ -64,15 +65,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=NameHasOwner peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session - interface=org.freedesktop.Application - member=Open, - - dbus send bus=session path=/org/gnome/Nautilus - interface=org.gtk.Application - member={CommandLine,DescribeAll} - peer=(name=org.gnome.Nautilus, label=nautilus), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index e1bde2238..f084e7b12 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,15 +10,14 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include - include include include include include include - include include include + include network netlink raw, @@ -53,6 +52,8 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, + /dev/media@{int} r, + include if exists } diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 6c4fe6f12..9a22e3de8 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/papers -profile papers @{exec_path} flags=(attach_disconnected) { +profile papers @{exec_path} { include include include @@ -16,31 +16,20 @@ profile papers @{exec_path} flags=(attach_disconnected) { include include - #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 - interface=org.freedesktop.portal.Session - member=Close - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - @{exec_path} mr, @{open_path} Cx -> open, /usr/share/poppler/{,**} r, - /etc/passwd r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, - /tmp/ r, - /var/tmp/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 3195d7f03..838dc940c 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,13 +9,13 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include + include include include - include unix type=stream peer=(label=ptyxis-agent), - #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application + #aa:dbus own bus=session name=org.gnome.Ptyxis @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 6418193a6..cf497e39f 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent 
@@ -10,18 +10,16 @@ include profile ptyxis-agent @{exec_path} { include include - include + include include include - include + include include - signal send set=hup peer=@{p_systemd}, + signal send set=hup peer=unconfined, ptrace read, - unix type=stream peer=(label=ptyxis), - @{exec_path} mr, @{bin}/podman Px, @@ -44,15 +42,8 @@ profile ptyxis-agent @{exec_path} { unix bind type=stream addr=@@{udbus}/bus/systemd-run/, @{bin}/systemd-run mr, - - # The shell is not confined on purpose. @{bin}/@{shells} Ux, - # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop Px, - @{bin}/micro PUx, - @{bin}/nvtop Px, - owner @{run}/user/@{uid}/systemd/private rw, include if exists diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index c34526ee1..2f190dfab 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,15 +9,17 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include - include + include include include + include + include include + include + include include include include - include - include include #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 @@ -32,6 +34,7 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, + /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index b31532cae..aeb46f6c0 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,9 +9,8 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include include - include + include include @{exec_path} mr, 
@@ -22,6 +21,7 @@ profile session-migration @{exec_path} { @{bin}/gsettings rPx, /usr/share/session-migration/scripts/* rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, owner @{gdm_share_dirs}/ w, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e200ecb42..e8612f7b6 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -10,9 +10,9 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include + include include include include @@ -20,7 +20,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include - include include network netlink raw, @@ -74,6 +73,9 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} r, + /dev/video@{int} rw, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 85b7b0d53..6b358c8b0 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,18 +11,17 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include + include + include include include include include include - include include include - include network netlink raw, @@ -87,6 +86,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, + /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 40c23b660..b65823520 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg 
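Review bot: The device rules are inconsistent across the indexer profiles touched in this commit: tracker-miner gets `/dev/media@{int} rw,` while tracker-extract in the hunk above gets `/dev/media@{int} r,` and org.gnome.NautilusPreviewer gets `r` only, and all three grant `rw` on `/dev/video@{int}`. The same media-probing code path is presumably behind every one of them, so either all need `rw` or none does; settle on one form and document it once per profile (`# GStreamer v4l2 device probing - TODO confirm`). An indexer with write access to the webcam device nodes deserves a deliberate decision rather than a copy of the log. The enclosing profile runs past the hunk.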
@@ -29,7 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, @@ -39,7 +39,6 @@ profile gpg @{exec_path} { /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt - /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 6ece8a60b..5e65fe835 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 32136d710..7f50d8b45 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -17,7 +17,7 @@ profile gvfs-afc-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 017a66e84..3f2fb0138 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor 
@@ -17,12 +17,12 @@ profile gvfs-goa-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=goa-daemon), + peer=(name=:*, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index ece97e688..dd03254b1 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -21,7 +21,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index fd3b38012..6fbbc6092 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -20,7 +20,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 80f7f86a9..4ed214b71 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include 
@@ -35,7 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index e3e3edfae..c124c5855 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -18,22 +18,20 @@ profile gvfsd @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker - # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=@{busname}, label=gvfsd-*), + peer=(name=:*, label=gvfsd-*), - # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=@{busname}, label=gvfsd-*), + peer=(name=:*, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 5a1fd1c82..e1b16cac3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,11 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include - include - include - include - include - include include capability chown, 
@@ -23,15 +18,10 @@ profile gvfsd-admin @{exec_path} { capability fowner, capability setuid, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, + /usr/share/mime/mime.cache r, + #aa:lint ignore=too-wide # Full access to system's data, but no write access to sensitive system directories / r, diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index da231f469..68d4b689e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index db6fe5a48..eeaaec059 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index a39e25785..48680f12f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse 
@@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 68b1e7765..918841320 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -10,20 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include - include - include - include - include include include - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index 09062241a..b70fa7110 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 356f8dcd3..0648f5dc0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda 
@@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 667b448c4..6eebca738 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -11,18 +11,9 @@ include profile gvfsd-computer @{exec_path} { include include - include - include - include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index b335724cb..77e1a2f6f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -10,10 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include - include - include - include - include include include include @@ -28,13 +24,6 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, 
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index aad9de3a0..ab786106c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,14 +12,31 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include - include - include - include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 3b36fc4f1..5b7c833a5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -10,10 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include - include - include - include - include include include include @@ -24,13 +20,6 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists 
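Review bot: The new `dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell),` is a strict subset of the path-less Introspect rule that follows it in the trailing context (its member and peer lines fall outside the hunk, so this is inferred) and can be dropped. The hunk also uses three spellings for the same gvfsd peer — `name=:*`, `name="@{busname}"` and `name=@{busname}` — while the rest of this commit standardises on `:*`; pick one form throughout so a later reader does not wonder whether the quoting is meaningful.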
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index f67068f49..2695a1bf7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,9 +11,7 @@ include profile gvfsd-fuse @{exec_path} { include include - include - include - include + include include capability sys_admin, @@ -22,20 +20,20 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterFuse + peer=(name=:*, label=gvfsd), - dbus receive bus=session + dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, - owner @{run}/user/@{uid}/gvfsd-fuse/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, - @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index 819e84c39..eb80f3a7a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 0544000c0..688f03c27 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 
@@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2678bde40..f51ef2afe 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,11 +11,9 @@ include profile gvfsd-http @{exec_path} { include include - include - include - include + include include - # include + include include include include @@ -27,15 +25,25 @@ profile gvfsd-http @{exec_path} { network netlink raw, unix type=stream peer=(label=gnome-shell), - unix type=stream peer=(label=gnome-extension-gsconnect), #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index d1af3c60c..5ffbabb40 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest 
@@ -10,9 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include - include - include - include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 8565856d9..f6f3820bb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,9 +11,6 @@ include profile gvfsd-metadata @{exec_path} { include include - include - include - include include network netlink raw, @@ -21,12 +18,11 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 8d5ad78c5..3c747b8b3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -10,10 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include - include - include - include - include include include include @@ -23,18 +19,10 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, - owner @{HOME}/ r, - owner @{HOME}/** rw, - owner @{MOUNTS}/** rw, + owner @{HOME}/{,**} rw, # FIXME: ? + owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 7874686bc..1af0a2b37 100644 
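Review bot: `owner @{HOME}/{,**} rw, # FIXME: ?` in the gvfsd-mtp hunk widens the home directory itself from `r` to `rw` (the removed rules were `owner @{HOME}/ r` and `owner @{HOME}/** rw`), and the `FIXME: ?` comment does not say what is undecided. Write access on `@{HOME}/` lets the daemon create, remove and rename entries at the top level of the home, which the old rule did not allow, so either keep the split `owner @{HOME}/ r,` / `owner @{HOME}/** rw,` or record why the wider access is needed, e.g. `# FIXME: rw on @{HOME}/ itself observed for <operation>; narrow once confirmed`. The same widening is applied on the next line, where `owner @{MOUNTS}/** rw` becomes `owner @{MOUNTS}/{,**} rw` and now covers the directory itself.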
--- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,22 +11,41 @@ include profile gvfsd-network @{exec_path} { include include - include - include - include + include + include include - include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name="@{busname}", label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name="@{busname}", label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}), + @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index aae859d73..575d9de39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -10,23 +10,12 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include - include - include - include - include include network inet stream, network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists 
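Review bot: The new `dbus send bus=session path=/org/gtk/vfs/Daemon ... member=GetConnection peer=(name=@{busname}),` in the gvfsd-network hunk is the only added dbus rule in this series with no `label=` on the peer, so any session-bus client holding a matching unique name is an acceptable target, while every sibling rule in this hunk and in the gvfsd-sftp and gvfsd-wsdd hunks pins the label. The gvfsd-wsdd hunk later in this diff receives `GetConnection` from `label=gvfsd-network`, which suggests `peer=(name=@{busname}, label=gvfsd-wsdd),` as at least one concrete peer; if several mount daemons can be the target, list the known ones or add a comment stating why the label must stay open. Separately, this hunk mixes `name="@{busname}"` and `name=@{busname}` for the same variable; one form should be used throughout.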
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ca59d75cd..1219c8cbd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,16 +11,27 @@ include profile gvfsd-recent @{exec_path} { include include - include - include - include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 862ef88aa..76bb55e98 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp 
@@ -11,21 +11,34 @@ include profile gvfsd-sftp @{exec_path} { include include - include - include - include + include include include include - include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gnome-extension-gsconnect), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=nautilus), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 9d99a43af..24891e9c3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -10,10 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include - include - include - include - include include include @@ -23,13 +19,6 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, /etc/samba/smb.conf r, 
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 66099563e..59d778133 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,11 +11,8 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include - include - include + include include - include include network netlink raw, @@ -25,15 +22,21 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name="@{busname}", label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 070c41a84..e13f870c7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,9 +11,7 @@ include profile gvfsd-trash @{exec_path} { include include - include - include - include + include include include include 
@@ -23,12 +21,26 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name="@{busname}", label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name="@{busname}", label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 4ea39c7d0..0dee4e73b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd 
@@ -11,16 +11,31 @@ profile gvfsd-wsdd @{exec_path} { include include include - include - include - include + include + include include - network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name="@{busname}", label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-network), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -32,7 +47,6 @@ profile gvfsd-wsdd @{exec_path} { @{bin}/env mr, @{bin}/wsdd rPx, - @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/wsdd rw, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 6d0674d9f..3cb8dca92 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,11 +9,12 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include - include include @{exec_path} mr, + /usr/share/icons/** r, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 7becc5fb6..a46d53f4c 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker 
@@ -9,11 +9,12 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include - include @{exec_path} mr, @{bin}/wl-copy Px, + /usr/share/icons/** r, + owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, owner /dev/shm/@{uuid} r, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index b5e1b4ae8..2307c709f 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,8 +10,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include + include include include + include include include include @@ -32,7 +34,6 @@ profile DiscoverNotifier @{exec_path} { @{exec_path} mr, @{bin}/apt-config rPx, - @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 33660a776..64372f497 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,7 +10,9 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include include + include include include include diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 022c0beec..2d3b099d7 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -25,11 +25,7 @@ profile dolphin @{exec_path} { network netlink raw, - signal send set=hup peer=@{p_systemd}, - signal send set=term peer=kioworker, - - ptrace read peer=@{p_systemd}, - ptrace read peer=okular, + signal (send) set=(term) peer=kioworker, @{exec_path} mr, @@ -113,11 +109,10 @@ profile dolphin @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty rw, + /dev/tty r, include if exists } 
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index dbca9fcf5..b30e39cdc 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,8 +9,11 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include include + include include + include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 1fdb4b920..4b1e734ed 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,7 +10,9 @@ include profile kaccess @{exec_path} { include include + include include + include include include include @@ -22,11 +24,15 @@ profile kaccess @{exec_path} { @{bin}/gsettings rPx, + /usr/share/icons/{,**} r, + /etc/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, + owner @{user_share_dirs}/mime/generic-icons r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1cc6b41d1..ead285e5f 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,6 +11,7 @@ include profile kactivitymanagerd @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 59f60c285..4f8b10a32 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -11,6 +11,7 @@ profile kcminit @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 6a01748fd..ee42fef98 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -12,6 +12,7 @@ profile kconf_update @{exec_path} { include include include + include include include include 
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 7d6daeda6..01706e649 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,15 +11,17 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include include include + include include include + include include include include include - include capability wake_alarm, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 678c64e71..93c70329e 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -9,18 +9,21 @@ include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include - include #aa:only apt include + include include include + include + include include include include - include + include #aa:only apt include include include include + include include include include diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 156bdf928..b9c09d0c6 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,7 +9,9 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 571581059..cf9646051 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,6 +20,9 @@ profile kiod @{exec_path} { @{exec_path} mr, + /usr/share/icons/breeze/index.theme r, + /usr/share/mime/{,**} r, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 0fc81a764..71465df97 100644 
--- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,7 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs{,.bin} rix, + @{bin}/gs rix, #aa:exec kio_http_cache_cleaner diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 446d8a08d..fa55e177d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -11,7 +11,9 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include + include include include include diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index e44ee1f83..00b4c9630 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,7 +10,9 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include + include include + include include include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 192d3f957..ddd14b5c2 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,15 +13,15 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include + include + include include include include include include include - include network netlink raw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 09a228e29..f4d54c295 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,6 +11,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 711da6e9d..e46237c2a 100644 
--- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,8 +11,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include + include include include include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 770625988..ea80e28cd 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,7 +9,9 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include + include include + include include include include diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 04d084d0c..fa0f88f75 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 0a685d8e5..de175635a 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,10 +11,13 @@ include profile kwalletd @{exec_path} { include include + include include + include include include include + include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 224835ac2..e2e3ecfe0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,8 +10,10 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include include + include include include include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8cc233ff2..f4f955a4f 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include include include include @@ -40,7 +41,6 @@ profile kwin_x11 @{exec_path} { /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, - /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index a2ffad26f..acd9b7430 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -23,8 +23,6 @@ profile okular @{exec_path} { network netlink raw, - ptrace read peer=@{p_systemd}, - signal send set=term peer=kioworker, @{exec_path} mr, @@ -71,7 +69,7 @@ profile okular @{exec_path} { owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, @@ -84,7 +82,6 @@ profile okular @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, profile gpg { include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 600d1be48..e767d7bb5 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,11 +11,14 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include + include include include include + include include include include @@ -28,7 +31,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include userns, 
@@ -75,6 +77,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { #aa:exec kioworker + /opt/**/share/icons/{,**} r, + /opt/*/**/*.desktop r, + /opt/*/**/*.png r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 1b8930f06..08835eaf0 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include include include - include include capability audit_write, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 47383bb75..c9aca546a 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -13,13 +13,13 @@ profile sddm-greeter @{exec_path} { include include include + include include include include include include include - include network netlink raw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 64e332dc5..5db93719c 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -12,7 +12,7 @@ profile startplasma @{exec_path} { include include include - include + include include include @@ -48,6 +48,8 @@ profile startplasma @{exec_path} { /etc/xdg/plasma-workspace/env/{,*} r, /etc/xdg/plasmarc r, + /var/lib/flatpak/exports/share/mime/ r, + @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 9558a6528..a78225b67 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,7 +10,9 @@ include profile systemsettings @{exec_path} { include include + include include + include include include include 
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 5c36f579e..93259822e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,7 +9,9 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include + include include + include include include include diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index a9a75aa90..8729b1abb 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/lxqt-globalkeysd profile lxqt-globalkeysd @{exec_path} { include + include include include diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 5783c1fa0..9477c1bda 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -14,6 +14,7 @@ profile lxqt-runner @{exec_path} { @{exec_path} mr, + /usr/share/icons/ r, /usr/share/desktop-directories/ r, /usr/share/desktop-directories/{,**} r, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 910ea7c5f..3a4a6cd61 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -11,6 +11,7 @@ include profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -46,6 +47,7 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-user-dirs-update rPx, /usr/share/ r, + /usr/share/mime/ r, /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 3ae907116..a708e2336 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt 
@@ -31,6 +31,7 @@ profile startlxqt @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices5/{,**} r, + /usr/share/mime/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,**} r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fca80465d..f27449e77 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -11,7 +11,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -48,23 +48,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}), - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=gnome-control-center), - - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=nm-online), - dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action2 @@ -80,11 +63,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member={InterfacesAdded,InterfacesRemoved} peer=(name=org.freedesktop.DBus), - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=cockpit-bridge), - @{exec_path} mr, @{sh_path} rix, 
@@ -106,14 +84,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, /usr/share/netplan/netplan.script rPx, - @{lib}/netplan/@{int2}-network-manager-all.yaml w, - /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, - /etc/netplan/ r, - /etc/netplan/90-NM-@{uuid}.yaml r, - @{att}/ r, /etc/ r, @@ -137,9 +110,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/rfkill/ r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/resolve/io.systemd.Resolve rw, - @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @@ -164,7 +135,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 133e4bc00..639d3ce4b 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,6 +15,9 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include + include + include + include include network inet stream, diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index a0fad0a93..5855131a8 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -9,12 +9,9 @@ include @{exec_path} = /usr/share/netplan/netplan.script profile netplan @{exec_path} flags=(attach_disconnected) { include - include include include - #aa;dbus owb bus=system name=io.netplan.Netplan - @{exec_path} mr, @{lib}/netplan/generate rPx, @@ -23,8 +20,6 @@ profile netplan @{exec_path} flags=(attach_disconnected) { /usr/share/netplan/{,**} r, - /etc/netplan/{,*} r, - @{run}/netplan/ r, profile udevadm { 
@@ -47,10 +42,6 @@ profile netplan @{exec_path} flags=(attach_disconnected) { capability net_admin, - ptrace read peer=@{p_systemd}, - - @{run}/udev/control rw, - include if exists } diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index cea17b81c..74ed20aaf 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -26,8 +26,6 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, - @{run}/NetworkManager/conf.d/netplan.conf rw, - @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index b4da14960..6065a12da 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -16,25 +16,11 @@ profile nmcli @{exec_path} { capability sys_nice, #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=@{busname}, label=NetworkManager), - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=@{busname}, label=NetworkManager), - dbus send bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{pager_path} rPx -> child-pager, - /etc/netplan/* r, - owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 2a513b84e..b5a6b83ef 100644 
--- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -66,8 +66,6 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, - /dev/net/tun rw, - profile update-resolv { include include diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 0650470ac..1d81292fd 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,6 +1,5 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken -# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,18 +9,9 @@ include @{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include - include - - capability setgid, - capability setuid, @{exec_path} rm, - /etc/netconfig r, - - @{run}/rpcbind.lock rwkl, - @{run}/rpcbind/*.xdr rwkl, - include if exists } diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index d68c0b832..8331951e7 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -41,9 +41,6 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, - @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, - @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, - owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index eef992666..cab9eed4b 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, 
@@ -19,18 +20,17 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk ix, - @{bin}/cat ix, - @{bin}/cmp ix, - @{bin}/find ix, - @{bin}/locate ix, - @{bin}/pacman ix, - @{bin}/pacman-conf Px, - @{bin}/pacsort ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/tput ix, - @{editor_path} Cx -> editor, + @{bin}/{m,g,}awk rix, + @{bin}/cat rix, + @{bin}/cmp rix, + @{bin}/find rix, + @{bin}/locate rix, + @{bin}/pacman rix, + @{bin}/pacman-conf rPx, + @{bin}/pacsort rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/tput rix, # packages files / r, @@ -44,15 +44,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, - profile editor { - include - include - - /etc/** rw, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 41b45c9d0..427ac0141 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman 
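Review bot: The `@{editor_path} Cx -> editor` transition is dropped from the exec list (and the `editor` child profile goes with it in the next hunk), but nothing on the new side replaces it; pacdiff exists to open `.pacnew`/`.pacsave` files in `$DIFFPROG`/`$MERGEPROG`, so unless the include added at the top of the profile (its name is not visible in the diff) carries an editor exec rule, that code path will now be denied. If the include does cover it, a comment next to the exec list such as `# editor/merge program exec comes from the editor abstraction` would make that visible to the next reader. Separately, `@{bin}/pacman rix` keeps pacman inline under pacdiff's confinement (with its `dac_read_search`/`mknod` capabilities) while `pacman-conf` gets `rPx`; since pacman has its own profile in this tree, `@{bin}/pacman rPx,` would be the consistent choice.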
@@ -46,49 +46,71 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - # Pacman's keyring - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, - # Common program found in hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/dot ix, - @{bin}/filecap ix, - @{bin}/getent ix, - @{bin}/gettext ix, - @{bin}/gzip ix, - @{bin}/rsync ix, - @{bin}/setfacl ix, - @{bin}/tput ix, - @{bin}/vercmp ix, - @{bin}/which{,.debianutils} ix, - @{bin}/xmlcatalog ix, - @{sbin}/iconvconfig ix, - @{sbin}/iscsi-iname ix, - @{sbin}/setcap ix, - - @{bin}/dbus-send Cx -> bus, - @{bin}/gdbus Cx -> bus, - @{bin}/killall Cx -> pkill, - @{bin}/kmod Cx -> kmod, - @{bin}/pkill Cx -> pkill, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/ldconfig Cx -> ldconfig, - - #aa:lint ignore=too-wide - # Hooks & install scripts can legitimately start/restart anything - # PU is only used as a safety fallback. 
- @{bin}/** PUx, - @{sbin}/** PUx, - /opt/*/** PUx, - /etc/** PUx, - /usr/share/** PUx, - - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, - @{lib}/systemd/systemd-* Px, - @{lib}/vlc/vlc-cache-gen Px, + # Pacman hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/appstreamcli rPx, + @{bin}/arch-audit rPx, + @{bin}/archlinux-java rPx, + @{bin}/bootctl rPx, + @{bin}/cert-sync rPx, + @{bin}/checkrebuild rPUx, + @{bin}/dconf rPx, + @{bin}/dot rix, + @{bin}/fc-cache{,-32} rPx, + @{bin}/filecap rix, + @{bin}/gdbus rix, + @{bin}/gdk-pixbuf-query-loaders rPx, + @{bin}/getent rix, + @{bin}/gettext rix, + @{bin}/ghc-pkg-@{version} rPx, + @{bin}/gio-querymodules rPx, + @{bin}/glib-compile-schemas rPx, + @{sbin}/groupadd rPx, + @{bin}/gtk-query-immodules-* rPx, + @{bin}/gtk{,4}-update-icon-cache rPx, + @{sbin}/iconvconfig rix, + @{bin}/install-catalog rPx, + @{bin}/install-info rPx, + @{sbin}/iscsi-iname rix, + @{bin}/journalctl rPx, + @{bin}/killall rix, + @{sbin}/ldconfig rix, + @{sbin}/locale-gen rPx, + @{bin}/limine-install rPUx, + @{bin}/mkinitcpio rPx, + @{sbin}/needrestart rPx, + @{bin}/pacdiff rPx, + @{bin}/pacman-key rPx, + @{bin}/pkgfile rPUx, + @{bin}/pkill rix, + @{bin}/rsync rix, + @{bin}/sbctl rPx, + @{sbin}/setcap rix, + @{bin}/setfacl rix, + @{sbin}/sysctl rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-* rPx, + @{bin}/tput rix, + @{bin}/update-ca-trust rPx, + @{bin}/update-desktop-database rPx, + @{sbin}/update-grub rPx, + @{bin}/update-mime-database rPx, + @{bin}/vercmp rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xmlcatalog rix, + @{lib}/systemd/systemd-* rPx, + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, + @{lib}/vlc/vlc-cache-gen rPx, + /opt/Mullvad*/resources/mullvad-setup rPx, + /usr/share/code-features/patch.py rPx, + /usr/share/code-marketplace/patch.py rPx, + /usr/share/libalpm/scripts/* rPUx, + /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, # For shell pwd, keept as it can annoy users to see error 
in pacman output /**/ r, @@ -174,8 +196,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, - ptrace read peer=@{p_systemd}, - signal send set=cont peer=child-pager, signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal receive set=(term winch) peer=makepkg//sudo, @@ -187,66 +207,11 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/*.journal* r, include if exists } - profile bus { - include - include - include - - @{bin}/gdbus rix, - - include if exists - } - - profile pkill { - include - include - - @{bin}/killall mr, - @{bin}/pkill mr, - - include if exists - } - - profile kmod { - include - include - - include if exists - } - - profile ldconfig { - include - include - - @{sh_path} rix, - @{sbin}/ldconfig mrix, - - @{lib}/ r, - /usr/local/ r, - /usr/local/lib/ r, - - /opt/cuda/**/@{lib}/ r, - /opt/cuda/**/@{lib}/@{multiarch}/ r, - - /etc/ld.so.cache rw, - /etc/ld.so.cache~ rw, - - /var/cache/ldconfig/ rw, - owner /var/cache/ldconfig/aux-cache* rw, - - include if exists - } - include if exists include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 3e916efe3..ee23781f4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code 
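Review bot: `/usr/share/libalpm/scripts/* rPUx` (together with the `checkrebuild`, `limine-install`, `pkgfile` and `mktexlsr` entries) still falls back to running unconfined whenever no profile matches, and that scripts directory is populated by arbitrary packages, so the root exec path the old `@{bin}/** PUx` catch-all opened is narrowed here but not closed. This tree already has dedicated `pacman-hook-*` profiles (two are touched later in this diff), so `rPx` with a comment listing which hook scripts still lack a profile — or at least keeping `#aa:lint ignore=too-wide` with a one-line justification — would stop the fallback from being silent. `@{sbin}/ldconfig rix`, `@{bin}/killall rix`, `@{bin}/pkill rix` and `@{bin}/gdbus rix` now run inside pacman's own profile with its capabilities, whereas the `ldconfig`/`pkill`/`bus` child profiles removed further down confined them and carried the `/etc/ld.so.cache`, `/proc` and D-Bus rules they need; those rules are not visible on the new side, so inline execution will likely produce denials. `@{bin}/kmod` (previously `Cx -> kmod`) is dropped without a replacement. The pacman profile continues beyond the visible hunks.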
@@ -19,7 +19,6 @@ profile pacman-hook-code @{exec_path} { @{python_path} rix, @{lib}/code/product.json rw, - @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 860fb34ea..0878385c5 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -46,8 +46,6 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, capability sys_resource, - ptrace read peer=@{p_systemd}, - signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index fa00311cd..c2de7f8b6 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -65,9 +65,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index ef14d9ca9..d59fde5e5 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -105,14 +105,12 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/oom_{,score_}adj r, @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/task/ r, 
diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index d10c1e772..489f55bd7 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pgrep -profile pgrep @{exec_path} flags=(attach_disconnected) { +profile pgrep @{exec_path} { include include include diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 7663cbf5d..1d9ae50cb 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -34,7 +34,6 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 9530b8594..927d7a3da 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{bin_dirs}/snap profile snap @{exec_path} flags=(attach_disconnected) { @@ -17,19 +17,13 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include include - include capability chown, capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, - capability sys_ptrace, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, network netlink raw, ptrace read peer=snap.*, 
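Review bot: Dropping the `{,x}` alternative from `@{bin_dirs}` and `@{lib_dirs}` means snap revisions installed locally with `snap install --dangerous` (snapd numbers those `x1`, `x2`, … under `/snap/snapd/` and `/snap/core/`) no longer match `@{exec_path}` or the `rPx` transitions to `snap-confine`/`snap-seccomp`/`snapd`, so a sideloaded snapd or core snap would either run unconfined or have its child execs denied. The same change is repeated for snap-discard-ns, snap-failure, snap-seccomp, snap-update-ns, snapd and the snapd-aa-prompt-* profiles below, so it is clearly intentional; a comment on the variable such as `# x@{int} revisions (sideloaded snaps) are intentionally not covered` — or keeping the `x` prefix — would make that security choice explicit. The following snap hunk on this line also drops `capability sys_ptrace` and every `network inet*` rule; if the CLI still needs network for `snap download` or store queries, those denials will show up in enforce mode.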
@@ -42,7 +36,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings - #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -65,11 +59,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rCx -> run, # Start snap from the cli - @{bin}/unsquashfs rCx -> unsquashfs, @{bin}/xdg-settings rCx -> xdg-settings, - @{bin_dirs}/xdelta3 ix, - @{lib_dirs}/** mr, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, @@ -88,9 +80,6 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{HOME}/.snap/{,**} rw, @{HOME}/snap/{,**} rw, - @{user_pkg_dirs}/** r, - - owner @{tmp}/read-file@{int}/unpack/{,**} w, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, @@ -187,30 +176,14 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include - capability net_admin, - network unix stream, - network (send receive) netlink raw, - @{run}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/private rw, include if exists } - profile unsquashfs { - include - - @{bin}/unsquashfs mr, - - /**.snap r, - - owner /tmp/read-file@{int}/unpack/{,**} w, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns index 0ccb3f1c7..38396f3eb 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns 
@@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/groups/snap/snap-failure index bed3a2d12..edc9845e8 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 90c1724be..2a14fd583 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp profile snap-seccomp @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 5d08a4240..157651ac3 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { 
@@ -34,24 +34,17 @@ profile snap-update-ns @{exec_path} { @{lib_dirs}/**.so* mr, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - - /usr/share/xml/ r, - /usr/share/xml/iso-codes/ rw, + /usr/share/xml/iso-codes/ w, /var/lib/snapd/mount/{,*} r, / r, /tmp/ r, - @{lib}/ r, /usr/ r, /usr/local/ r, /usr/local/share/ r, /usr/local/share/doc/ rw, /usr/local/share/fonts/ rw, - /usr/share/ r, - /usr/share/drirc.d w, - /usr/share/X11/ r, - /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 87e535b3f..7e2c288b6 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { @@ -97,11 +97,9 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/ rw, - /usr/share/dbus-1/{system,session}.d/snapd* rw, + /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**} r, - /usr/share/polkit-1/actions/snap.*.policy* rw, + /usr/share/polkit-1/actions/{,**/} r, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -149,7 +147,6 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, - @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, @@ -191,8 +188,6 @@ profile snapd @{exec_path} { network netlink raw, - ptrace read peer=@{p_systemd}, - /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, 
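Review bot: `/usr/share/polkit-1/actions/{,**/} r` matches only directories, so the new side has neither the read of existing `.policy` files nor the former `snap.*.policy* rw`; as far as I recall snapd writes `snap.<name>.interface.<iface>.policy` into that directory for snaps plugging the `polkit` interface, so connecting that interface would now fail. If the write was dropped deliberately, keep at least the file read (`/usr/share/polkit-1/actions/{,**} r,`) and add a comment stating that the polkit interface is unsupported under this profile. The `@{run}/user/@{uid}/snap.*/{,**} rw` removal in the later hunk on this line is worth checking the same way, since `@{run}/user/snap.*/{,**} rw` is kept while the per-uid variant goes. The snapd profile extends beyond the visible hunks.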
@@ -233,12 +228,6 @@ profile snapd @{exec_path} { @{sbin}/runuser mr, - @{sh_path} ix, - @{bin}/gzip ix, - @{bin}/tar ix, - - owner @{HOME}/snap/*/{,**} r, - include if exists } diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener index 37730ba6f..7b9adced7 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui index 99dc98efe..0d26f42d3 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 47b939fa0..63251a976 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 0d6826490..bf71a8463 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -12,7 +12,6 @@ profile ssh @{exec_path} { include include include - include include network inet stream, 
@@ -44,8 +43,6 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner @{tmp}/krb5cc_* rwk, - audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 9fc2900b4..f6732b1cf 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -13,7 +13,6 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, - signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 738268b0a..b55824e58 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,13 +15,10 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, - @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, - /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ rw, - owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, owner /tmp/snapd@{int}/*_*{,.pub} w, owner /tmp/snapd@{int}/*.key{,.pub} w, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 633076ad6..63f2c1370 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,8 +69,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sbin}/sshd.hmac r, - @{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/false ix, @{sbin}/nologin Px, @@ -104,7 +102,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, 
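Review bot: Removing `@{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper` from ssh-keygen leaves no exec rule for the FIDO helper, so `ssh-keygen -t ed25519-sk`/`ecdsa-sk` and `ssh-keygen -K` will be denied when the helper is spawned; nothing on the new side takes its place. If security-key support is intentionally out of scope, say so next to `@{exec_path} mr,` with `# no ssh-sk-helper: FIDO/U2F keys unsupported`, otherwise keep the transition. The consolidated `owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw` also drops the `l -> @{HOME}/@{XDG_SSH_DIR}/*` link permission the old rule carried, presumably for a reason; a run in enforce mode generating a key into `~/.ssh` would confirm whether it is still needed.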
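Review bot: `@{sbin}/sshd.hmac r` is dropped from sshd; that file appears to be the FIPS integrity HMAC read at startup on FIPS-enabled OpenSSL builds, so on such systems sshd would fail its self-check with a denial — if those distributions are in scope, keep the rule with a comment like `@{sbin}/sshd.hmac r,  # FIPS self-check`. The narrowing of `authorized_keys*` to `authorized_keys{,.*}` is a good tightening. The sshd profile extends beyond the visible hunks.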
diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index ee6a2f903..12e7d8930 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -18,7 +18,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{MOUNTS}/*/, mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), @{exec_path} mr, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index e3fcb1931..abfab75d7 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -41,7 +41,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include capability sys_ptrace, @@ -246,6 +245,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, + /dev/uinput w, deny /opt/** r, @@ -353,6 +353,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/version r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update index 9767a2e72..557e4ab6e 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -13,8 +13,7 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/cgroup r, include if exists } 
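Review bot: `/dev/uinput w` lets steam create virtual input devices and therefore inject arbitrary keystrokes and mouse events into every session on the machine, which is a generic confinement-escape primitive (typing into a terminal) rather than a game-specific resource. Steam Input legitimately needs it for virtual controllers, so the rule is defensible, but it should carry a comment that records the trade-off: `/dev/uinput w,  # Steam Input virtual controllers; this is system-wide input injection`. The `kernel_max` and `tty@{int}/active` reads added in the second steam hunk are harmless. The steam profile extends well beyond the visible hunks.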
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index ff4c74664..8e3ebb6b3 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -10,13 +10,14 @@ include profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include - include include capability net_admin, @{exec_path} mr, + @{system_share_dirs}/applications/*.desktop r, + @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index eed7080f8..04ed76e72 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} flags=(attach_disconnected) { include + include include include + include include include include diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 06969ef47..d1ee1141c 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -68,7 +68,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 9792fb75f..0d46dbfed 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} flags=(attach_disconnected) { +profile localectl @{exec_path} { include include include diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 061b93ffd..db1854f1f 100644 --- a/apparmor.d/groups/systemd/systemd-coredump 
+++ b/apparmor.d/groups/systemd/systemd-coredump @@ -52,7 +52,6 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, - @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -60,11 +59,9 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, - @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b49c20fc..01e49025f 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,10 +11,11 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include + include - capability sys_ptrace, + capability net_admin, - ptrace read peer=@{p_systemd}, + network netlink raw, @{exec_path} mr, @@ -31,22 +32,11 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, - @{sys}/hypervisor/type r, - @{PROC}/1/environ r, - @{PROC}/device-tree/ r, - @{PROC}/device-tree/compatible r, - @{PROC}/device-tree/hypervisor/compatible r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sysinfo r, @{PROC}/xen/capabilities r, /dev/cpu/@{int}/msr r, - deny capability net_admin, - deny capability perfmon, - deny network (send receive) netlink raw, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 1bbb91858..0381b93b1 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect 
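Review bot: systemd-detect-virt now gets `capability net_admin` and `network netlink raw` where the old side carried explicit `deny capability net_admin` and `deny network (send receive) netlink raw` rules, i.e. those requests had previously been judged spurious and silenced; detect-virt only inspects cpuid, DMI, `/proc` and `/sys` to identify a hypervisor or container, so this is a privilege broadening with no visible justification — keep the deny rules, or add a comment naming the code path that needs netlink. The second hunk on this line also drops `@{PROC}/1/environ r`, which as far as I know is how systemd detects a `container=` environment when `/run/systemd/container` is absent, plus the `/proc/device-tree/*` and `/proc/sysinfo` reads used on ARM/ppc/s390 hosts; unless an abstraction now covers them, `systemd-detect-virt --container` will misreport there. Replacing `capability sys_ptrace`/`ptrace read peer=@{p_systemd}` with an include looks like the intended fix; the net_admin change seems unrelated to it.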
@@ -27,7 +27,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - ptrace read peer=@{p_systemd}, + ptrace read peer=unconfined, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 8fae34b29..01d04989b 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -44,8 +44,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_serial r, - @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index e0a8a2e47..ad3d96990 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted network netlink raw, - ptrace read, + ptrace (read), @{exec_path} mr, @@ -82,7 +82,6 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index cefab3890..e98bef009 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed 
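Review bot: `ptrace read peer=unconfined` replaces `peer=@{p_systemd}` in systemd-dissect; that variable appears to exist precisely to abstract over whether PID 1 is confined, so hard-coding `unconfined` both breaks the case where systemd runs under its own profile and widens the read target from one process to every unconfined process on the system. Unless dissect needs to read something other than PID 1, keep `ptrace read peer=@{p_systemd},`; if the real target is some unconfined helper, name it in a comment. Elsewhere in this diff the same `@{p_systemd}` rule is simply removed (netplan, pacman, pacman-hook-systemd, snapd), so one consistent treatment across the profiles would help.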
@@ -24,30 +24,18 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/cat ix, - @{bin}/gzip ix, - @{bin}/localedef ix, - @{bin}/rm ix, - @{bin}/sort ix, - @{sbin}/locale-gen rPx, - - /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, - /etc/ r, /etc/.#locale.conf@{hex16} rw, - /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, /etc/locale.conf rw, - /etc/locale.gen rw, - /etc/nsswitch.conf r, - /etc/passwd r, /etc/vconsole.conf rw, /etc/X11/xorg.conf.d/ rw, /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 6b102829d..271354633 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -124,22 +124,19 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, - @{att}/dev/dri/card@{int} rw, - + /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index a2115a926..c791e6375 100644 
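Review bot: The added `/usr/share/xkeyboard-config-2/{,**} r,` duplicates the identical context line a few rules further down in the same hunk, so one of the two should go. Separately, the removed `@{sbin}/locale-gen rPx,` and `/etc/locale.gen rw,` look like the Debian-patched localed behaviour of regenerating locales on `SetLocale`; if that is still expected on Debian/Ubuntu builds, the removal will break it under enforcement, so please confirm it was intentional. The enclosing profile continues outside the hunk.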
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace read, + ptrace (read), mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 0d061d845..747527776 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -10,10 +10,11 @@ include profile systemd-path @{exec_path} { include include - include @{exec_path} mr, + owner @{user_config_dirs}/user-dirs.dirs r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 73213160b..96b182e5f 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -23,8 +23,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{bin}/mount rix, - @{etc_ro}/blkid.conf r, - @{etc_ro}/blkid.conf.d/{,**} r, + /etc/blkid.conf r, /etc/fstab r, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 34e7255ab..bf983ea7a 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -13,7 +13,6 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include capability net_admin, - capability sys_admin, capability sys_ptrace, network netlink raw, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a55bf752d..d7c61e336 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep 
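Review bot: In systemd-remount-fs, `/etc/blkid.conf r,` replaces `@{etc_ro}/blkid.conf r,` and also drops `@{etc_ro}/blkid.conf.d/{,**} r,` entirely; other profiles in this diff (cockpit-session's `@{etc_ro}/environment r,`) still use `@{etc_ro}`, so the literal prefix is inconsistent with the repository's convention for read-only configuration paths and loses whatever alternate etc location that variable covers. If the `.d` directory was never read, dropping it is fine, but the prefix should stay as `@{etc_ro}/blkid.conf r,`. The enclosing profile continues outside the hunk.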
@@ -19,8 +19,6 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} mr, - @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 5b9c51dbe..4cbe61755 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,8 +13,6 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{lib}/pm-utils/power.d/*hdparm-apm ix, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index e29a41a7a..94e2e8daf 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -12,9 +12,6 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, - @{lib}/sysstat/sa{1,2} Px, - @{lib}/sysstat/debian-sa{1,2} Px, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index c2c107b1f..4f2cce637 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -11,7 +11,6 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, - @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index b65f2b7af..ffed031b5 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated 
@@ -23,14 +23,6 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={DisableUnitFiles,EnableUnitFiles} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={JobRemoved,Reload,StartUnit,StopUnit} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index cb9592d47..62bada2a8 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -98,7 +98,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, - @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, @{att}/@{run}/systemd/notify w, @@ -128,14 +127,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, - - @{sh_path} rix, - @{bin}/kmod ix, - - @{sys}/module/*/initstate r, - @{sys}/module/compression r, - include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 193bfc9b6..473848ef3 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rCx, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, 
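Review bot: Removing both `dbus send` rules for `org.freedesktop.systemd1.Manager` (`{DisableUnitFiles,EnableUnitFiles}` and `{JobRemoved,Reload,StartUnit,StopUnit}`) leaves no visible way for systemd-timedated to enable or start the NTP service when `SetNTP` is called, which is the one privileged action this daemon performs. If an `#aa:dbus talk` directive or an include elsewhere in the commit now covers those members, please reference it; otherwise `timedatectl set-ntp` will fail under enforcement. The kept `GetAll` rule with `label="@{p_systemd}"` shows the intended peer pattern. The enclosing profile continues outside the hunk.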
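Review bot: In the `@@ -128,14 +127,6 @@` hunk of systemd-udevd, `capability sys_module,` and `@{bin}/kmod ix,` are removed from a child profile whose header and name are outside the hunk; without `sys_module` that child can no longer load kernel modules, which is presumably what it exists for. The same removal is made in zram-generator's `kmod` child on the next line (`@@ -31,14 +31,10 @@`). If module loading is now meant to come from an include, say so in the commit message; if the child is now empty apart from includes, consider whether it should remain a separate profile at all.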
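Review bot: `@{bin}/kmod rCx,` in zram-generator's `@@ -13,7 +13,7 @@` hunk drops the `-> kmod` target while the child is still declared as `profile kmod {` in the next hunk (`@@ -31,14 +31,10 @@`); as far as I know an untargeted `Cx` transitions to a child profile named after the executable path, so the exec would no longer resolve to that child unless the build tooling rewrites it. Either keep `@{bin}/kmod rCx -> kmod,` or rename the child to match. That second hunk also drops `flags=(attach_disconnected)` from the child together with `capability sys_module,`, so please confirm kmod can still load the zram module under enforcement.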
@@ -31,14 +31,10 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner /dev/pts/@{int} rw, - profile kmod flags=(attach_disconnected) { + profile kmod { include include - capability sys_module, - - @{sys}/module/compression r, - include if exists } diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 211dda9cc..2fa7bb92a 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -9,9 +9,9 @@ include @{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 6d90cadda..271ff23e4 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,12 +9,14 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include - include include + include include + include + include + include include include - include include include include @@ -115,6 +117,7 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 2555d0373..a04fc771d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index e8f03807d..2edc09970 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook 
@@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 91c8b29cc..9734803e4 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 2b7b2b4ee..65a19e0e0 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -9,8 +9,11 @@ include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include + include + include include + include + include include include include diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index e9c4c9ab3..2d3eebbc2 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index c85fb9966..d5ad6e06c 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 5e4b09ce3..91bc4876f 100644 
--- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -9,8 +9,8 @@ include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include - include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index fb8eb259e..4d5ecb46a 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,7 +9,10 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 1703d27cd..37f7f72a5 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 72e016573..8d55ec0b7 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include 
@@ -19,16 +19,11 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=software-properties-gtk), - - dbus receive bus=system path=/ - interface=com.ubuntu.SoftwareProperties - member=Reload - peer=(name=@{busname}, label=software-properties-gtk), + peer=(name=:*, label=software-properties-gtk), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 836adbb55..440ef4117 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include - include include + include include include + include include + include + include include include include @@ -41,10 +44,12 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, + /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, @@ -59,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{rand8} rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, 
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 4ede61bc8..e8d847e92 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include @@ -60,10 +60,9 @@ profile ubuntu-advantage @{exec_path} { @{run}/ubuntu-advantage/{,**} rw, + @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, - @{PROC}/1/cgroup r, - @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index a44e226bc..bf3d4c6c0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,7 +9,10 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 873f06b67..bcdcf108d 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -9,20 +9,23 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include - include include + include include include + include include include include + include + include + include include include include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 09775cb6f..88967baf8 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available 
@@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 06e851b45..8e9cddd54 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -9,15 +9,18 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include - include include + include include include + include + include + include include + include include include include - include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, @@ -25,11 +28,6 @@ profile update-notifier @{exec_path} { #aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell - dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending - interface=com.ubuntu.UnattendedUpgrade.Pending - member=Finished - peer=(name=@{busname}, label=unattended-upgrade), - @{exec_path} mr, @{sh_path} rix, @@ -51,7 +49,6 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, - @{open_path} Cx -> open, @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, @@ -98,13 +95,6 @@ profile update-notifier @{exec_path} { include if exists } - profile open { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index a10659292..b5a24940d 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -14,7 +14,6 @@ profile lsusb @{exec_path} { include capability net_admin, - capability sys_admin, network netlink raw, 
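Review bot: In update-notifier, `@{open_path} Cx -> open,` and the `open` child profile are removed (`@@ -51,7 +49,6 @@` and `@@ -98,13 +95,6 @@`) with nothing visible replacing the transition; if update-notifier still launches an opener for release notes or links, that exec is now denied unless one of the three `include` lines added in the first hunk brings in an abstraction that provides it. The removed `dbus receive` for `com.ubuntu.UnattendedUpgrade.Pending` `member=Finished` from `label=unattended-upgrade` is likewise not covered by the two `#aa:dbus talk` directives kept above it, so the pending-upgrade notification would stop arriving under enforcement. Please confirm both are now provided by an include, or note the dropped functionality in the commit message.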
diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 2976d1316..14ace0dea 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -13,7 +13,6 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, - capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index 5366f1403..3620018a7 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -18,7 +18,6 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 6fc1d5bb2..7559e4e48 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,7 +27,6 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index e5293021c..866da3d6a 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} flags=(attach_disconnected) { +profile su @{exec_path} { include include include diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d9ca9e164..d951bfe03 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/{,gnu}who +@{exec_path} = @{bin}/who profile who @{exec_path} { include include diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 9015d2157..a6c9149d2 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico 
@@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include - include capability sys_admin, capability net_admin, @@ -33,6 +32,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, + /usr/share/mime/globs2 r, + @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index d8c71803d..bf3d48204 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,10 +11,7 @@ profile cockpit-bridge @{exec_path} { include include include - include - include include - include include include @@ -40,8 +37,6 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd - #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} - #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index ba51fc8a5..3fbefadb7 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,7 +10,6 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include - include include include @@ -29,8 +28,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, - @{bin}/ssh-add rix, + @{bin}/ssh-agent rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 59c4b9473..2142e28b9 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s 
@@ -68,6 +68,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, + /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 971cdf55e..f3bbaf019 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -16,11 +16,6 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{sbin}/libvirtd rPx, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 378449352..44d6962f5 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,11 +19,10 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include - include include capability audit_write, @@ -93,11 +92,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -142,6 +136,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, + /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, 
@@ -162,8 +157,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, - owner @{user_config_dirs}/libvirt/{,**} rwk, - owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, @@ -284,7 +277,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - @{PROC}/@{pids}/status r, + owner @{PROC}/@{pids}/status r, /dev/net/tun rw, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 10096bce2..2fcd83048 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/thunar profile thunar @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 41e098548..fc73a14c9 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman deleted file mode 100644 index 270f7266f..000000000 --- a/apparmor.d/groups/xfce/xfce-clipman +++ /dev/null 
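Review bot: `owner @{PROC}/@{pids}/status r,` (`@@ -284,7 +277,7 @@`) adds an `owner` qualifier to a rule that keeps the `@{pids}` variable, whereas the rest of this diff generally pairs `owner` with `@{pid}`; more importantly libvirtd runs as root while guest processes typically run under a separate service user, so an `owner`-qualified read of other processes' `status` will most likely be denied. If the intent is to restrict to libvirtd's own processes, `owner @{PROC}/@{pid}/status r,` says that; otherwise the original unqualified rule should stay. In the `@@ -162,8 +157,6 @@` hunk, removing `owner @{run}/user/@{uid}/libvirt/ rw,` while keeping `owner @{run}/user/@{uid}/libvirt/** rwk,` leaves no rule matching the directory itself, so creating it at session start will be denied.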
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2025 Sighy Brantler -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xfce4-clipman -profile xfce-clipman @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, - - owner @{user_cache_dirs}/xfce4/clipman/ r, - owner @{user_cache_dirs}/xfce4/clipman/* rw, - - owner @{user_config_dirs}/autostart/ r, - owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, - owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 021a377b8..9e74d8046 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include + include include include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index be813a84d..c594b8ed3 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 00c5d8700..b04ed2eb9 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include + include include include include 
diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 11ccca455..91be9eede 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -10,6 +10,7 @@ include profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e9e19cca5..2c0f13bc1 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index be0f5c73d..beddcce1f 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -11,6 +11,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 0f8836326..8d2f06a75 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index 6bc5ec15c..ff36e8459 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,6 +10,7 @@ include profile xfdesktop @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index d3f88c196..22db3f80d 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd 
@@ -10,6 +10,7 @@ include profile xfsettingsd @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index c41e5254f..7ecd2c8fe 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 87908dc9e..b4cfb56e6 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,7 +9,9 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include + include include + include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 55502dd3e..284c35911 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,13 +10,19 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include + include include + include + include include include - include + include + include + include include include include + include network netlink raw, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 544be3be0..6d2683ade 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -33,7 +33,6 @@ profile borg @{exec_path} { @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, - @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bac8aea75..4910629ce 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop 
@@ -48,7 +48,7 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 281d15718..bba3dfedb 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,8 +12,11 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include + include include + include include + include include include include diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index 33b933be2..b89fa42f2 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -11,12 +11,10 @@ include profile cheese @{exec_path} { include include - include include include include include - include include include @@ -51,6 +49,9 @@ profile cheese @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, + /dev/video@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider deleted file mode 100644 index be59811a1..000000000 --- a/apparmor.d/profiles-a-f/cider +++ /dev/null 
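Review bot: `thermal_zone@{int}/{,} r,` uses an alternation with two empty branches, which is just `thermal_zone@{int}/ r,` written confusingly, so the plain form should be used. It also removes the `*` that allowed reading the files inside each thermal zone; as far as I know btop reads `type` and `temp` from those directories for its temperature display, so unless an abstraction added elsewhere covers them, that feature will be denied under enforcement. The enclosing profile continues outside the hunk.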
@@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = {C,c}ider sh.cider.genten -@{domain} = sh.cider.genten org.chromium.Chromium -@{lib_dirs} = @{lib}/cider -@{cache_dirs} = @{user_cache_dirs}/@{name} -@{config_dirs} = @{user_config_dirs}/@{name} - -@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider -profile cider @{exec_path} { - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mrix, - - @{lib_dirs}/ r, - @{lib_dirs}/** r, - @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/chrome-sandbox rPx, - - @{bin}/xdg-settings rPx, - - owner @{user_config_dirs}/sh.cider.genten/ rw, - owner @{user_config_dirs}/sh.cider.genten/** rwk, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/statm r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index aa0a56648..7a11e407f 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -13,7 +13,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/uname rix, + @{bin}/uname rPx, @{bin}/mkdir rix, @{run}/console-setup/ rw, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 2e7723995..87c2bbaba 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop 
+++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -13,16 +13,16 @@ include @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include - include include include - include - include - include include + include + include + include include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 0991a243e..3b34d5055 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -17,9 +17,10 @@ include profile discord @{exec_path} flags=(attach_disconnected) { include include + include + include include include - include include include diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 57487b15c..f40d69799 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,11 +16,11 @@ include profile dropbox @{exec_path} { include include + include include include include include - include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 59cfa3577..ec7ee9c65 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -16,11 +16,12 @@ include profile element-desktop @{exec_path} flags=(attach_disconnected) { include include + include include + include include include include - include include network inet dgram, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 3e650962f..c302ff400 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,8 +10,11 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include + include include - include + include + include + include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 10b5ad4af..e07c91f3d 100644 --- a/apparmor.d/profiles-a-f/evince 
+++ b/apparmor.d/profiles-a-f/evince @@ -9,14 +9,15 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include + include include + include include include - include + include include include include - include include include include @@ -29,6 +30,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index dcd28ddc9..1597c35af 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 6fbabaf28..95fdba512 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include - include @{exec_path} mr, + /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 3d13b813f..5ec394807 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include + include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 16bafb886..366c2aed6 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla 
@@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include + include + include include include include include - include include include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index 7ce69ab64..b22730a27 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/finalrd profile finalrd @{exec_path} { include - include capability dac_read_search, capability sys_admin, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index b820f249c..95e37b4d6 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,10 +17,11 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include + include + include + include include include - include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 65793364d..58ba493cc 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -11,16 +11,14 @@ include profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include include include include - include include include - include capability dac_override, capability dac_read_search, @@ -59,6 +57,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, + /usr/share/mime/mime.cache r, /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, @@ -78,6 +77,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/} r, @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, + /var/lib/flatpak/exports/share/mime/mime.cache r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, 
@@ -134,6 +134,8 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, /dev/wmi/* r, profile gpg flags=(attach_disconnected,complain) { diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index ad324e153..67b625d62 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,7 +11,6 @@ profile gimp @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 01b491b98..0538f5da0 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -65,7 +65,6 @@ profile git @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, - @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, @{lib}/code/extensions/git/dist/askpass.sh rPx, diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg index d668fbfd2..ff5e12444 100644 --- a/apparmor.d/profiles-g-l/gitg +++ b/apparmor.d/profiles-g-l/gitg @@ -10,10 +10,10 @@ include profile gitg @{exec_path} { include include + include include include include - include include network inet dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index aabde9cef..579536674 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} { include signal receive set=term peer=*//shell, - signal receive set=term peer={,vs}code, + signal receive set=term peer=vscode, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index cfd9f0dac..1e27790df 100644 
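Review bot: The added `/dev/tpm@{int} rw` grants the raw TPM character device alongside `/dev/tpmrm@{int} rw`, and nothing in the hunk records why the raw path is needed. Opening `/dev/tpm0` is exclusive and bypasses the kernel resource manager, so a daemon holding it blocks every other TPM user; fwupd's PCR and event-log reads go through tpm2-tss, whose device TCTI prefers `/dev/tpmrm0` and falls back to the raw node only when the resource manager is unavailable. I would keep the `tpmrm` rule and either drop the raw one or annotate it, e.g. `/dev/tpm@{int} rw, # tpm2-tss fallback when tpmrm is absent`. The profile is still flagged `complain`, so neither line is enforced yet; the enclosing profile block starts outside this hunk.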
--- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -25,7 +25,6 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, - owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists } diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim deleted file mode 100644 index 5717837ec..000000000 --- a/apparmor.d/profiles-g-l/grim +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/grim -profile grim @{exec_path} { - include - include - include - - @{exec_path} mr, - - owner @{HOME}/@{int8}_**_grim.png w, - - owner /dev/shm/grim-@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 9b8eca8ee..849599977 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -9,13 +9,13 @@ include @{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} flags=(attach_disconnected) { include - include include + include include - include @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index 7fbe74040..cb459919f 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} flags=(attach_disconnected) { +profile homebank @{exec_path} { include include include diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index fd9c3dfa0..ed62f48f1 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include - include include include 
@@ -27,6 +26,7 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, + /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 093cd7100..7783c8005 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -19,7 +19,6 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, - @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -31,7 +30,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} rw, + @{run}/issue.d/{,**} r, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy deleted file mode 100644 index ccc0a2b25..000000000 --- a/apparmor.d/profiles-g-l/kdestroy +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/kdestroy -profile kdestroy @{exec_path} { - include - include - - #Allow root to destroy other users' creds cache - capability dac_override, - - @{exec_path} mr, - - #Credentials cache - /tmp/krb5cc_* rwk, - /tmp/tkt* rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 75c536612..2bd8ef6b9 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -72,8 +72,6 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - ptrace read peer=@{p_systemd}, - include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init index 7767831a8..b5af4dcc9 100644 --- a/apparmor.d/profiles-g-l/kdump-tools-init 
+++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -29,8 +29,6 @@ profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { capability net_admin, - ptrace read peer=@{p_systemd}, - include if exists } diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator index 5f85af3fe..b80a89343 100644 --- a/apparmor.d/profiles-g-l/kdump_mem_estimator +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -27,8 +27,6 @@ profile kdump_mem_estimator @{exec_path} { capability net_admin, - ptrace read peer=@{p_systemd}, - include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index eb17c5355..50606695a 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -31,7 +31,8 @@ profile kernel-postinst-kdump @{exec_path} { / r, - /etc/initramfs-tools/{,**} r, + /etc/initramfs-tools/conf.d/{,**} r, + /etc/initramfs-tools/initramfs.conf r, owner /var/lib/kdump/** rw, @@ -48,11 +49,6 @@ profile kernel-postinst-kdump @{exec_path} { include include - @{sys}/module/*/ r, - @{sys}/module/*/coresize r, - @{sys}/module/*/holders/ r, - @{sys}/module/*/refcnt r, - include if exists } diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index d9d556879..758ead716 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,8 +10,10 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include + include include include + include include include diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit deleted file mode 100644 index 706a11c10..000000000 --- a/apparmor.d/profiles-g-l/kinit +++ /dev/null 
@@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/kinit -profile kinit @{exec_path} { - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - #User keytab file - /var/lib/krb5/user/@{uid}/client.keytab r, - - #Credentials cache - /tmp/krb5cc_* rwk, - /tmp/tkt* rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist deleted file mode 100644 index f21f34295..000000000 --- a/apparmor.d/profiles-g-l/klist +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/klist -profile klist @{exec_path} { - include - include - - #Allow root to list other users' creds cache - capability dac_override, - capability dac_read_search, - - @{exec_path} mr, - - #User keytab file - /var/lib/krb5/user/@{uid}/client.keytab rk, - - #Credentials cache - /tmp/krb5cc_* rk, - /tmp/tkt* rk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 47cbb22a2..2370271ec 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 7e4feed45..0a9e6dfc2 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice 
@@ -11,20 +11,22 @@ include profile libreoffice @{exec_path} { include include - include + include include include + include + include include - include - include - include + include + include + include + include include include include include include include - include include include include @@ -75,24 +77,21 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, - /etc/cups/ppd/*.ppd r, /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, - /etc/papersize r, /etc/paperspecs r, + /etc/papersize r, /etc/xdg/* r, /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, - - owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/plasma_workspace.notifyrc r, owner @{user_config_dirs}/soffice.*.lock rwk, - owner @{user_config_dirs}/soffice.binrc r, + owner @{user_config_dirs}/plasma_workspace.notifyrc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, @@ -108,7 +107,6 @@ profile libreoffice @{exec_path} { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index f2895299f..04d2f0330 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -16,8 +16,6 @@ profile linux-check-removal @{exec_path} { @{bin}/stty rix, - /etc/shadow r, - include if exists } diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 781a01a27..0dee9ed6a 100644 --- a/apparmor.d/profiles-g-l/logrotate 
+++ b/apparmor.d/profiles-g-l/logrotate @@ -80,8 +80,6 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - ptrace read peer=@{p_systemd}, - dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=KillUnit diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index 5214632dc..d2d52d362 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -30,16 +30,10 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { #aa:only apt @{bin}/dpkg-query px, - @{etc_ro}/ r, - @{etc_ro}/*-release r, - @{etc_ro}/lsb-release r, - @{etc_ro}/lsb-release.d/{,*} r, - - # file_inherit - deny /opt/*/** r, - deny owner @{user_config_dirs}/*/** r, - deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + /etc/ r, + /etc/*-release r, + /etc/lsb-release r, + /etc/lsb-release.d/{,*} r, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 89a57310f..cae5c1c3d 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -10,7 +10,6 @@ include profile initramfs-hooks @{exec_path} { include include - include include @{exec_path} mr, @@ -38,9 +37,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/ r, @{lib}/** mr, - /usr/share/*/initramfs/{,**} r, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, + /usr/share/cryptsetup/initramfs/{,**} r, /etc/console-setup/{,**} r, /etc/cryptsetup-initramfs/{,**} r, @@ -69,7 +68,6 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, 
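Review bot: Removing `ptrace read peer=@{p_systemd}` while leaving `capability sys_ptrace` two lines above it leaves a capability with no ptrace rule to pair with — AppArmor mediates reads of another task's sensitive /proc entries through the ptrace rule set, so the capability on its own grants logrotate nothing here. If the rule was dropped because it was never hit, `capability sys_ptrace` is most likely dead as well and should go with it; if it is still exercised on the `KillUnit` path below, its removal will show up as a ptrace denial against systemd rather than a file denial. The kdump-config hunk earlier in this diff makes the same change and also keeps its `capability sys_ptrace`. The enclosing profile block starts outside this hunk.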
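Review bot: Replacing `@{etc_ro}/…` with literal `/etc/…` narrows the four read rules to `/etc` only, so on layouts where the tunable also covered a vendor defaults directory (presumably `/usr/etc`, which is what such a variable exists for) `lsb_release` will be denied reading `*-release` there; unless `@{etc_ro}` is being retired project-wide, I would keep the variable. The dropped `deny … r`/`rw` lines did not grant anything — per the `# file_inherit` comment they only silenced audit events for descriptors inherited from a Chromium parent — so their removal does not widen the profile, but it will reintroduce that log noise in enforce mode. If that suppression is moving into a shared abstraction, a one-line comment saying so would spare the next reader the same question.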
@@ -82,9 +80,8 @@ profile initramfs-hooks @{exec_path} { include include + @{bin}/ldd mr, @{bin}/* mr, - @{sbin}/* mr, - @{lib}/@{multiarch}/ld-linux-*so* mrix, @{lib}/ld-linux.so* mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index b0397eb8d..15adcb9e6 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -1,6 +1,5 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Alexandre Pujol -# Copyright (C) 2025 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,30 +7,18 @@ abi , include @{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} flags=(attach_disconnected) { +profile mdadm @{exec_path} { include include include - capability dac_read_search, capability sys_admin, - capability mknod, - capability net_admin, - - network netlink raw, mqueue (read getattr) type=posix /, @{exec_path} mr, - @{sh_path} rix, - @{sbin}/sendmail rPUx, - - /etc/{,mdadm/}mdadm.conf r, - /etc/{,mdadm/}mdadm.conf.d/* r, - @{run}/initctl r, - @{run}/mdadm/* rwk, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, @@ -39,17 +26,13 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/vendor r, - @{sys}/devices/virtual/block/md*/** rw, - @{sys}/module/md_mod/** rw, @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, @{PROC}/kcore r, @{PROC}/partitions r, - @{PROC}/mdstat rw, /dev/**/ r, - /dev/.tmp.md.* rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 408947c83..906dcf512 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -19,6 +19,8 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, + @{PROC}/@{pids}/maps r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 32950dbc4..91d021fae 100644 
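Review bot: Dropping `@{sbin}/* mr` from this ldd sub-profile looks risky: initramfs hooks routinely `copy_exec` sbin tools (the profile's own new `/usr/share/cryptsetup/initramfs/{,**} r` rule shows cryptsetup is in play), and ldd mmaps each target binary, so on a layout where `/usr/sbin` is a real directory distinct from `/usr/bin` those runs will now be denied. Unless that was verified on a usr-merged system where the prebuild rewrites `@{sbin}` into `@{bin}`, I would keep the rule or note why it is gone. Separately, the new `@{bin}/ldd mr` is fully subsumed by the `@{bin}/* mr` right below it, so it adds nothing and can be dropped. The enclosing sub-profile starts outside this hunk.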
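Review bot: `@{PROC}/@{pids}/maps r` lets mdevctl read the memory layout of every process on the system, an ASLR/information-disclosure surface well beyond what a mediated-device management tool needs. The access is almost certainly the Rust runtime reading its own `/proc/self/maps` during stack-guard or backtrace setup, so it should be scoped to the calling task: `owner @{PROC}/@{pid}/maps r,`. If a denial on a foreign pid was actually observed, the rule deserves a comment naming which process mdevctl inspects and why.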
--- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,14 +10,23 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include - include include @{exec_path} r, + /usr/share/mime/**.xml r, + /usr/share/mime/globs r, + /usr/share/mime/aliases r, + /usr/share/mime/magic r, + # To read files owner /** r, #aa:lint ignore=too-wide + owner @{user_share_dirs}/mime/**.xml r, + owner @{user_share_dirs}/mime/globs r, + owner @{user_share_dirs}/mime/aliases r, + owner @{user_share_dirs}/mime/magic r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index bf6c55093..b8e79c0dc 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include - include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index d94e5aa44..c6caf364f 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -33,7 +33,6 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, - @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -57,9 +56,10 @@ profile mkinitramfs @{exec_path} { @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, - @{lib}/dracut/dracut-install rix, @{sbin}/blkid rPx, + @{lib}/dracut/dracut-install rix, + @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, 
@@ -113,16 +113,11 @@ profile mkinitramfs @{exec_path} { @{sys}/bus/ r, @{sys}/bus/*/drivers/ r, - @{sys}/devices/ r, - @{sys}/devices/**/ r, - @{sys}/devices/**/modalias r, - @{sys}/devices/**/uevent r, + @{sys}/devices/platform/ r, + @{sys}/devices/platform/**/ r, + @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, - @{sys}/class/ r, - @{sys}/class/*/ r, - - @{sys}/bus/platform/drivers/simple-framebuffer/ r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @@ -134,14 +129,17 @@ profile mkinitramfs @{exec_path} { include include - @{sh_path} rix, + @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mr, + @{lib}/ld-linux.so* mr, + + @{sh_path} rix, + @{bin}/kmod mr, + @{lib}/initramfs-tools/bin/* mr, + @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, - @{bin}/* mr, - @{sbin}/* mr, - @{lib}/** mr, - include if exists } @@ -162,6 +160,26 @@ profile mkinitramfs @{exec_path} { include if exists } + profile find { + include + include + + @{bin}/find mr, + + # pwd dir + / r, + /etc/ r, + /root/ r, + + /usr/share/initramfs-tools/scripts/{,**/} r, + /etc/initramfs-tools/scripts/{,**/} r, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, + owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, + + include if exists + } + profile kmod { include include diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi deleted file mode 100644 index f6489a501..000000000 --- a/apparmor.d/profiles-m-r/mkosi +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# This profile is large on purpose: -# - It is required to have a profile for mkosi to allow userns. -# - Mkosi uses a lot of different binaries and scripts inside sandbox. -# - Using the unconfined flag would Pix everything, we do not want that as the -# transitioned profile would have to account for mkosi paths too. - -abi , - -include - -@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi -profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - - all, - userns, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 3a5dfffb6..2f31aea79 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -11,7 +11,8 @@ profile mpris-proxy @{exec_path} { include include include - include + include + include #aa:dbus own bus=session name=org.mpris.MediaPlayer2 dbus receive bus=session path=/ diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index e0bd8d976..2065dd814 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -10,7 +10,7 @@ include profile murmurd @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index a09008ac3..8c908ddb4 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
@@ -56,12 +56,10 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /tmp/@{word10}/ rw, @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/maps r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 893770a4b..771bbb3b6 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -33,6 +33,8 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index eb42bd59b..1d6d62e2b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -26,6 +26,8 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index fc51b5b9e..d0553d186 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, @@ -54,6 +54,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, 
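Review bot: Switching these rules from `@{PROC}/@{pids}/…` to `@{PROC}/@{pid}/…` without adding `owner` changes nothing the kernel enforces — as far as the tunables define them, both expand to the same integer pattern — but it drops the project's convention that `@{pids}` marks deliberate access to other processes' entries, which is exactly what needrestart does when scanning for stale libraries. The part I would double-check is the removal of `@{PROC}/@{pids}/maps r` and `status r` in the same hunk: needrestart's core check walks each process's `maps` looking for deleted or replaced mappings, so unless those reads now arrive from an abstraction outside this hunk, detection will fail silently under enforcement. I would keep `@{PROC}/@{pids}/maps r,` (and `status`) or add a comment pointing at where the access moved. The enclosing profile block starts outside this hunk.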
diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index d283466f5..7b11aaac5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index e5b54c34e..19f6a515e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include - include #aa:only apt include include include include + include #aa:only apt include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index b60d929e2..f4a61b07b 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -11,8 +11,8 @@ profile pinentry-gnome3 @{exec_path} { include include include + include include - include signal receive set=int, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index d775cafe5..989f6ec8b 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -9,10 +9,11 @@ include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include - include @{exec_path} mr, + /etc/{,opensc/}opensc.conf r, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index e4e923159..178bf28c6 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon 
@@ -12,8 +12,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include + include include - include capability dac_read_search, capability net_admin, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 8a6a2982e..0ac23267b 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -16,8 +16,9 @@ include @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* profile protonmail @{exec_path} flags=(attach_disconnected) { include + include + include include - include network inet stream, network inet dgram, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index a9bd819e3..ca9680aea 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -33,7 +33,6 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { /etc/lsb-release r, /etc/machine-id r, - /etc/os-release r, owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 105264ec2..c308dcd91 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include - include + include include include @@ -32,8 +32,8 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { profile dpkg { include - include include + include capability dac_read_search, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index e0d430443..5d9cba087 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent 
@@ -10,8 +10,10 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include + include include include + include include include include diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index f8fd84d3f..5173c50d8 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin +@{exec_path} = @{sbin}/qemu-ga profile qemu-ga @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 80e58fd7c..c2bc95465 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -10,19 +10,21 @@ include profile remmina @{exec_path} { include include - include + include include include + include + include include - include + include + include + include include include include include include include - include - include include include include diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 2e548d40c..ebbf0a5ab 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -12,7 +12,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_read_search, capability net_admin, @@ -25,6 +24,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, + /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index c5e5ac051..ede981f58 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -45,7 +45,6 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } 
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 3e6791ddc..acdad5640 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,7 +10,9 @@ include profile rustdesk @{exec_path} { include include + include include + include include include include diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index e6c231df3..38336fbc7 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include include diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index a4fdbac88..ef007a32c 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include - include capability dac_read_search, capability linux_immutable, @@ -35,6 +34,9 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + /dev/pts/@{int} rw, + /dev/tpmrm@{int} rw, + # File Inherit deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 4fd9dff69..dc190b787 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -16,9 +16,10 @@ include profile session-desktop @{exec_path} { include include + include + include include include - include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 53f3d20b1..bf0740919 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop 
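Review bot: `/dev/tpmrm@{int} rw` is a new privileged device for sbctl and the hunk gives no hint which operation needs it (the event-log reads sbctl is known for go through `@{sys}/kernel/security/`, not the resource manager), so a why-comment is warranted, e.g. `# TPM resource manager, presumably for sbctl's TPM-backed features — confirm which subcommand`. `/dev/pts/@{int} rw` without `owner` is probably required because sbctl runs under sudo while the pty belongs to the invoking user, which is also worth one line so nobody "tightens" it later. The include removed at the top of the profile is in a separate hunk.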
@@ -17,13 +17,11 @@ include profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include - include + include + include include - include include include - include - include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index a005708db..f79b284fb 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/simple-scan profile simple-scan @{exec_path} { include + include + include include include include diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp deleted file mode 100644 index 740af9b7b..000000000 --- a/apparmor.d/profiles-s-z/slurp +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/slurp -profile slurp @{exec_path} { - include - include - include - - @{exec_path} mr, - - /usr/share/icons/{,**} r, - - # often used in combination with grim screen cature tool - owner /dev/shm/grim-@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker new file mode 100644 index 000000000..6e5af1288 --- /dev/null +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker 
@@ -0,0 +1,186 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} +profile spectre-meltdown-checker @{exec_path} { + include + include + + # Needed to read the /dev/cpu/@{int}/msr device + capability sys_rawio, + + # Needed to read system logs + capability syslog, + + # Used by readlink + capability sys_ptrace, + ptrace (read), + + @{exec_path} r, + + @{bin}/ r, + @{bin}/{,@{multiarch}-}objdump rix, + @{bin}/{,@{multiarch}-}readelf rix, + @{bin}/{,@{multiarch}-}strings rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/base64 rix, + @{bin}/basename rix, + @{bin}/bunzip2 rix, + @{bin}/cat rix, + @{bin}/ccache rCx -> ccache, + @{bin}/cut rix, + @{bin}/date rix, + @{bin}/dd rix, + @{bin}/dirname rix, + @{bin}/dmesg rix, + @{bin}/find rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/head rix, + @{bin}/id rix, + @{sbin}/iucode_tool rix, + @{bin}/kmod rCx -> kmod, + @{bin}/lzop rix, + @{bin}/mktemp rix, + @{bin}/mount rix, + @{bin}/nproc rix, + @{bin}/od rix, + @{bin}/perl rix, + @{bin}/pgrep rCx -> pgrep, + @{sbin}/rdmsr rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/seq rix, + @{bin}/sort rix, + @{bin}/stat rix, + @{bin}/tail rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/unzip rix, + @{bin}/xargs rix, + @{bin}/xz rix, + @{bin}/zstd rix, + + # To fetch MCE.db from the MCExtractor project + @{bin}/wget rCx -> mcedb, + @{bin}/sqlite3 rCx -> mcedb, + owner @{tmp}/mcedb-* rw, + owner @{tmp}/smc-* rw, + owner @{tmp}/{,smc-}intelfw-*/ rw, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, + + owner @{HOME}/.mcedb rw, + + 
/tmp/ r, + owner @{tmp}/{config,kernel}-* rw, + + owner /dev/cpu/@{int}/cpuid r, + owner /dev/cpu/@{int}/msr rw, + owner /dev/kmsg r, + + @{efi}/ r, + @{efi}/config r, + @{efi}/System.map-* r, + @{efi}/vmlinuz-* r, + + @{sys}/devices/system/cpu/vulnerabilities/* r, + @{sys}/module/kvm_intel/parameters/ept r, + + @{PROC}/ r, + @{PROC}/config.gz r, + @{PROC}/cmdline r, + @{PROC}/kallsyms r, + @{PROC}/modules r, + + # find and denoise + @{PROC}/@{pids}/{status,exe} r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/*/ r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # For shell pwd + /root/ r, + /etc/ r, + + profile ccache { + include + + @{bin}/ccache mr, + + @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/{,@{multiarch}-}g++-[0-9]* rix, + + /media/ccache/*/** rw, + + /etc/debian_version r, + + include if exists + } + + profile pgrep { + include + include + + include if exists + } + + profile mcedb { + include + include + include + include + + deny capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{bin}/wget mr, + @{bin}/sqlite3 mr, + + /etc/wgetrc r, + owner @{HOME}/.wget-hsts rwk, + owner @{HOME}/.mcedb rw, + + /tmp/ r, + owner @{tmp}/{,smc-}mcedb-* rwk, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, + + /usr/share/publicsuffix/public_suffix_list.* r, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + owner @{sys}/module/cpuid/** r, + owner @{sys}/module/msr/** r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 2af3f99ae..c73f5f678 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent 
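Review bot: The profile allows `@{bin}/mount rix` but has no `mount` rule and no `@{sys}/kernel/debug/` reads, so if the script still mounts debugfs to read `/sys/kernel/debug/x86/*` (it did in earlier versions) that path is denied under enforce; either add `mount fstype=debugfs -> @{sys}/kernel/debug/,` plus `@{sys}/kernel/debug/x86/* r,` or drop the `mount` entry if it is unused now. `owner /dev/cpu/@{int}/msr rw` together with `capability sys_rawio` lets the confined shell write arbitrary MSRs; the write bit is presumably needed because the checker probes IBRS/IBPB by writing SPEC_CTRL/PRED_CMD, which should be stated next to the rule, e.g. `# rw: the IBRS/IBPB probes write MSR 0x48/0x49 — confirm`. `capability sys_ptrace` and `ptrace (read)` carry no `peer=` and the "Used by readlink" comment does not explain why: `readlink /proc/*/exe` needs PTRACE_MODE_READ on every process, so say so. The `kmod` child keeps `capability sys_module` to load `msr`/`cpuid`, which AppArmor cannot narrow to those two modules; a comment stating that limit would help the next reader.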
@@ -9,19 +9,21 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include + include include include + include include include + include include include include - include - include - include + include include + include + include include - include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -36,6 +38,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 33957504c..95013d8e0 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -11,7 +11,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include - include capability sys_nice, @@ -25,6 +24,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, + /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b04432e39..f245e4312 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,18 +17,20 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include + include + include + include + include include + include + include + include + include include + include include - include include include - include - include - include - include - include network inet dgram, network inet6 dgram, 
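Review bot: `/dev/uinput rw` lets spice-vdagentd create a virtual input device and inject arbitrary keystrokes and pointer events into the host session; that is the daemon's job for forwarding SPICE client input, but it is also the most sensitive rule in the profile and should carry a why-comment: `# virtual keyboard/mouse used to replay SPICE client input`. The include removed in the previous hunk may be what granted this before; confirm nothing else from that dropped abstraction is still needed. The profile header is outside this hunk.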
@@ -36,6 +38,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys @@ -45,6 +49,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { member=RetrieveSecret peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mrix, @{sh_path} mr, @@ -52,8 +57,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, - /usr/local/lib/spotify-adblock.so mr, - /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, @@ -67,8 +70,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, - @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f812fc570..73a86672f 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,15 +16,17 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include + include + include include + include + include include include - include - include - include + include + include + include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index fc30c5fd6..e275fb764 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid 
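Review bot: Removing `/usr/local/lib/spotify-adblock.so mr` while keeping `/etc/spotify-adblock/* r` two lines below leaves the profile half-supporting that setup: a user who still preloads the library now gets an mmap denial at start-up while the config read stays allowed. Either drop both lines or keep the `mr` rule; if it was removed on purpose because preloading third-party code into the player is undesirable under this profile, a comment such as `# spotify-adblock.so is intentionally not mappable; preloaded code would run with this profile's rights` would stop it from being re-added. The `@{tmp}/.@{domain}.@{rand6}/` rule dropped in the next hunk is presumably covered by an abstraction now, which is also worth stating.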
@@ -25,6 +25,8 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, + @{PROC}/@{pids}/maps r, + include if exists } diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index d504b0c15..83e1b2f45 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -11,7 +11,6 @@ include profile syncthing @{exec_path} { include include - include include include include @@ -27,6 +26,10 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, + /usr/share/mime/{,**} r, + + /etc/mime.types r, + @{HOME}/ r, @{HOME}/** rwk, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e8a2533b9..59c78396d 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -10,7 +10,10 @@ include profile terminator @{exec_path} flags=(attach_disconnected) { include include + include include + include + include include include include diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 4c27ee2ca..b663865e8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -13,7 +13,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index df4258b8c..9b0912bd9 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,7 +21,6 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, - signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @@ -44,11 +43,11 @@ profile tomb @{exec_path} { @{bin}/findmnt rix, @{bin}/getent rix, @{bin}/gettext rix, - @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, + @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, 
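Review bot: `@{PROC}/@{pids}/maps r` without `owner` lets syncoid read the memory layout of every process on the host, which is more than a replication tool should need; if the denial being fixed is the interpreter reading its own map (the usual cause), `owner @{PROC}/@{pid}/maps r,` is the tighter rule. If syncoid really inspects other processes' maps, name them in a comment. The profile is in complain mode so nothing breaks today, but this is the line that gets copied when it is promoted to enforce.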
@@ -65,7 +64,6 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, - @{sbin}/losetup rix, @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index d1e429d45..fc582cae2 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,10 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include + include + include include include - include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 9c4a8e673..ad219f1ab 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,13 +9,15 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include + include include + include + include include include include include include - include include include include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 453e0093a..76ec27b68 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -14,10 +14,8 @@ profile udev-fido_id @{exec_path} { @{exec_path} mr, /etc/udev/udev.conf r, - /etc/udev/udev.conf.d/{,**} r, @{sys}/devices/@{pci}/report_descriptor r, - @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, include if exists diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index dc2a0d7aa..fe06b32af 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -14,9 +14,8 @@ profile update-info-dir @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/cp ix, - @{bin}/find ix, @{bin}/install-info Px, + @{bin}/find ix, @{bin}/rm ix, /etc/environment r, 
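Review bot: Dropping `@{sys}/devices/platform/**/report_descriptor r` looks like it breaks fido_id on hosts whose USB controllers sit on the platform bus rather than PCI (most ARM boards, e.g. dwc3 or xhci-plat), where a token's HID path is `/sys/devices/platform/.../report_descriptor`; the remaining `@{pci}` and `virtual` rules do not cover that. Unless the platform path moved into an included abstraction, I would restore it. The `/etc/udev/udev.conf.d/{,**} r` removal is only safe if libudev no longer reads the drop-in directory; recent systemd does, so double-check on a host that has one.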
diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl index ddb86b9a2..e398049de 100644 --- a/apparmor.d/profiles-s-z/v4l2-ctl +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -9,12 +9,14 @@ include @{exec_path} = @{bin}/v4l2-ctl profile v4l2-ctl @{exec_path} { include - include include - include + include @{exec_path} mr, + /dev/media@{int} rw, + /dev/video@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 92dc977d9..aed85abe3 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,18 +12,16 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include include include - include - include - include + include include include include include include include - include include include include @@ -53,6 +51,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, + /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, @@ -103,6 +102,9 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + /dev/media@{int} r, + /dev/video@{int} rw, + # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 05866296d..d572ce9b8 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,10 +11,13 @@ include profile vlc @{exec_path} { include include + include include + include + include + include + include include - include - include include include include @@ -22,11 +25,8 @@ profile vlc @{exec_path} { include include include - include include include - include - include include include 
@@ -36,6 +36,9 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc + #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + @{exec_path} mrix, @{open_path} rPx -> child-open-help, @@ -82,6 +85,7 @@ profile vlc @{exec_path} { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, + /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 0b83e44c8..3606533d7 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -13,10 +13,10 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include + include include include include - include include include include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index c4de427ff..df049741f 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -33,7 +33,6 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, - deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index a07d6bad1..c29543d6b 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -11,6 +11,7 @@ include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index b72cff3c4..fc6955793 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd 
@@ -9,14 +9,9 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include - include include include - # wsdd can create its own chroot as a built-in security mechanism. - # This is used by default in the systemd wsdd-server service. - capability sys_chroot, - network inet dgram, network inet stream, network inet6 dgram, @@ -33,8 +28,7 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/wsdd w, - owner @{run}/user/@{uid}/*/wsdd w, + owner @{run}/user/@{uid}/gvfsd/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 0d6c4d65f..6442fe8b9 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -37,7 +37,7 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{int}D@{int}[cp] w, + /dev/snd/pcmC@{rand4} rw, include if exists } diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils deleted file mode 100644 index 9fed4fefc..000000000 --- a/apparmor.d/tunables/alias.d/coreutils +++ /dev/null 
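Review bot: Dropping `capability sys_chroot` silently disables the `--chroot` hardening that wsdd's upstream systemd unit enables by default; under enforce the `chroot()` call fails and, as far as I recall, wsdd then exits rather than continuing unchrooted, so the service would stop starting on systems using that unit. If the capability was removed because the units in the targeted distributions no longer pass `--chroot`, a comment saying so would avoid it being re-added blindly; otherwise keep `capability sys_chroot,` with its old explanatory comment. The narrowed `owner @{run}/user/@{uid}/gvfsd/wsdd w` is a good tightening.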
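Review bot: `/dev/snd/pcmC@{rand4} rw` is both looser and narrower than the pattern it replaces: `@{rand4}` is meant for random suffixes and matches exactly four alphanumerics, so `pcmC0D0p` matches but `pcmC1D10c` or `pcmC10D0p` (second card, multi-digit device) do not, while an unrelated `pcmCabcd` would. Keep the structured form and just add the read bit: `/dev/snd/pcmC@{int}D@{int}[cp] rw,`.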
@@ -1,112 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has -# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we -# provide aliases for all the coreutils names to their gnu* counterpart. - - alias /{,usr/}bin/dd -> /usr/bin/gnudd, - alias /{,usr/}bin/tee -> /usr/bin/gnutee, - alias /{,usr/}bin/paste -> /usr/bin/gnupaste, - alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, - alias /{,usr/}bin/env -> /usr/bin/gnuenv, - alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, - alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, - alias /{,usr/}bin/shred -> /usr/bin/gnushred, - alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, - alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, - alias /{,usr/}bin/stty -> /usr/bin/gnustty, - alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, - alias /{,usr/}bin/pr -> /usr/bin/gnupr, - alias /{,usr/}bin/nice -> /usr/bin/gnunice, - alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, - alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, - alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, - alias /{,usr/}bin/logname -> /usr/bin/gnulogname, - alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, - alias /{,usr/}bin/chown -> /usr/bin/gnuchown, - alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, - alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, - alias /{,usr/}bin/true -> /usr/bin/gnutrue, - alias /{,usr/}bin/groups -> /usr/bin/gnugroups, - alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, - alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, - alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, - alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, - alias /{,usr/}bin/rm -> /usr/bin/gnurm, - alias /{,usr/}bin/cat -> /usr/bin/gnucat, - alias /{,usr/}bin/tac -> /usr/bin/gnutac, - alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, - alias /{,usr/}bin/seq -> /usr/bin/gnuseq, - alias /{,usr/}bin/cut -> 
/usr/bin/gnucut, - alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, - alias /{,usr/}bin/split -> /usr/bin/gnusplit, - alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, - alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, - alias /{,usr/}bin/who -> /usr/bin/gnuwho, - alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, - alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, - alias /{,usr/}bin/ls -> /usr/bin/gnuls, - alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, - alias /{,usr/}bin/arch -> /usr/bin/gnuarch, - alias /{,usr/}bin/head -> /usr/bin/gnuhead, - alias /{,usr/}bin/date -> /usr/bin/gnudate, - alias /{,usr/}bin/wc -> /usr/bin/gnuwc, - alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, - alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, - alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, - alias /{,usr/}bin/du -> /usr/bin/gnudu, - alias /{,usr/}bin/cp -> /usr/bin/gnucp, - alias /{,usr/}bin/tty -> /usr/bin/gnutty, - alias /{,usr/}bin/sync -> /usr/bin/gnusync, - alias /{,usr/}bin/fold -> /usr/bin/gnufold, - alias /{,usr/}bin/users -> /usr/bin/gnuusers, - alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, - alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, - alias /{,usr/}bin/sort -> /usr/bin/gnusort, - alias /{,usr/}bin/[ -> /usr/bin/gnu[, - alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, - alias /{,usr/}bin/od -> /usr/bin/gnuod, - alias /{,usr/}bin/tr -> /usr/bin/gnutr, - alias /{,usr/}bin/join -> /usr/bin/gnujoin, - alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, - alias /{,usr/}bin/false -> /usr/bin/gnufalse, - alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, - alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, - alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, - alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, - alias /{,usr/}bin/factor -> /usr/bin/gnufactor, - alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, - alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, - alias /{,usr/}bin/basename -> /usr/bin/gnubasename, - alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, - alias /{,usr/}bin/sha1sum -> 
/usr/bin/gnusha1sum, - alias /{,usr/}bin/ln -> /usr/bin/gnuln, - alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, - alias /{,usr/}bin/echo -> /usr/bin/gnuecho, - alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, - alias /{,usr/}bin/dir -> /usr/bin/gnudir, - alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, - alias /{,usr/}bin/touch -> /usr/bin/gnutouch, - alias /{,usr/}bin/mv -> /usr/bin/gnumv, - alias /{,usr/}bin/sum -> /usr/bin/gnusum, - alias /{,usr/}bin/stat -> /usr/bin/gnustat, - alias /{,usr/}bin/yes -> /usr/bin/gnuyes, - alias /{,usr/}bin/install -> /usr/bin/gnuinstall, - alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, - alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, - alias /{,usr/}bin/tail -> /usr/bin/gnutail, - alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, - alias /{,usr/}bin/comm -> /usr/bin/gnucomm, - alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, - alias /{,usr/}bin/uname -> /usr/bin/gnuuname, - alias /{,usr/}bin/test -> /usr/bin/gnutest, - alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, - alias /{,usr/}bin/link -> /usr/bin/gnulink, - alias /{,usr/}bin/df -> /usr/bin/gnudf, - alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, - alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, - alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, - alias /{,usr/}bin/id -> /usr/bin/gnuid, - alias /{,usr/}bin/nl -> /usr/bin/gnunl, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index d4fefb0b0..6868ae87a 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -16,8 +16,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}={dbus-system,unconfined} -@{p_dbus_session}={dbus-session,unconfined} +@{p_dbus_system}={dbus-system,dbus-system//&unconfined} +@{p_dbus_session}={dbus-session,dbus-session//&unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system 
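Review bot: `@{p_dbus_system}={dbus-system,dbus-system//&unconfined}` drops the plain `unconfined` alternative, so on an AppArmor 4.1 host where the `dbus-system` profile is not loaded (or the bus runs under some other label) every `peer=(label=@{p_dbus_system})` rule stops matching and those calls are denied; that is a tightening, which is welcome, but it deserves a comment saying which dbus-daemon invocation ends up with the stacked `dbus-system//&unconfined` label and why the bare `unconfined` case is no longer needed. The same note applies to `@{p_dbus_session}`.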
@@ -68,12 +68,5 @@ @{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal -# Profiles Patterns -# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution - -# Notification -@{pp_notification}={plasmashell,gjs-console} -@{pp_app_indicator}={plasmashell,gnome-shell} -@{pp_dbusmenu}={plasmashell,nautilus} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index b29be3f0c..cf8575db0 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,6 +69,7 @@ # Default attachment path when re-attached path disconnected path is ignored. # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path -@{att}="" +@{att}=/ +alias / -> //, # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 07450efff..885913da3 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,12 +5,11 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ -@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -18,7 +17,6 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ -@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ 
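Review bot: `alias / -> //,` is added unconditionally although the comment above says the re-attached-path mechanism is disabled on abi3 and Ubuntu 25.04+; an alias rule is parsed on every version, so unless whatever build step blanks `@{att}` also strips this line, those builds will carry a root alias they do not want. Guard it the same way `@{att}` is handled, or add `# removed together with @{att} when re-attach is disabled — both lines must stay adjacent` so the coupling is visible. A one-liner on what `//` denotes here (presumably the prefix disconnected paths get — confirm) would also help, since `alias / -> //` reads like a typo.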
@@ -26,7 +24,6 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ -@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} @@ -34,6 +31,5 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} -@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 455621e5b..62685202f 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -32,9 +32,8 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 - "base-strict", // Use base-strict as base abstraction + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 ) // Matrix of ABI/Apparmor version to integrate with @@ -49,9 +48,6 @@ func init() { case "noble": prebuild.ABI = 4 prebuild.Version = 4.0 - case "questing": - prebuild.ABI = 4 - prebuild.Version = 5.0 } case "debian": diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go new file mode 100644 index 000000000..d3c28f025 --- /dev/null +++ b/cmd/prebuild/main_test.go 
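Review bot: Removing `"base-strict"` from the default task list changes the security baseline of every profile in the default build — they get the regular `base` abstraction instead of the stricter variant — and the hunk offers no replacement, so either the strict rules have moved into `base` itself or this is a silent relaxation. Record which it is at the call site, e.g. `// base-strict is now the shipped base abstraction, no rewrite needed`, and if it is a relaxation it belongs in the commit message. Dropping the `questing` case sends Ubuntu 25.10 to the default branch; that is consistent with deleting the coreutils alias file, but say so in a comment. The enclosing `init()` continues outside the hunk.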
@@ -0,0 +1,56 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package main + +import ( + "os" + "os/exec" + "testing" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +func chdirGitRoot() { + cmd := exec.Command("git", "rev-parse", "--show-toplevel") + out, err := cmd.Output() + if err != nil { + panic(err) + } + root := string(out[0 : len(out)-1]) + if err := os.Chdir(root); err != nil { + panic(err) + } +} + +func Test_main(t *testing.T) { + tests := []struct { + name string + dist string + }{ + { + name: "Build for Archlinux", + dist: "arch", + }, + { + name: "Build for Ubuntu", + dist: "ubuntu", + }, + { + name: "Build for Debian", + dist: "debian", + }, + { + name: "Build for OpenSUSE Tumbleweed", + dist: "opensuse", + }, + } + chdirGitRoot() + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + prebuild.Distribution = tt.dist + main() + }) + } +} diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 840f3196b..2f8c90ae0 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,6 +8,8 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service || true +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 840f3196b..2f8c90ae0 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,6 +8,8 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service || true +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 diff --git a/debian/control b/debian/control index 85c4d3786..56ad928ba 100644 --- a/debian/control +++ b/debian/control 
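Review bot: `chdirGitRoot` strips the trailing newline with `out[0 : len(out)-1]`, which panics with a slice-bounds error if `git rev-parse` returns empty output and leaves a `\r` behind on CRLF platforms; `root := strings.TrimSpace(string(out))` (with `"strings"` added to the import block) is the safer form. The helper also changes the working directory of the whole test process and never restores it, and each subtest sets the package-level `prebuild.Distribution` without resetting it, so the subtests are order-dependent; a comment such as `// chdirGitRoot changes the process cwd for every test in this package` would at least make that explicit. Calling `main()` directly means any error path that exits the process ends the test binary without a report — main's error handling is not visible here.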
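Review bot: `systemctl reload apparmor` runs under `set -e` with no `|| true`, so a reload failure (for example a profile that fails to parse) now aborts the maintainer script and leaves the package unconfigured, whereas the replaced `deb-systemd-invoke ... || true` was best-effort; `deb-systemd-invoke` also honours `policy-rc.d`, which matters in chroots and container builds, and a direct `systemctl` call does not. The same change is made in `debian/apparmor.d.postrm` in the next hunk. I would keep the best-effort form: `systemctl reload apparmor || true`.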
@@ -18,6 +18,6 @@ Architecture: any Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 2000 profiles) - apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine - most Linux based applications and processes. +Description: Full set of AppArmor profiles (~ 1500 profiles) + apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine + most Linux based applications and processes. diff --git a/dists/build.sh b/dists/build.sh index e33c48695..9b9f9e765 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -16,7 +16,7 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) diff --git a/dists/docker.sh b/dists/docker.sh index 45191adb8..2e581883c 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -25,7 +25,7 @@ readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" || return 1 + docker start "$img" } _is_running() { @@ -65,7 +65,7 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" - docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar + docker exec "$img" sudo pacman -Syu --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg diff --git a/dists/flags/main.flags b/dists/flags/main.flags index cd9a0e5a6..057c7c298 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -185,7 +185,6 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain -kdestroy complain kdump_mem_estimator complain kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected 
@@ -194,11 +193,9 @@ kernel-install complain kernel-postinst-kdump complain keyboxd complain kglobalacceld complain -kinit complain kio_http_cache_cleaner complain kiod complain kioworker complain -klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain @@ -233,7 +230,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm attach_disconnected,complain +mdadm complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain @@ -330,7 +327,7 @@ systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain systemd-generator-environment-snapd attach_disconnected,complain -systemd-generator-friendly-recovery attach_disconnected,complain +systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 125575ce1..7339702a2 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -8,7 +8,6 @@ apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain -esm_cache complain fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain diff --git a/dists/overwrite b/dists/overwrite index 70ee1cc41..c8769ba54 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -6,7 +6,6 @@ brave chrome chromium -cockpit-desktop element-desktop epiphany firefox 
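Review bot: `mdadm` loses its `attach_disconnected` flag in the `@@ -233,7 +230,7 @@` hunk, and the `docs/issues.md` text elsewhere in this diff states that a missing `attach_disconnected` breaks the program even in complain mode; unless the mdadm profile no longer needs it (its udev/initramfs call paths are not visible here), this is a behaviour change rather than a flag cleanup. In the `@@ -330,7 +327,7 @@` hunk `systemd-generator-friendly-recovery` becomes `systemd-generator-friendly-recover`, but no matching profile rename is in this diff; please confirm the entry still names an existing profile, since presumably a flags line for a profile that does not exist has no effect.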
@@ -30,8 +29,8 @@ unix-chkpwd # Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while # They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: -# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile -# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) +# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better fusermount3 lsblk lsusb @@ -39,6 +38,3 @@ openvpn remmina transmission wg-quick -systemd-detect-virt # Missing integration with @{p_systemd} -hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables - diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index cd82f5d21..f1ac6e18e 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -217,14 +217,6 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this A minimal set of rules for chromium based application. Handle access for internal sandbox. -It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: - -!!! note "" - - [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25) - ``` sh linenums="24" - @{domain} = org.chromium.Chromium - ``` ### **`common/electron`** 
@@ -235,7 +227,6 @@ A minimal set of rules for all electron based UI applications. It works as a *fu [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify - @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/docs/development/build.md b/docs/development/build.md index b767e4e4e..eaa2487a2 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -10,22 +10,18 @@ go run ./cmd/prebuild -h ``` ``` -aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] +aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -s, --server Set AppArmor for server. - -b, --buildir DIR Root build directory. - -F, --file Only prebuild a given file. - --debug Enable debug mode. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -f, --full Set AppArmor for full system policy. + -F, --file Only prebuild a given file. Prepare tasks: configure - Set distribution specificities 
@@ -35,27 +31,21 @@ Prepare tasks: overwrite - Overwrite dummy upstream profiles synchronise - Initialize a new clean apparmor.d build directory ignore - Ignore profiles and files from: - server - Configure AppArmor for server systemd-default - Configure systemd unit drop in files to a profile for some units systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor - attach - Configure tunable for re-attached path Build tasks: - userspace - Fix: resolve variable in profile attachments - abi3 - Build: convert all profiles from abi 4.0 to abi 3.0 - attach - Feat: re-attach disconnected path - base-strict - Feat: use 'base-strict' as base abstraction - complain - Build: set complain flag on all profiles - debug - Build: debug mode enabled - enforce - Build: all profiles have been enforced - fsp - Feat: prevent unconfined transitions in profile rules - hotfix - Fix: temporary solution for #74, #80 & #235 - stacked-dbus - Fix: resolve peer label variable in dbus rules + abi3 - Convert all profiles from abi 4.0 to abi 3.0 + attach - Re-attach disconnected path + complain - Set complain flag on all profiles + enforce - All profiles have been enforced + fsp - Prevent unconfined transitions in profile rules + hotfix - Temporary fix for #74, #80 & #235 + userspace - Resolve variable in profile attachments Directive: #aa:dbus own bus= name= [interface=AARE] [path=AARE] #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] - #aa:dbus common bus= name= label= #aa:exec [P|U|p|u|PU|pu|] profiles... #aa:only filters... #aa:exclude filters... 
@@ -76,12 +66,6 @@ Ignore profiles and files as defined in the `dist/ignore` directory. See [workfl *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* -### **`server`** - -Configure AppArmor for server. Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play). - -*Enable with the `--server` option in the prebuild command.* - ### **`merge`** Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 379241a49..2585208e5 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -6,18 +6,11 @@ title: Roadmap This is the current list of features that must be implemented to get to a stable release -- [x] **[Play machine](https://github.com/roddhjav/play)** +- [x] **Play machine** -- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - - [x] Move most profiles into groups - - [ ] Provide complain/enforced packages version - - [ ] normal/FSP/server packages variants - -- [ ] **Build system** - - [ ] Continuous release on the main branch, ~2 releases per week - - [ ] Provide packages repo for ubuntu/debian - - [x] Add a `just` target to install the profiles in the right place - - [x] Fully drop the Makefile in favor of `just` +- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** + - [x] Move most profiles into groups such that + - [ ] New simplified build system to generate the packages with profile dependencies check - [ ] **Tests** - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) 
@@ -29,26 +22,14 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) + - [x] The apt/dpkg profiles needs to be reworked -- [ ] **Abstractions** - - [ ] Document all abstractions - - [ ] Split and reorganize some big abs into set of smaller abstractions. - Strictly follow the new abstractions guidelines (layer 0, layer 1, etc.) - - [ ] Abstraction based profiles: - Most of the accesses needed by GUI based application are commons. As such 80-90% of the profile content should be handled by abstractions (internally they will have conditions). - - [ ] Test new interface like abstractions - - notifications - - audio-bluetooth - - secrets-service - - media-keys - - ... - - [ ] Rewrite the desktop abstraction to only contains other abs. No direct rules in it. - - [ ] Rewrite the DE specific abstraction to be a layer 1 abs - -- [ ] **Security improvements** - - [ ] Limit the use of `abstractions/common/systemd` - - [ ] Ensure systemctl restart/stop/reload is always confined and filtered by unit (dbus only) - - [ ] Revisit the usae of `systemd-tty-ask-password-agent` +- [ ] Build system + - [ ] Continuous release on the main branch, ~2 releases per week + - [ ] Provide packages repo for ubuntu/debian + - [ ] Provide complain/enforced packages version + - [x] Add a `just` target to install the profiles in the right place + - [x] Fully drop the Makefile in favor of `just` ## Next features 
@@ -64,16 +45,8 @@ This is the current list of features that must be implemented to get to a stable - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - [x] Remove the `default` profile -- [ ] **Define roles** - - [ ] Unrestricted shell role without FSP enabled - - [ ] Define the roles when FSP is enabled - ## Done -**General improvements** - -- [x] The apt/dpkg profiles has been rewritten - **Abstractions** - [x] New `audio-client` and `audio-server` abstractions diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 7cc7c5616..786d77c93 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -36,7 +36,7 @@ title: Workflow Here is the bare minimum for the program `foo`: ``` sh # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 You +# Copyright (C) 2024 You # SPDX-License-Identifier: GPL-2.0-only abi , @@ -130,7 +130,7 @@ For this individual profile installation to work, the full package needs to be i To discover the access needed by a program, you can use the following tools: -1. Start the program in *complain* mode, let it initialize itself, then close it. +1. Star the program in *complain* mode, let it initialize itself, then close it. 1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: - Convert the logs to AppArmor rules. diff --git a/docs/issues.md b/docs/issues.md index 2f38f4c5a..1db3b195a 100644 --- a/docs/issues.md +++ b/docs/issues.md 
@@ -6,19 +6,6 @@ title: Known issues Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. -## Ubuntu - -### Dbus - -Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* - -Note: Ubuntu server has been more tested and will work without issues with enforced rules. - -### Snap - -Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. - - ## Complain mode A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: @@ -27,3 +14,20 @@ A profile in *complain* mode cannot break the program it confines. However, ther 2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, 3. If AppArmor does not find the profile to transition `rPx`. +## Pacman "could not get current working directory" + +```sh +$ sudo pacman -Syu +... +error: could not get current working directory +:: Processing package changes... +... +``` + +This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. + +According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. + +This provides a basic protection against some packages (on the AUR) that may have rogue install script. + +[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index 1ec5e06b1..d27908129 100644 --- a/pkg/prebuild/builder/attach.go 
+++ b/pkg/prebuild/builder/attach.go @@ -31,9 +31,6 @@ func init() { func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name - if opt.File.HasSuffix("attached/base") { - return profile, nil // Do not re-attach twice - } if strings.Contains(profile, "attach_disconnected") { insert = "@{att} = /att/" + opt.Name + "/\n" @@ -45,18 +42,17 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { "include ", "include ", ) - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) profile = strings.ReplaceAll(profile, "include ", "include ", ) } else { - insert = "@{att} = \"\"\n" - + insert = "@{att} = /\n" + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go deleted file mode 100644 index 29a065629..000000000 --- a/pkg/prebuild/builder/base-strict.go +++ /dev/null @@ -1,32 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package builder - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -type BaseStrict struct { - prebuild.Base -} - -func init() { - RegisterBuilder(&BaseStrict{ - Base: prebuild.Base{ - Keyword: "base-strict", - Msg: "Feat: use 'base-strict' as base abstraction", - }, - }) -} - -func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) - return profile, nil -} diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 6bcf74647..06ceb1d28 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go 
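Review bot: The `HasSuffix("attached/base")` guard ("Do not re-attach twice") is removed, so if the builder is also applied to the `attached/base` abstraction itself, the `ReplaceAll` calls now rewrite its include lines too; whether that yields a self-include depends on the include strings, which are lost in this rendering, so please confirm. The new `else` branch inserts `@{att} = /` into every profile without `attach_disconnected`, which presumably only parses once the tunable-level `@{att}=/` has been commented out by the prepare task later in this diff; that ordering dependency deserves a comment, e.g. `// Requires the "attach" prepare task to have commented out @{att} in tunables/multiarch.d/system`. The enclosing `Apply` function starts before the first hunk.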
@@ -231,80 +231,10 @@ func TestBuilder_Apply(t *testing.T) { want: "", wantErr: true, }, - { - name: "stacked-dbus-1", - b: Builders["stacked-dbus"], - profile: ` -profile foo { - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - -}`, - want: ` -profile foo { -dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session), -dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), - -}`, - }, - { - name: "base-strict-1", - b: Builders["base-strict"], - profile: ` -profile foo { - include -}`, - want: ` -profile foo { - include -}`, - }, - { - name: "attach-1", - b: Builders["attach"], - profile: ` -profile attach-1 flags=(attach_disconnected) { - include - include - include -}`, - want: ` -@{att} = /att/attach-1/ -profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { - include - include - include -}`, - }, - { - name: "attach-2", - b: Builders["attach"], - profile: ` -profile attach-2 flags=(complain) { - include - include - include -}`, - want: ` -@{att} = "" -profile attach-2 flags=(complain) { - include - include - include -}`, - }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) 
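Review bot: The `attach-1`/`attach-2` cases are deleted while `attach.go` changes its `else` branch to insert `@{att} = /` in the same commit, so the new output has no test at all; a case equivalent to the removed `attach-2` with `@{att} = /` as the expected first line would cover it. The loop now builds `Option` without `Name`, yet `ReAttach.Apply` derives its insertion anchor from `"profile " + opt.Name`, so any re-added attach case will also need `Name: tt.name` restored. The enclosing `TestBuilder_Apply` starts before the hunk.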
diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index eca8122c6..d572e9d31 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -19,7 +19,7 @@ var ( } ) -// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { prebuild.Base } @@ -51,6 +51,7 @@ func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { case aa.AbstractionKind, aa.TunableKind: raw = profile } + raw = profile r, par, err := aa.ParseRules(raw) if err != nil { @@ -72,7 +73,7 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { toResolve = append(toResolve, k) } - rulesByParagraph, paragraphs, err := parse(kind, profile) + rulesByParagraph, paragraphs, err := parse(kind, profile) // if err != nil { return "", err } diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index afed5aedf..8abfb4323 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -7,8 +7,6 @@ package cli import ( "flag" "fmt" - "os" - "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/logging" @@ -22,7 +20,7 @@ import ( const ( nilABI = 0 nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. @@ -34,10 +32,8 @@ Options: -a, --abi ABI Target apparmor ABI. -v, --version V Target apparmor version. -f, --full Set AppArmor for full system policy. - -s, --server Set AppArmor for server. - -b, --buildir DIR Root build directory. + -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. - --test Enable test mode. --debug Enable debug mode. ` ) 
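Review bot: The added `raw = profile` after the `switch` in `parse` unconditionally overwrites whatever the switch assigned, so the `aa.AbstractionKind, aa.TunableKind` case is now dead and any other case's value is discarded; either that line or the switch should go. In `Apply`, `parse(kind, profile) //` carries an empty trailing comment that reads as leftover debugging. The type comment became `// Fix for ...`, which no longer starts with the type name as Go doc comments conventionally do; `// StackedDbus is a fix for ...` was the better form.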
@@ -47,9 +43,7 @@ var ( complain bool enforce bool full bool - server bool debug bool - test bool abi int version float64 file string @@ -61,8 +55,6 @@ func init() { flag.BoolVar(&help, "help", false, "Show this help message and exit.") flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") - flag.BoolVar(&server, "s", false, "Set AppArmor for server.") - flag.BoolVar(&server, "server", false, "Set AppArmor for server.") flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") @@ -76,7 +68,6 @@ func init() { flag.StringVar(&buildir, "b", "", "Root build directory.") flag.StringVar(&buildir, "buildir", "", "Root build directory.") flag.BoolVar(&debug, "debug", false, "Enable debug mode.") - flag.BoolVar(&test, "test", false, "Enable test mode.") } func Configure() { @@ -90,22 +81,7 @@ func Configure() { flag.Parse() if help { flag.Usage() - os.Exit(0) - } - - if server { - idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) - if idx == -1 { - prepare.Register("server") - } else { - prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) - } - - // Remove hotfix task as it is not needed on server - idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) - if idx != -1 { - prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) - } + return } if full && paths.New("apparmor.d/groups/_full").Exist() { @@ -121,9 +97,6 @@ func Configure() { if debug { builder.Register("debug") } - if test { - prebuild.Test = true - } } else if enforce { builder.Register("enforce") } 
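Review bot: In `Configure`, `if help { flag.Usage(); return }` replaces `os.Exit(0)`, so after printing usage the function returns normally and, unless the caller checks the `help` flag (not visible here), the prebuild proceeds as if no option had been given. If exiting is intended, `os.Exit(0)` should stay (and the `os` import with it); if returning is intended, a comment such as `// caller is expected to stop after usage is printed` would keep a future reader from re-adding the exit. `Configure` continues past the hunk.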
@@ -145,11 +118,8 @@ func Configure() { builder.Register("stacked-dbus") } else { - if !prebuild.DownStream { - prepare.Register("attach") - } builder.Register("attach") - + prepare.Register("attach") } default: diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 4862597bb..891eb9e1d 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -135,7 +135,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { } res = append(res, - // DBus.Properties: reply to properties request from anyone + // DBus.Properties &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", @@ -143,7 +143,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, - // DBus.Introspectable: allow clients to introspect the service + // DBus.Introspectable &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", @@ -151,7 +151,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"@{busname}"`, }, - // DBus.ObjectManager: allow clients to enumerate sources + // DBus.ObjectManager &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", @@ -170,14 +170,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) - res := aa.Rules{ - &aa.Unix{ - Type: "stream", - Address: "none", - PeerLabel: rules["label"], - PeerAddr: "none", - }, - } + res := aa.Rules{} // Interfaces for _, iface := range interfaces { 
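Review bot: `talk` no longer emits the `unix type=stream addr=none peer=(label=...)` rule, so every `#aa:dbus talk` directive loses its unnamed unix stream socket permission towards the peer label; if any talking profile relied on it (for example for fd passing) this will surface as unix denials, and nothing in the diff explains why it is safe to drop. The `own` hunks also shorten the rule comments to bare interface names (`// DBus.Properties` etc.), losing the reason that `// DBus.Properties: reply to properties request from anyone` carried; I would keep the explanatory suffixes. The enclosing `own` function starts before its first hunk.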
@@ -205,7 +198,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }, - // DBus.ObjectManager: allow clients to enumerate sources + // DBus.ObjectManager &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index d6e90bb99..0844fd745 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -8,7 +8,7 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include +const dbusOwnSystemd1 = ` include dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} @@ -73,7 +73,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include + want: ` include dbus bind bus=session name=com.rastersoft.ding{,.*}, dbus receive bus=session path=/com/rastersoft/ding{,/**} @@ -120,9 +120,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), - - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index ac632471b..b6ec56816 100644 --- a/pkg/prebuild/directive/filter.go 
+++ b/pkg/prebuild/directive/filter.go @@ -43,10 +43,6 @@ func filterRuleForUs(opt *Option) bool { return true } - if prebuild.Test && slices.Contains(opt.ArgList, "test") { - return true - } - abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 486a45d14..37cbc69bc 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,15 +13,9 @@ var ( // AppArmor version Version = 4.0 - // Tells the build we are a downstream project using apparmor.d as dependency - DownStream = false - // Either or not RBAC is enabled RBAC = false - // Either or not we are in test mode - Test = false - // Pkgname is the name of the package Pkgname = "apparmor.d" diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index d9879570b..504f05c1c 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -11,12 +11,9 @@ import ( ) // Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "just", all edit will be lost. +var Hide = `# This file is generated by "make", all edit will be lost. /etc/apparmor.d/usr.bin.firefox -/etc/apparmor.d/usr.bin.swtpm -/etc/apparmor.d/usr.bin.wsdd -/etc/apparmor.d/usr.libexec.geoclue /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/usr.sbin.rsyslogd diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index 4523382d8..3331c73dc 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -32,6 +32,7 @@ func (p ReAttach) Apply() ([]string, error) { if err != nil { return res, err } - out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) + out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") return res, path.WriteFile([]byte(out)) } 
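Review bot: The generated header in `Hide` now reads `generated by "make"`, while the roadmap change in this same diff ticks off "Fully drop the Makefile in favor of `just`", so the user-visible text points at a build tool the project says it no longer uses; `# This file is generated by "just", all edit will be lost.` is the consistent form. Three hide entries (`usr.bin.swtpm`, `usr.bin.wsdd`, `usr.libexec.geoclue`) are also dropped, meaning the upstream versions of those profiles are no longer hidden on Debian; whether that is intended cannot be judged from here.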
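Review bot: `strings.ReplaceAll(out, "@{att}=/", "# @{att}=/")` and the alias replacement are not idempotent: on a build directory where the task has already run, the already-commented `# @{att}=/` matches again and becomes `# # @{att}=/`; the replacement also keys on the exact spelling of the tunable line, so any whitespace change in `tunables/multiarch.d/system` leaves both lines active with no error. A guard such as `if !strings.Contains(out, "# @{att}=/") { ... }`, or a line-anchored regexp, would make the step robust. The enclosing `Apply` starts before the hunk.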
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 9ca3b14d3..a6e954485 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,7 +6,6 @@ package prepare import ( "fmt" - "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -24,15 +23,6 @@ func init() { }) } -func removeFiles(files []string) error { - for _, name := range files { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { - return err - } - } - return nil -} - func (p Configure) Apply() ([]string, error) { res := []string{} @@ -67,41 +57,20 @@ func (p Configure) Apply() ([]string, error) { } - if prebuild.Version >= 4.1 { + if prebuild.Version == 4.1 { + // Remove files upstreamed in 4.1 remove := []string{ - // Remove files upstreamed in 4.1 "abstractions/devices-usb-read", "abstractions/devices-usb", "abstractions/nameservice-strict", "tunables/multiarch.d/base", - - // Direct upstream contributed profiles, similar to ours - "wg", + "wg", // Upstream version is identical } - if err := removeFiles(remove); err != nil { - return res, err + for _, name := range remove { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return res, err + } } } - if prebuild.Version >= 5.0 { - remove := []string{ - // Direct upstrem contributed profiles, similar to ours - "dig", - "free", - "nslookup", - "who", - } - if err := removeFiles(remove); err != nil { - return res, err - } - - // @{pci_bus} was upstreamed in 5.0 - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") - out, err := path.ReadFileAsString() - if err != nil { - return res, err - } - out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") - return res, path.WriteFile([]byte(out)) - } return res, nil } diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go deleted file mode 100644 index fb9a1f602..000000000 --- a/pkg/prebuild/prepare/server.go +++ /dev/null 
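Review bot: `if prebuild.Version == 4.1` only removes the files "upstreamed in 4.1" when the target version is exactly 4.1; files that are upstream in 4.1 stay upstream in later releases (`cmd/prebuild/main.go` in this diff assigns other `prebuild.Version` values), so a later-version build would ship duplicates again, and exact equality on a `float64` is fragile in any case. The original comparison should stay: `if prebuild.Version >= 4.1 {`. Inlining the loop in place of the deleted `removeFiles` helper is fine on its own, but the helper would be the natural home once a second version block exists.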
@@ -1,108 +0,0 @@
-// apparmor.d - Full set of apparmor profiles
-// Copyright (C) 2021-2024 Alexandre Pujol
-// SPDX-License-Identifier: GPL-2.0-only
-
-package prepare
-
-import (
- "fmt"
- "strings"
-
- "github.com/roddhjav/apparmor.d/pkg/paths"
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
-)
-
-var (
- serverIgnorePatterns = []string{
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- "include ",
- }
- serverIgnoreGroups = []string{
- "akonadi",
- "avahi",
- "bluetooth",
- "browsers",
- "cosmic",
- "cups",
- "display-manager",
- "flatpak",
- "freedesktop",
- "gnome",
- "gvfs",
- "hyprland",
- "kde",
- "lxqt",
- "steam",
- "xfce",
- "zed",
- }
-)
-
-type Server struct {
- prebuild.Base
-}
-
-func init() {
- RegisterTask(&Server{
- Base: prebuild.Base{
- Keyword: "server",
- Msg: "Configure AppArmor for server",
- },
- })
-}
-
-func (p Server) Apply() ([]string, error) {
- res := []string{}
-
- // Ignore desktop related groups
- groupNb := 0
- for _, group := range serverIgnoreGroups {
- path := prebuild.RootApparmord.Join("groups", group)
- if path.IsDir() {
- if err := path.RemoveAll(); err != nil {
- return res, err
- }
- groupNb++
- } else {
- res = append(res, fmt.Sprintf("Group %s not found, ignoring", path))
- }
- }
-
- // Ignore profiles using a desktop related abstraction
- fileNb := 0
- files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
- for _, file := range files {
- if !file.Exist() {
- continue
- }
- profile, err := file.ReadFileAsString()
- if err != nil {
- return res, err
- }
- for _, pattern := range serverIgnorePatterns {
- if strings.Contains(profile, pattern) {
- if err := file.RemoveAll(); err != nil {
- return res, err
- }
- fileNb++
- break
- }
- }
- }
-
- res = append(res, fmt.Sprintf("%d groups ignored", groupNb))
- res = append(res, fmt.Sprintf("%d profiles 
ignored", fileNb))
- return res, nil
-}
diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service
new file mode 100644
index 000000000..9c1fad533
--- /dev/null
+++ b/systemd/default/user/at-spi-dbus-bus.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=dbus-accessibility
diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service
new file mode 100644
index 000000000..818d5cdf3
--- /dev/null
+++ b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=ibus-daemon
diff --git a/tests/check.sh b/tests/check.sh
index b54bc157a..60e23c694 100644
--- a/tests/check.sh
+++ b/tests/check.sh
@@ -11,13 +11,9 @@ set -eu -o pipefail
 RES=$(mktemp)
 echo "false" >"$RES"
 MAX_JOBS=$(nproc)
-APPARMORD=${CHECK_APPARMORD:-apparmor.d}
-SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list}
 declare WITH_CHECK
 declare _check_is_disabled
-declare _check_is_disabled_global
-_FILE_IGNORE_ALL=false
-readonly APPARMORD SBIN_LIST RES MAX_JOBS
+readonly RES MAX_JOBS APPARMORD="apparmor.d"
 readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m"
 _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; }
 _warn() {
@@ -46,11 +42,6 @@ _in_array() {
 _is_enabled() {
 local check="$1"
 if _in_array "$check" "${WITH_CHECK[@]}"; then
- if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then
- if _in_array "$check" "${_check_is_disabled_global[@]}"; then
- return 1
- fi
- fi
 if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then
 return 0
 fi
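Review bot: `AppArmorProfile=dbus-accessibility` without a leading `-` makes at-spi-dbus-bus.service fail to start whenever that profile is not loaded in the kernel, and the same holds for the `ibus-daemon` unit added in the next file. Failing closed is a reasonable choice for a profile package, but it is invisible to anyone reading a two-line unit, so a comment would help: `# Fails closed: the unit does not start unless the dbus-accessibility profile is loaded; prefix the name with - to ignore errors.` If graceful degradation when apparmor.d is absent is the intent instead, `AppArmorProfile=-dbus-accessibility` is the form that ignores the error.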
@@ -77,18 +68,10 @@ _ignore_lint() {
 local checks line="$1"
 if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then
- # Start of an ignore block (or file-wide if in header)
- checks="${line#*"$_IGNORE_LINT="}"
- read -ra _parsed <<<"${checks//,/ }"
- if (( line_number <= 10 )); then
- # Treat as file-wide ignore
- _check_is_disabled_global=("${_parsed[@]}")
- _FILE_IGNORE_ALL=true
- _IGNORE_LINT_BLOCK=false
- return 0
- fi
+ # Start of an ignore block
 _IGNORE_LINT_BLOCK=true
- _check_is_disabled=("${_parsed[@]}")
+ checks="${line#*"$_IGNORE_LINT="}"
+ read -ra _check_is_disabled <<<"${checks//,/ }"
 elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then
 # New paragraph, end of block
@@ -96,33 +79,22 @@ _ignore_lint() {
 _check_is_disabled=()
 elif [[ $_IGNORE_LINT_BLOCK == true ]]; then
- # Nothing to do, we are in a block/paragraph
+ # Nothing to do, we are in a block
 return 0
 elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then
- # Inline ignore (or file-wide if in header)
+ # Inline ignore
 checks="${line#*"$_IGNORE_LINT="}"
- read -ra _parsed <<<"${checks//,/ }"
- if (( line_number <= 10 )); then
- _check_is_disabled_global=("${_parsed[@]}")
- _FILE_IGNORE_ALL=true
- return 0
- fi
- _check_is_disabled=("${_parsed[@]}")
+ read -ra _check_is_disabled <<<"${checks//,/ }"
 else
- # Do not clear if file-wide ignore is set
- if ! $_FILE_IGNORE_ALL; then
- _check_is_disabled=()
- fi
+ _check_is_disabled=()
 fi
 }
 _check() {
 local file="$1"
- line_number=0
- _FILE_IGNORE_ALL=false
- _check_is_disabled_global=()
+ local line_number=0
 while IFS= read -r line; do
 line_number=$((line_number + 1))
@@ -221,7 +193,6 @@ declare -A EQUIVALENTS=(
 ["awk"]="{m,g,}awk"
 ["gawk"]="{m,g,}awk"
 ["grep"]="{,e}grep"
- ["gs"]="gs{,.bin}"
 ["which"]="which{,.debianutils}"
 )
 _check_equivalent() {
@@ -529,14 +500,14 @@ _check_udev() {
 check_sbin() {
 local file name jobs
- mapfile -t sbin <"$SBIN_LIST"
+ mapfile -t sbin # SPDX-License-Identifier: GPL-2.0-only
-set -eux -o pipefail
+set -eux
-# shellcheck source=/dev/null
-source /etc/os-release || exit 1
+_lsb_release() {
+ # shellcheck source=/dev/null
+ . /etc/os-release
+ echo "$ID"
+}
+DISTRIBUTION="$(_lsb_release)"
 readonly SRC=/tmp/
+readonly DISTRIBUTION
 main() {
 install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/"
@@ -19,26 +24,30 @@ main() {
 install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean
 chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/"
- case "$ID" in
+ case "$DISTRIBUTION" in
 arch)
 rm -f $SRC/*.sig # Ignore signature files
- rm -f $SRC/*enforced* # Ignore enforced package
- pacman --noconfirm -U $SRC/*.pkg.tar.zst || true
+ pacman --noconfirm -U $SRC/*.pkg.tar.zst
 ;;
 debian | ubuntu)
- # Do not install apparmor.d on the current development version
- if [[ $VERSION_ID != "25.10" ]]; then
- dpkg -i $SRC/*.deb || true
- fi
+ apt install -y apparmor-profiles
+ dpkg -i $SRC/*.deb || true
 ;;
 opensuse*)
 mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias"
- rpm -i $SRC/*.rpm || true
+ rpm -i $SRC/*.rpm
 ;;
 esac
+
+ verb="start"
+ rm -rf /var/cache/apparmor/* || true
+ if systemctl is-active -q apparmor; then
+ verb="reload"
+ fi
+ systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service
 }
 main "$@"
diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases
index 2580556fd..27e05bf80 100644
--- a/tests/packer/src/.bash_aliases
+++ b/tests/packer/src/.bash_aliases
@@ -8,6 +8,7 @@ for nb in $(seq "$1"); do
 done
 }
+alias sudo='sudo -E'
 alias aa-log='sudo aa-log'
 alias aa-status='sudo aa-status'
 alias c='clear'
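Review bot: `systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service` hides a failed start or reload: under `set -eux` the `||` branch runs journalctl, whose exit status (normally 0) becomes the status of the whole line, so the image finishes building with AppArmor not running and no error reported. Use `systemctl "$verb" apparmor.service || { journalctl -xeu apparmor.service; exit 1; }` to keep the log output and still fail. The debian/ubuntu branch also keeps `dpkg -i $SRC/*.deb || true` while the pacman and rpm lines now fail fast; if dpkg's non-zero exit on unmet dependencies is the reason, following it with `apt-get install -f -y` makes the outcome checked rather than ignored. `main` begins outside the hunk.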
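Review bot: `alias sudo='sudo -E'` makes every interactive `sudo` in the test image forward the caller's environment to the root command (to the extent the sudoers `env_keep`/`secure_path` policy still permits), which is broader than the two project aliases below need. If a specific variable must survive, scope it to the command that needs it, e.g. `alias aa-log='sudo --preserve-env=VAR aa-log'` with the actual variable name, and leave plain `sudo` unaliased so other root commands keep the default sanitised environment.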