From 2fcf4c50119de50de5498f30ee7a7a2aff9b5cd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:38:15 +0200 Subject: [PATCH 001/184] ci(github): remove test now enabled by default. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9f2addf88..90b709a31 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,11 +47,6 @@ jobs: if [[ ${{ matrix.mode }} == full-system-policy ]]; then sed -e "s/just complain/just fsp-complain/" -i debian/rules fi - if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then - # Test with Re-attach disconnected path - sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go - sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system - fi bash dists/build.sh dpkg - name: Install apparmor.d From bc270954d49993374b14bc2af6b89bb37d7d45ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:53:12 +0200 Subject: [PATCH 002/184] feat(abs): add missing bus abs. --- .../bus/org.gnome.SettingsDaemon.MediaKeys | 23 ++++++++++++++++ .../bus/org.gnome.keyring.internal.Prompter | 26 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys create mode 100644 apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys new file mode 100644 index 000000000..3a461a85a --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys 
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + # DBus.Properties: read all properties from the interface + dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.gnome.SettingsDaemon.MediaKeys + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter new file mode 100644 index 000000000..1c3e8f760 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter 
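Review bot: The second rule in this hunk, `dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys interface=org.gnome.SettingsDaemon.MediaKeys`, carries no `member=` filter, so every method and signal on that interface is allowed in both directions, while the Properties rule just above it is limited to `{Get,GetAll}`. The header comment says the abstraction only needs to register interest in media keys and receive the key events, which maps to a small member set (GrabMediaPlayerKeys, ReleaseMediaPlayerKeys and the MediaPlayerKeyPressed signal — confirm against the daemon's introspection data); consider `member={GrabMediaPlayerKeys,ReleaseMediaPlayerKeys,MediaPlayerKeyPressed}` and splitting the signal into a receive-only rule. If the unrestricted form is deliberate, a one-line comment saying why would keep a later reviewer from tightening it.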
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow accessing the GNOME crypto services prompt APIs as used by +# applications using libgcr (such as pinentry-gnome3) for secure pin +# entry to unlock GPG keys etc. See: +# https://developer.gnome.org/gcr/unstable/GcrPrompt.html +# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html +# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + + abi , + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + include if exists + +# vim:syntax=apparmor From 068d205e13b333f077371bd4af37637902f29e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:02:12 +0200 Subject: [PATCH 003/184] fix(prebuild): removce ineffectual assignment. --- pkg/prebuild/builder/stacked-dbus.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index d572e9d31..33af33df7 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -51,7 +51,6 @@ func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { case aa.AbstractionKind, aa.TunableKind: raw = profile } - raw = profile r, par, err := aa.ParseRules(raw) if err != nil { From 7ecc84d3b0e13f5d346a906dceda14321fddae1a Mon Sep 17 00:00:00 2001 
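Review bot: The peer label in both rules of this hunk, `peer=(name=@{busname}, label=pinentry-*)`, appears to name the wrong side for the directions written: the confined process sends BeginPrompting/PerformPrompt/StopPrompting to /org/gnome/keyring/Prompter and receives PromptReady/PromptDone on its own callback object, which is the libgcr client role the header comment describes (pinentry-gnome3 is its example). The peer of those messages is the process that serves the Prompter object, so unless the prompter runs under a pinentry-* label in this project, the label should be the prompter's profile name and pinentry-gnome3 would be the profile including this abstraction rather than the peer. A label that never matches only surfaces as denials, so a run of pinentry under the abstraction with `aa-log` would confirm which side is intended.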
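Review bot: The removed `raw = profile` was not ineffectual in the sense the title suggests: it overwrote whatever the `switch` above assigned, so every kind was parsed from the whole profile text, and deleting it changes behaviour for the kinds handled by the cases outside this hunk (only `aa.AbstractionKind`/`aa.TunableKind` visibly keep `raw = profile`). That is likely the intended fix, but it deserves a sentence in the commit message, and it is worth checking that every branch of the switch assigns `raw` — a case that leaves it empty now feeds `aa.ParseRules("")` instead of the profile. `parse` begins and ends outside the hunk, so the remaining cases are not visible here.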
From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:04:15 +0200 Subject: [PATCH 004/184] feat(tunable): add pp tunable, improve dbus tunables. --- apparmor.d/tunables/multiarch.d/profiles | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 6868ae87a..d4fefb0b0 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -16,8 +16,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}={dbus-system,dbus-system//&unconfined} -@{p_dbus_session}={dbus-session,dbus-session//&unconfined} +@{p_dbus_system}={dbus-system,unconfined} +@{p_dbus_session}={dbus-session,unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system @@ -68,5 +68,12 @@ @{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal +# Profiles Patterns +# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution + +# Notification +@{pp_notification}={plasmashell,gjs-console} +@{pp_app_indicator}={plasmashell,gnome-shell} +@{pp_dbusmenu}={plasmashell,nautilus} # vim:syntax=apparmor From 1d51b1436da8c64232cebe31317bdbebc870bded Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:08:52 +0200 Subject: [PATCH 005/184] Small documentation improvements --- docs/development/workflow.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 786d77c93..7cc7c5616 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -36,7 +36,7 @@ title: Workflow Here is the bare minimum for the program `foo`: ``` sh # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 You +# Copyright (C) 2025 You # SPDX-License-Identifier: GPL-2.0-only abi , 
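Review bot: `@{p_dbus_system}={dbus-system,unconfined}` and `@{p_dbus_session}={dbus-session,unconfined}` in the first hunk widen every rule written as `peer=(label=@{p_dbus_system})` to accept any unconfined peer, since `unconfined` is the label of every unconfined process, whereas the previous stacked form `dbus-system//&unconfined` matched only the daemon itself. If this is required by the `#aa:only apparmor4.1` case (a bus daemon the 4.1 policy leaves unconfined), a one-line comment above the block stating that would make the broadening visible to anyone auditing the dbus rules; if not, the stacked label is the tighter choice.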
@@ -130,7 +130,7 @@ For this individual profile installation to work, the full package needs to be i To discover the access needed by a program, you can use the following tools: -1. Star the program in *complain* mode, let it initialize itself, then close it. +1. Start the program in *complain* mode, let it initialize itself, then close it. 1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: - Convert the logs to AppArmor rules. From 98034784e92400fd2241094f5ca8d85104f8b2f7 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:02:10 +0200 Subject: [PATCH 006/184] Add cider profile --- apparmor.d/profiles-a-f/cider | 61 +++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cider diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider new file mode 100644 index 000000000..f534a0034 --- /dev/null +++ b/apparmor.d/profiles-a-f/cider 
@@ -0,0 +1,61 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{domain} = sh.cider.genten org.chromium.Chromium +@{lib_dirs} = @{lib}/cider + +@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +profile cider @{exec_path} { + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/chrome-sandbox rpx, + + @{bin}/xdg-settings rpx, + + owner @{user_config_dirs}/sh.cider.genten/ rw, + owner @{user_config_dirs}/sh.cider.genten/** rwk, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, + + /usr/share/xkeyboard-config-2/** r, + + include if exists +} + +# vim:syntax=apparmor From f5970fcc6741419ea96ef5c9c36a321da532e127 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:12:18 +0200 Subject: [PATCH 007/184] Remove tabs --- apparmor.d/profiles-a-f/cider | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index f534a0034..71b27bce5 100644 --- a/apparmor.d/profiles-a-f/cider 
+++ b/apparmor.d/profiles-a-f/cider @@ -42,11 +42,11 @@ profile cider @{exec_path} { owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, From eedbc2223c1bc84e2e12deb2fd1e041422c5994d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:52:00 +0200 Subject: [PATCH 008/184] cider-review-fixes --- apparmor.d/profiles-a-f/cider | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 71b27bce5..2b203e989 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -6,10 +6,13 @@ abi , include +@{name} = {C,c}ider sh.cider.genten @{domain} = sh.cider.genten org.chromium.Chromium @{lib_dirs} = @{lib}/cider +@{cache_dirs} = @{user_cache_dirs}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} -@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} { include include @@ -18,8 +21,9 @@ profile cider @{exec_path} { include include include - include + include include + include network inet dgram, network inet6 dgram, 
@@ -32,15 +36,13 @@ profile cider @{exec_path} { @{lib_dirs}/ r, @{lib_dirs}/** r, @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/chrome-sandbox rpx, + @{lib_dirs}/chrome-sandbox rPx, - @{bin}/xdg-settings rpx, + @{bin}/xdg-settings rPx, owner @{user_config_dirs}/sh.cider.genten/ rw, owner @{user_config_dirs}/sh.cider.genten/** rwk, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, @{PROC}/ r, @{PROC}/@{pid}/stat r, @@ -53,8 +55,6 @@ profile cider @{exec_path} { owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/statm r, - /usr/share/xkeyboard-config-2/** r, - include if exists } From aec7d41a25647f9da3f0b13ddbe53d048bec3ee2 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:03:31 +0200 Subject: [PATCH 009/184] add profiles for wayland screen capture tools --- apparmor.d/profiles-g-l/grim | 21 +++++++++++++++++++++ apparmor.d/profiles-s-z/slurp | 23 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-g-l/grim create mode 100644 apparmor.d/profiles-s-z/slurp diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim new file mode 100644 index 000000000..0ded3d315 --- /dev/null +++ b/apparmor.d/profiles-g-l/grim @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/grim +profile grim @{exec_path} { + include + include + + @{exec_path} mr, + + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor 
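Review bot: The rewritten Widevine rule `.../_platform_specific/linux_@{arch}/libwidevinecdm.so mr` replaced a literal `linux_x64`, but Chromium's CDM component names that directory after its own platform string (`linux_x64`, `linux_arm64`) rather than the uname machine name, so unless `@{arch}` in the system tunable expands to `x64` this rule stops matching and the CDM load will be denied. The `owner @{user_config_dirs}/sh.cider.genten/` rules kept in this hunk also still hard-code the directory although the first hunk of this commit defines `@{config_dirs} = @{user_config_dirs}/@{name}`; `owner @{config_dirs}/{,**} rwk` would let the new variable carry the path (`@{cache_dirs}` likewise has no user in the visible hunks). Note that the `**` rule grants `w` on the same file that gets `m`, so the profile cannot stop the app from mapping code it wrote itself — inherent to the CDM updater, but worth a comment so it is not mistaken for an oversight.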
diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp new file mode 100644 index 000000000..8d5bcc217 --- /dev/null +++ b/apparmor.d/profiles-s-z/slurp @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/slurp +profile slurp @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + +# often used in combination with grim screen cature tool + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 06f1c0538e9bca4ac1af6862c4553931b33ad108 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:15:04 +0200 Subject: [PATCH 010/184] remove whitespace --- apparmor.d/profiles-s-z/slurp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index 8d5bcc217..c4250275e 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,12 +9,12 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include - + @{exec_path} mr, /usr/share/icons/{,**} r, -# often used in combination with grim screen cature tool + # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, include if exists From 9a302147bd3b2d6f02d715bcaa0e645f1680295b Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:26:43 +0200 Subject: [PATCH 011/184] fix typo --- apparmor.d/profiles-g-l/grim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 0ded3d315..9f18db07b 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include - include + include @{exec_path} mr, From ec2c0b1c8e34273069a86caf5b7af3444d4a8e7c Mon Sep 17 00:00:00 2001 
From: valoq Date: Sun, 24 Aug 2025 17:32:04 +0200 Subject: [PATCH 012/184] add default path for plain use --- apparmor.d/profiles-g-l/grim | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9f18db07b..9e40a8aca 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -13,6 +13,10 @@ profile grim @{exec_path} { @{exec_path} mr, + owner @{user_config_dirs}/user-dirs.dirs r, + + owner @{HOME}/@{int8}_**_grim.png w, + owner /dev/shm/grim-@{rand6} rw, include if exists From 749ae318fca8bc9a8bed97bedeb883a326d95c13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:35:35 +0200 Subject: [PATCH 013/184] feat(profile): aa uses word8 as bug files. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index 1743fd9d0..1f8368045 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 7cb64af80..07706d052 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -45,7 +45,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.terminfo/@{int}/dumb r, owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 68729b7fe..7308a5ef0 100644 
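Review bot: The new default-output rule `owner @{HOME}/@{int8}_**_grim.png w` uses `**`, which also matches `/`, so it permits writes to nested paths of the form `@{HOME}/<8 digits>_<dir>/<anything>_grim.png`; grim's default file name (`%Y%m%d_%Hh%Mm%Ss_grim.png`) contains no separator, so `owner @{HOME}/@{int8}_*_grim.png w` is sufficient. The hunk also reads `user-dirs.dirs`, which grim consults to use `XDG_PICTURES_DIR` as the default directory when one is set, so the write rule likely needs a companion `owner @{user_pictures_dirs}/@{int8}_*_grim.png w` — verify with a run where a Pictures directory is configured.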
--- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, From cf96e7b1d0d37d050fba5a0e758190dc2059443f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:39:28 +0200 Subject: [PATCH 014/184] feat(profile): smal snap improvements. --- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/snap/snap-update-ns | 5 +++++ apparmor.d/groups/snap/snapd | 7 ++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b7706ccf4..b34d18c00 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -294,7 +294,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 157651ac3..98ee0e5e7 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -40,11 +40,16 @@ profile snap-update-ns @{exec_path} { / r, /tmp/ r, + @{lib}/ r, /usr/ r, /usr/local/ r, /usr/local/share/ r, /usr/local/share/doc/ rw, /usr/local/share/fonts/ rw, + /usr/share/ r, + /usr/share/drirc.d w, + /usr/share/X11/ r, + /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, 
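Review bot: `/usr/share/drirc.d w` and `/usr/share/X11/XErrorDB w` grant create/truncate/write on two system files to snap-update-ns without saying why; presumably they are mount-point targets created for a snap layout, but as written they let the helper overwrite files that every GL and X11 client reads. If they are only placeholders for bind mounts, a short comment to that effect (and a reference to the mount rules that cover the targets, if the profile has them) would keep the next reviewer from tightening them away; the existing `/usr/local/share/{doc,fonts}/ rw` entries in the same hunk follow the same pattern, so one comment could cover all of them.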
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 7e2c288b6..06de56063 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -99,7 +99,8 @@ profile snapd @{exec_path} { /usr/share/bash-completion/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**/} r, + /usr/share/polkit-1/actions/{,**} r, + /usr/share/polkit-1/actions/snap.*.policy r, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -147,6 +148,7 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, @@ -227,6 +229,9 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, + @{bin}/tar ix, + + owner @{HOME}/snap/*/common/.cache/{,**} r, include if exists } From 81d020173d4f0336a95cc6562c161336685abb51 Mon Sep 17 00:00:00 2001 
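Review bot: `owner @{HOME}/snap/*/common/.cache/{,**} r` in the last hunk is unlikely to match in practice: snapd runs as root, so `owner` restricts the rule to root-owned files, while a user's `~/snap/*/common/.cache` is owned by that user. If the denial came from snapd reading users' snap caches, the rule needs `owner` dropped (and scoped to the paths actually touched); if it was root's own `~/snap`, a comment saying so would explain the qualifier. Separately, `@{bin}/tar ix` runs tar with the full snapd profile; if tar is used on archive content that does not come from the store, a `Cx` child limited to the extraction paths would contain a malformed archive far better than inheritance.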
From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:09:09 +0200 Subject: [PATCH 015/184] feat(profile): general update. --- apparmor.d/groups/bus/dbus-accessibility | 6 +++--- apparmor.d/groups/children/child-open-strict | 2 ++ apparmor.d/groups/gnome/gnome-software | 7 ++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/papers | 4 +++- apparmor.d/groups/gpg/gpg | 3 ++- apparmor.d/groups/pacman/paccache | 3 +++ apparmor.d/groups/pacman/pacman-hook-code | 1 + .../systemd-generator-user-autostart | 3 +-- apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/usb/lsusb | 1 + apparmor.d/groups/utils/dmesg | 1 + apparmor.d/groups/utils/lsblk | 1 + apparmor.d/groups/virt/cockpit-bridge | 5 +++++ apparmor.d/groups/virt/cockpit-session | 4 +++- apparmor.d/groups/virt/libvirt-dbus | 5 +++++ apparmor.d/groups/virt/libvirtd | 7 +++++++ apparmor.d/profiles-a-f/borg | 1 + apparmor.d/profiles-a-f/btop | 2 +- apparmor.d/profiles-a-f/console-setup | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 6 +++--- apparmor.d/profiles-g-l/gitstatusd | 4 ++-- apparmor.d/profiles-g-l/homebank | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-g-l/linux-check-removal | 2 ++ apparmor.d/profiles-g-l/lsb-release | 14 ++++++++++---- apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mdadm | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 1 + apparmor.d/profiles-s-z/spotify | 4 ++++ apparmor.d/profiles-s-z/syncthing | 5 +---- apparmor.d/profiles-s-z/tomb | 4 +++- apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/virt-manager | 1 - apparmor.d/profiles-s-z/wemeet | 2 +- apparmor.d/profiles-s-z/which | 1 + 40 files changed, 89 insertions(+), 31 deletions(-) 
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index f876d1210..a8c13b3fd 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include include network inet dgram, @@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 7faf52185..4296f03af 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { @{browsers_path} Px, @{file_explorers_path} Px, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + include if exists include if exists } diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71141595b..f3845daef 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
@@ -33,7 +33,12 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 398b2b679..cabcca062 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -27,6 +27,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=loupe//bwrap, + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" dbus send bus=system path=/org/freedesktop/hostname1 diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5ad6bb7b5..d8e7c3341 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -35,6 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 9a22e3de8..0318c7265 100644 
--- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/papers -profile papers @{exec_path} { +profile papers @{exec_path} flags=(attach_disconnected) { include include include @@ -16,6 +16,8 @@ profile papers @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b65823520..40c23b660 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,7 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, @@ -39,6 +39,7 @@ profile gpg @{exec_path} { /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8331951e7..d68c0b832 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index ee23781f4..3e916efe3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code 
@@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} { @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index 8e3ebb6b3..ff4c74664 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -10,14 +10,13 @@ include profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include + include include capability net_admin, @{exec_path} mr, - @{system_share_dirs}/applications/*.desktop r, - @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index d7c61e336..a55bf752d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 62bada2a8..640e48f3f 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, @{att}/@{run}/systemd/notify w, 
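Review bot: `@{sh_path} mr` added to systemd-sleep gives map/read access to the shells but no execute permission, and it is not needed for the `rPx` hooks listed below it either: when a hook script's shebang is `sh`, the interpreter exec is mediated in the hook's own profile after the transition, so the rule would belong there. If systemd-sleep itself really runs a shell, this should instead be `@{sh_path} rix` with the scripts it runs covered explicitly; the log line that motivated the addition would settle which case applies and is worth citing in a comment.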
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 440ef4117..af91c7eaa 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -64,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rw, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index b5a24940d..a10659292 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -14,6 +14,7 @@ profile lsusb @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 14ace0dea..2976d1316 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 7559e4e48..6fc1d5bb2 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index bf3d48204..d8c71803d 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} { include include include + include + include include + include include include 
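Review bot: `capability sys_admin` added to lsusb here, and to dmesg in the following hunk, grants the broadest capability in the kernel to two read-only diagnostic tools. Denials for sys_admin are frequently probes that fall back cleanly (an ioctl or sysctl check attempted before a less privileged path), and this project's usual answer for those is a `deny capability sys_admin,` with a comment naming the source rather than an allow. If either tool genuinely fails without it, a comment stating the operation that needs it (and, for dmesg, why `syslog` is not enough) would justify keeping the allow; otherwise both should become deny rules.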
@@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 3fbefadb7..ba51fc8a5 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,6 +10,7 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -28,7 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index f3bbaf019..971cdf55e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{sbin}/libvirtd rPx, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 44d6962f5..f10da1798 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
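Review bot: `@{bin}/ssh-add rix` runs ssh-add inside cockpit-session's profile, which carries `attach_disconnected` and the session's full rule set, while the sibling `@{bin}/ssh-agent rPx` one line above transitions to a dedicated profile. If the project ships an ssh-add profile, `@{bin}/ssh-add rPx` would be the consistent choice and would keep private-key reads under a profile written for them; if it does not, a short comment on why inheritance is acceptable here would help.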
@@ -92,6 +92,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 6d2683ade..544be3be0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -33,6 +33,7 @@ profile borg @{exec_path} { @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 4910629ce..bac8aea75 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -48,7 +48,7 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 7a11e407f..aa0a56648 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -13,7 +13,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/mkdir rix, @{run}/console-setup/ rw, 
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 87c2bbaba..2e7723995 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -13,16 +13,16 @@ include @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 579536674..aabde9cef 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} { include signal receive set=term peer=*//shell, - signal receive set=term peer=vscode, + signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index cb459919f..7fbe74040 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} { +profile homebank @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 2370271ec..47cbb22a2 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo 
@@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 0a9e6dfc2..dfb9361f3 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -27,6 +27,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -107,6 +108,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 04d2f0330..f2895299f 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -16,6 +16,8 @@ profile linux-check-removal @{exec_path} { @{bin}/stty rix, + /etc/shadow r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index d2d52d362..5214632dc 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -30,10 +30,16 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { #aa:only apt @{bin}/dpkg-query px, - /etc/ r, - /etc/*-release r, - /etc/lsb-release r, - /etc/lsb-release.d/{,*} r, + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } 
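Review bot: `/etc/shadow r,` in linux-check-removal grants read access to the system's password hashes with no comment saying why a kernel-removal check needs it. If the access is only a denial inherited from the caller's open descriptors rather than something the script reads, the `# file_inherit` + `deny` form used by lsb-release in the next hunk on this line (and by lsblk earlier in this patch) is the safer answer, since it keeps the audit log quiet without granting the read. If the script genuinely reads the file, a comment such as `# read by <library/call that triggered the denial>` above the rule is the minimum so the grant is not carried forward unquestioned.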
diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index cae5c1c3d..136536764 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -68,6 +68,7 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 15adcb9e6..4cc5fc9fb 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} { +profile mdadm @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ca9680aea..a9bd819e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -33,6 +33,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { /etc/lsb-release r, /etc/machine-id r, + /etc/os-release r, owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f245e4312..ed1ccfe1c 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -57,6 +57,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, 
@@ -70,6 +72,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 83e1b2f45..d504b0c15 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -11,6 +11,7 @@ include profile syncthing @{exec_path} { include include + include include include include @@ -26,10 +27,6 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - @{HOME}/ r, @{HOME}/** rwk, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 9b0912bd9..df4258b8c 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,6 +21,7 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @@ -43,11 +44,11 @@ profile tomb @{exec_path} { @{bin}/findmnt rix, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -64,6 +65,7 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, + @{sbin}/losetup rix, @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 76ec27b68..9c686b19d 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id 
@@ -16,6 +16,7 @@ profile udev-fido_id @{exec_path} { /etc/udev/udev.conf r, @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index aed85abe3..8a1b5f355 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -51,7 +51,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 3606533d7..0b83e44c8 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -13,10 +13,10 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index df049741f..c4de427ff 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -33,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists From 4db65834a402444b18a10fc7e43b879dc79f5ff5 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:15:42 +0200 Subject: [PATCH 016/184] feat(abs): glibc: restrict auxv maps and statux to owner. --- apparmor.d/abstractions/glibc | 12 +++++++++--- apparmor.d/groups/apt/apt-overlay | 1 - apparmor.d/groups/polkit/polkitd | 3 ++- apparmor.d/groups/procps/ps | 1 + apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-m-r/mdevctl | 2 -- apparmor.d/profiles-s-z/syncoid | 2 -- 8 files changed, 14 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index aa6e14416..8536470bd 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -22,9 +22,15 @@ @{PROC}/stat r, # Glibc's *printf protections read the maps file - @{PROC}/@{pid}/auxv r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/status r, + owner @{PROC}/@{pid}/auxv r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/status r, + + # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, + # but in a format that is simpler to manage, because it doesn't require to + # parse the text data inside a file, but just reading the contents of + # a directory. + owner @{PROC}/@{pid}/map_files/ r, # Glibc statvfs @{PROC}/filesystems r, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 4ba9e57d7..7f59635eb 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, - owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index c2de7f8b6..fa00311cd 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd 
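Review bot: The removal of `owner @{PROC}/@{pids}/maps r,` from apt-overlay (and from mdevctl and syncoid two lines down) relies on the glibc abstraction's new `owner @{PROC}/@{pid}/maps r,`, which is narrower: `@{pid}` matches only the process's own pid, `@{pids}` any pid. If any of those profiles read the maps of another process they own, this commit turns that into a denial, so the original audit lines are worth rechecking before the rules go. The new abstraction comment also reads `contains the same info than`; `contains the same info as` is the intended wording.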
@@ -65,8 +65,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 1d9ae50cb..7663cbf5d 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index ad3d96990..2765d8f10 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index f10da1798..2b0530ef5 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -284,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - owner @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, /dev/net/tun rw, diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 906dcf512..408947c83 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl 
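Review bot: Dropping `owner` from `@{PROC}/@{pids}/status r,` in libvirtd widens the read to every process on the system, the one change in this commit that goes in the opposite direction from its subject. Presumably libvirtd has to inspect helper or VM processes running under other uids; a why-comment stating that, e.g. `# Non-owned helper/VM processes (confirm against the denial)`, would keep the rule from being re-tightened by a later owner sweep. The polkitd hunk above makes the same kind of widening (`@{pid}` to `@{pids}` on `fdinfo`) and would benefit from the same note.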
@@ -19,8 +19,6 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index e275fb764..fc30c5fd6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - @{PROC}/@{pids}/maps r, - include if exists } From 544204e511ce6938fb2da2b9f01d28fd3ce34338 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:22:22 +0200 Subject: [PATCH 017/184] feat(abs): add the user-dirs abstraction. --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/user-dirs | 14 ++++++++++++++ .../groups/freedesktop/xdg-user-dirs-gtk-update | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-update | 4 +--- apparmor.d/groups/systemd/systemd-path | 3 +-- apparmor.d/profiles-g-l/grim | 3 +-- apparmor.d/profiles-s-z/spice-vdagent | 8 ++++---- 9 files changed, 25 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/abstractions/user-dirs diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 4a32a1aa7..1bb4c20ea 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -17,6 +17,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 445c62e6b..72d09126e 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 5fbdd7869..02a0bc9c5 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
@@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs new file mode 100644 index 000000000..189f8eb38 --- /dev/null +++ b/apparmor.d/abstractions/user-dirs @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + + owner @{user_config_dirs}/user-dirs.dirs r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index b2ae65450..cf488af63 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -14,13 +14,13 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include + include @{exec_path} mr, @{bin}/xdg-user-dirs-update Px, owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, owner @{tmp}/dirs-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 7177703a9..09c66d6ac 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -9,13 +9,11 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include + include include @{exec_path} mr, - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 747527776..0d061d845 100644 --- a/apparmor.d/groups/systemd/systemd-path 
+++ b/apparmor.d/groups/systemd/systemd-path @@ -10,11 +10,10 @@ include profile systemd-path @{exec_path} { include include + include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - include if exists } diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9e40a8aca..5717837ec 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include + include include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - owner @{HOME}/@{int8}_**_grim.png w, owner /dev/shm/grim-@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index c73f5f678..158ea6a7f 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,10 +19,12 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include + include + include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -38,7 +39,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, From e50e87bd618543d9a638b4512bf8d72b82eb9524 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:14 +0200 Subject: [PATCH 018/184] feat(abs): update base additions. --- apparmor.d/abstractions/base.d/complete | 28 +++++++++++++------------ 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ad3945eb9..d89688b70 100644 
--- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -8,20 +8,20 @@ signal receive peer=@{p_systemd_user}, # Allow to receive some signals from new well-known profiles - signal (receive) peer=btop, - signal (receive) peer=htop, - signal (receive) peer=pkill, - signal (receive) peer=sudo, - signal (receive) peer=top, - signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(hup term) peer=login, - signal (receive) set=(hup) peer=xinit, - signal (receive) set=(term,kill) peer=gnome-shell, - signal (receive) set=(term,kill) peer=gnome-system-monitor, - signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(term,kill) peer=su, + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=pkill, + signal receive peer=sudo, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(hup term) peer=login, + signal receive set=(hup) peer=xinit, + signal receive set=(term,kill) peer=gnome-shell, + signal receive set=(term,kill) peer=gnome-system-monitor, + signal receive set=(term,kill) peer=openbox, + signal receive set=(term,kill) peer=su, - ptrace (readby) peer=@{p_systemd_coredump}, + ptrace readby peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, @@ -30,4 +30,6 @@ @{PROC}/sys/kernel/core_pattern r, + /apparmor/.null rw, + # vim:syntax=apparmor From 5faca8461df97d62d065ca8a7430405621d39e54 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:59 +0200 Subject: [PATCH 019/184] feat(abs): remove user-dirs from recently-used abs. --- apparmor.d/abstractions/recently-used | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used index d3a7ec289..66a80867b 100644 --- a/apparmor.d/abstractions/recently-used +++ b/apparmor.d/abstractions/recently-used 
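Review bot: `/apparmor/.null rw,` is added to the base additions with no comment, and since this abstraction is pulled into every profile a reader has no way to tell what the path is for. It appears to be the securityfs null file AppArmor substitutes for inherited descriptors the target profile may not access, in which case a comment such as `# Allow access to the securityfs null file used to replace inaccessible inherited fds` belongs above it; if it answers a different denial, the comment should say that instead.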
@@ -14,8 +14,6 @@ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, owner @{user_share_dirs}/recently-used.xbel.lock rwk, - owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? - include if exists # vim:syntax=apparmor From c9813dc34f241e392d055234d754b76a0e803102 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:26:17 +0200 Subject: [PATCH 020/184] feat(abs): improve dbus rules in open & common gnome abs. --- apparmor.d/abstractions/app/open | 3 ++- apparmor.d/abstractions/common/gnome | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 243d18261..3d91de235 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,6 +7,8 @@ abi , + include + include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -30,7 +32,6 @@ include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 056f6581b..f0dd20f47 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -9,6 +9,8 @@ include include include + include + include include include include From 61d8cee932d7671302f786f8f7f2b84d0d057bdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:27:58 +0200 Subject: [PATCH 021/184] feat(profile): ssh: cleanup. --- apparmor.d/groups/ssh/ssh-agent | 1 + apparmor.d/groups/ssh/ssh-keygen | 3 ++- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshfs | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index f6732b1cf..9fc2900b4 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent 
@@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index b55824e58..1b6dd5e98 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -18,7 +18,8 @@ profile ssh-keygen @{exec_path} { /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, owner /tmp/snapd@{int}/*_*{,.pub} w, owner /tmp/snapd@{int}/*.key{,.pub} w, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 63f2c1370..40cf0bca2 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -102,7 +102,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 12e7d8930..ee6a2f903 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -18,7 +18,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{MOUNTS}/*/, mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), @{exec_path} mr, From 5d1ef4087741d3acf84fe50b26c5669ade291f10 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:55:42 +0200 Subject: [PATCH 022/184] feat(profile): add some missing proc access. Due to recent changes in base-strict. --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/gnome/gdm-generate-config | 7 ++++--- apparmor.d/groups/procps/htop | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 0ec14bea0..f563712ca 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,6 +19,7 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 9d910cdd2..6e67866f5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,9 +42,10 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/stat r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index d59fde5e5..4937f6875 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -105,6 +105,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/oom_{,score_}adj r, From be0d481068929ddd1787bbf8cb16a9cf4619deed Mon Sep 17 00:00:00 2001 
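Review bot: The new rule in abstractions/app/pgrep uses `@{PROC}/@{pid}/status r,` (own pid only) while its neighbours and the parallel change in gdm-generate-config use `@{pids}`, so the two halves of this commit disagree on which processes' status may be read. If own status is all the abstraction needs, a comment saying so (`# own status only`) would stop the next reader from "fixing" it; otherwise `@{PROC}/@{pids}/status r,` matches the sibling rules.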
From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:56:41 +0200 Subject: [PATCH 023/184] feat(profile): remove common/systemd from systemd-detect-virt. --- apparmor.d/groups/systemd/systemd-detect-virt | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 01e49025f..9b78b7c04 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,11 +11,10 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include - include - capability net_admin, + capability sys_ptrace, - network netlink raw, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @@ -32,7 +31,14 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, + @{sys}/hypervisor/type r, + @{PROC}/1/environ r, + @{PROC}/device-tree/ r, + @{PROC}/device-tree/compatible r, + @{PROC}/device-tree/hypervisor/compatible r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sysinfo r, @{PROC}/xen/capabilities r, /dev/cpu/@{int}/msr r, From 2bb42bfca21bf7b372fccdeb763c33ef0f8875b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:14:12 +0200 Subject: [PATCH 024/184] build: add support for apparmor 5.0 (current master branch) --- dists/overwrite | 3 +++ pkg/prebuild/prepare/configure.go | 35 ++++++++++++++++++++++++------- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index c8769ba54..16f8f4a19 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -38,3 +38,6 @@ openvpn remmina transmission wg-quick +systemd-detect-virt # Missing integration with @{p_systemd} +hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables + 
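Review bot: `capability sys_ptrace,` and `ptrace read peer=@{p_systemd},` replace the netlink rules without a comment tying them to the `@{PROC}/1/environ r,` read added in the second hunk, which is presumably what they exist for (reading another process's environ requires ptrace-read access to it). The ptrace rule is already well scoped, read only and a single peer, so what is missing is the why-comment, e.g. `# Reading @{PROC}/1/environ requires ptrace read on PID 1` above the ptrace rule. The dists/overwrite entry below records that the upstream profile lacks this integration, a useful cross-reference to keep.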
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index a6e954485..cf16f5b8e 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -23,6 +23,15 @@ func init() {
 })
 }
+func removeFiles(files []string) error {
+ for _, name := range files {
+ if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
 func (p Configure) Apply() ([]string, error) {
 res := []string{}
@@ -57,19 +66,31 @@ func (p Configure) Apply() ([]string, error) {
 }
- if prebuild.Version == 4.1 {
- // Remove files upstreamed in 4.1
+ if prebuild.Version >= 4.1 {
 remove := []string{
+ // Remove files upstreamed in 4.1
 "abstractions/devices-usb-read",
 "abstractions/devices-usb",
 "abstractions/nameservice-strict",
 "tunables/multiarch.d/base",
- "wg", // Upstream version is identical
+
+ // Direct upstream contributed profiles, similar to ours
+ "wg",
 }
- for _, name := range remove {
- if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil {
- return res, err
- }
+ if err := removeFiles(remove); err != nil {
+ return res, err
+ }
+ }
+ if prebuild.Version >= 5.0 {
+ remove := []string{
+ // Direct upstrem contributed profiles, similar to ours
+ "dig",
+ "free",
+ "nslookup",
+ "who",
+ }
+ if err := removeFiles(remove); err != nil {
+ return res, err
 }
 }
 return res, nil
From 57251820e1bafa211deef302d907a21213a1b523 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 29 Aug 2025 20:48:01 +0200
Subject: [PATCH 025/184] build: improve support for aa 5.0
---
 dists/overwrite | 5 +++--
 pkg/prebuild/prepare/configure.go | 10 ++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/dists/overwrite b/dists/overwrite
index 16f8f4a19..70ee1cc41 100644
--- a/dists/overwrite
+++ b/dists/overwrite
@@ -6,6 +6,7 @@ brave
 chrome
 chromium
+cockpit-desktop
 element-desktop
 epiphany
 firefox
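Review bot: `removeFiles` returns the bare error from `RemoveAll`, so a failure surfaces with no indication of which of the listed paths it came from. Wrapping it at the loop is enough: `return fmt.Errorf("removing %s: %w", name, err)` (`fmt` is already imported by this file, as the next commit's import hunk shows). A doc comment such as `// removeFiles deletes each path, relative to the apparmor.d root, stopping at the first error.` is also worth adding now that the helper is called from two places.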
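Review bot: `prebuild.Version >= 4.1` and `>= 5.0` compare the release as a number, which works for 4.1 and 5.0 but cannot distinguish a hypothetical 4.10 from 4.1, and `prebuild.Version`'s type is not visible in this hunk. If it is a float, a comment noting that limitation is the minimum; a (major, minor) comparison would be safer if more releases are expected. The comment on the 5.0 block also reads `upstrem`; `upstream`. Apply's closing brace appears to lie just outside the hunk.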
@@ -29,8 +30,8 @@ unix-chkpwd
 # Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while
 # They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones:
-# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile
-# - Drop ours: when upstream profiles is better
+# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile
+# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go)
 fusermount3
 lsblk
 lsusb
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index cf16f5b8e..9ca3b14d3 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -6,6 +6,7 @@ package prepare
 import (
 "fmt"
+ "strings"
 "github.com/roddhjav/apparmor.d/pkg/prebuild"
 )
@@ -92,6 +93,15 @@ func (p Configure) Apply() ([]string, error) {
 if err := removeFiles(remove); err != nil {
 return res, err
 }
+
+ // @{pci_bus} was upstreamed in 5.0
+ path := prebuild.RootApparmord.Join("tunables/multiarch.d/system")
+ out, err := path.ReadFileAsString()
+ if err != nil {
+ return res, err
+ }
+ out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "")
+ return res, path.WriteFile([]byte(out))
 }
 return res, nil
 }
From a3fde24b3deb9ecbd0ddebdf920315b24af46182 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 29 Aug 2025 23:58:39 +0200
Subject: [PATCH 026/184] feat: add aliases for all coreutils.
---
 apparmor.d/tunables/alias.d/coreutils | 112 ++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 apparmor.d/tunables/alias.d/coreutils
diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils
new file mode 100644
index 000000000..9fed4fefc
--- /dev/null
+++ b/apparmor.d/tunables/alias.d/coreutils
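Review bot: The rewritten comment in dists/overwrite still reads `They can be multiple justification ... or or the contrary`; since the line is being edited anyway, `# There can be multiple justifications for keeping our profiles here, or on the contrary using upstream ones:` fixes the grammar in the same change. The pointer to `pkg/prebuild/prepare/configure.go` on the "Drop ours" line is a good addition and should stay.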
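Review bot: `strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "")` silently does nothing if the tunable's spelling or spacing ever changes, which would leave the duplicate `@{pci_bus}` definition in place and surface only as a parser error later instead of a clear failure here. Checking presence first turns that into an immediate error naming the file, and `strings.Replace(…, 1)` documents that exactly one occurrence is expected (`fmt` is already imported). Apply's closing brace is the hunk's last line, so the early `return res, path.WriteFile(…)` inside the 5.0 block is fine for now but any step added after it later will be skipped on 5.0.
```go
// … unchanged: 5.0 removeFiles call …
// @{pci_bus} was upstreamed in 5.0
const pciBus = "@{pci_bus}=pci@{hex4}:@{hex2}"
path := prebuild.RootApparmord.Join("tunables/multiarch.d/system")
out, err := path.ReadFileAsString()
if err != nil {
	return res, err
}
if !strings.Contains(out, pciBus) {
	return res, fmt.Errorf("tunables/multiarch.d/system: expected tunable %q not found", pciBus)
}
out = strings.Replace(out, pciBus, "", 1)
return res, path.WriteFile([]byte(out))
```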
@@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has +# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we +# provide aliases for all the coreutils names to their gnu* counterpart. + + alias /{,usr/}bin/dd -> /usr/bin/gnudd, + alias /{,usr/}bin/tee -> /usr/bin/gnutee, + alias /{,usr/}bin/paste -> /usr/bin/gnupaste, + alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, + alias /{,usr/}bin/env -> /usr/bin/gnuenv, + alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, + alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, + alias /{,usr/}bin/shred -> /usr/bin/gnushred, + alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, + alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, + alias /{,usr/}bin/stty -> /usr/bin/gnustty, + alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, + alias /{,usr/}bin/pr -> /usr/bin/gnupr, + alias /{,usr/}bin/nice -> /usr/bin/gnunice, + alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, + alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, + alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, + alias /{,usr/}bin/logname -> /usr/bin/gnulogname, + alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, + alias /{,usr/}bin/chown -> /usr/bin/gnuchown, + alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, + alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, + alias /{,usr/}bin/true -> /usr/bin/gnutrue, + alias /{,usr/}bin/groups -> /usr/bin/gnugroups, + alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, + alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, + alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, + alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, + alias /{,usr/}bin/rm -> /usr/bin/gnurm, + alias /{,usr/}bin/cat -> /usr/bin/gnucat, + alias /{,usr/}bin/tac -> /usr/bin/gnutac, + alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, + alias /{,usr/}bin/seq -> /usr/bin/gnuseq, + alias /{,usr/}bin/cut -> 
/usr/bin/gnucut, + alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, + alias /{,usr/}bin/split -> /usr/bin/gnusplit, + alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, + alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, + alias /{,usr/}bin/who -> /usr/bin/gnuwho, + alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, + alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, + alias /{,usr/}bin/ls -> /usr/bin/gnuls, + alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, + alias /{,usr/}bin/arch -> /usr/bin/gnuarch, + alias /{,usr/}bin/head -> /usr/bin/gnuhead, + alias /{,usr/}bin/date -> /usr/bin/gnudate, + alias /{,usr/}bin/wc -> /usr/bin/gnuwc, + alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, + alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, + alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, + alias /{,usr/}bin/du -> /usr/bin/gnudu, + alias /{,usr/}bin/cp -> /usr/bin/gnucp, + alias /{,usr/}bin/tty -> /usr/bin/gnutty, + alias /{,usr/}bin/sync -> /usr/bin/gnusync, + alias /{,usr/}bin/fold -> /usr/bin/gnufold, + alias /{,usr/}bin/users -> /usr/bin/gnuusers, + alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, + alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, + alias /{,usr/}bin/sort -> /usr/bin/gnusort, + alias /{,usr/}bin/[ -> /usr/bin/gnu[, + alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, + alias /{,usr/}bin/od -> /usr/bin/gnuod, + alias /{,usr/}bin/tr -> /usr/bin/gnutr, + alias /{,usr/}bin/join -> /usr/bin/gnujoin, + alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, + alias /{,usr/}bin/false -> /usr/bin/gnufalse, + alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, + alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, + alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, + alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, + alias /{,usr/}bin/factor -> /usr/bin/gnufactor, + alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, + alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, + alias /{,usr/}bin/basename -> /usr/bin/gnubasename, + alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, + alias /{,usr/}bin/sha1sum -> 
/usr/bin/gnusha1sum, + alias /{,usr/}bin/ln -> /usr/bin/gnuln, + alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, + alias /{,usr/}bin/echo -> /usr/bin/gnuecho, + alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, + alias /{,usr/}bin/dir -> /usr/bin/gnudir, + alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, + alias /{,usr/}bin/touch -> /usr/bin/gnutouch, + alias /{,usr/}bin/mv -> /usr/bin/gnumv, + alias /{,usr/}bin/sum -> /usr/bin/gnusum, + alias /{,usr/}bin/stat -> /usr/bin/gnustat, + alias /{,usr/}bin/yes -> /usr/bin/gnuyes, + alias /{,usr/}bin/install -> /usr/bin/gnuinstall, + alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, + alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, + alias /{,usr/}bin/tail -> /usr/bin/gnutail, + alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, + alias /{,usr/}bin/comm -> /usr/bin/gnucomm, + alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, + alias /{,usr/}bin/uname -> /usr/bin/gnuuname, + alias /{,usr/}bin/test -> /usr/bin/gnutest, + alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, + alias /{,usr/}bin/link -> /usr/bin/gnulink, + alias /{,usr/}bin/df -> /usr/bin/gnudf, + alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, + alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, + alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, + alias /{,usr/}bin/id -> /usr/bin/gnuid, + alias /{,usr/}bin/nl -> /usr/bin/gnunl, From 2bae05d30940d14ad09a86c5b666257e43c17058 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:05:19 +0200 Subject: [PATCH 027/184] feat(abs): add varianttable to apt common. --- apparmor.d/abstractions/common/apt | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 5dd8b26bc..a267fd909 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -7,6 +7,7 @@ /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, 
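Review bot: The 104 alias lines are in no discernible order, which makes it hard to verify that every coreutils binary is covered or to spot a duplicate the next time the list is touched; sorting them alphabetically costs nothing and turns the audit into a side-by-side with `dpkg -L coreutils`. One entry deserves a closer look: `alias /{,usr/}bin/[ -> /usr/bin/gnu[,` uses `[`, which opens a character class in AppArmor path globbing, so confirm apparmor_parser accepts it unescaped (otherwise write `\[`). The header comment explains the gnu* move but not what happens to the classic names: if `/usr/bin/cat` and friends now resolve to the Rust utilities, existing rules on those paths confine a different binary than before and, should that be a multi-call binary reached through symlinks, may not match at all — worth a sentence such as `# Note: this only keeps the GNU binaries covered; the Rust replacements behind the classic names need their own handling.`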
From 1122f28cacf84e4cfea8796d73d90a0a37b7fb6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:46:40 +0200 Subject: [PATCH 028/184] tests(packer): cleanup package install process. - apparmor restart is handled by the package - it is a dev version, so it could fail. --- tests/packer/init.sh | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index bf75c0e1e..630da6b0f 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -27,27 +27,21 @@ main() { case "$DISTRIBUTION" in arch) rm -f $SRC/*.sig # Ignore signature files - pacman --noconfirm -U $SRC/*.pkg.tar.zst + rm -f $SRC/*enforced* # Ignore enforced package + pacman --noconfirm -U $SRC/*.pkg.tar.zst || true ;; debian | ubuntu) - apt install -y apparmor-profiles + apt-get install -y apparmor-profiles dpkg -i $SRC/*.deb || true ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - rpm -i $SRC/*.rpm + rpm -i $SRC/*.rpm || true ;; esac - - verb="start" - rm -rf /var/cache/apparmor/* || true - if systemctl is-active -q apparmor; then - verb="reload" - fi - systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" From 94f01c68f696fd858ec65195113cad95f8d514fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:48:11 +0200 Subject: [PATCH 029/184] feat(tunable): update home dir for gdm & add desktop_state_dirs. --- apparmor.d/tunables/multiarch.d/system-users | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 885913da3..73a3267a0 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users 
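Review bot: Appending `|| true` to `pacman -U` and `rpm -i` (and keeping it on `dpkg -i`) makes a failed install of the apparmor.d package indistinguishable from a successful one, so a test VM can come up with no apparmor.d profiles at all and the rest of the suite exercises an unconfined system without anyone noticing. Since the intent is only that a dev package may legitimately fail, keep the tolerance but make it visible, e.g. `pacman --noconfirm -U $SRC/*.pkg.tar.zst || echo 'WARNING: apparmor.d package failed to install' >&2` (likewise for the rpm and dpkg lines), or write a marker file the tests can check before trusting their results. `main()` starts above this hunk.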
@@ -5,11 +5,12 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -17,6 +18,7 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ +@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ @@ -31,5 +33,6 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} +@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor From b5020eac891099c023aad7e3b51375fbe663e0ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:22:01 +0200 Subject: [PATCH 030/184] tests(packer): remobe sudo alias --- tests/packer/src/.bash_aliases | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 27e05bf80..2580556fd 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,7 +8,6 @@ for nb in $(seq "$1"); do done } -alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear' From 0ada92da328c830fddf1550352c02405d89f9ef8 Mon Sep 17 00:00:00 2001 
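Review bot: The new `@{desktop_state_dirs}` line references `@{lightdm_state_dirs}`, but this commit only defines `@{gdm_state_dirs}` and `@{sddm_state_dirs}`; unless `@{lightdm_state_dirs}` already exists in the unchanged LIGHTDM section (the lines between the second and third hunk are not in this diff), the tunable expands an undefined variable and apparmor_parser will reject every profile that includes this file. Either add `@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/` after `@{lightdm_share_dirs}` to mirror the other two display managers, or drop the reference until it exists.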
From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:35:04 +0200 Subject: [PATCH 031/184] refractor(abs): gsettings -> gschemas. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/{gsettings => gschemas} | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/abstractions/{gsettings => gschemas} (88%) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 1bb4c20ea..3bfbcc887 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -11,7 +11,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 72d09126e..4d2d390ee 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gschemas similarity index 88% rename from apparmor.d/abstractions/gsettings rename to apparmor.d/abstractions/gschemas index 4d22f080b..21a4d860c 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gschemas @@ -9,6 +9,6 @@ @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 02a0bc9c5..a06a29da4 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index a8c13b3fd..c254fcd2d 100644 
--- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -15,7 +15,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include network inet dgram, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index cf497e39f..982afd90d 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -13,7 +13,7 @@ profile ptyxis-agent @{exec_path} { include include include - include + include include signal send set=hup peer=unconfined, From d6ddbf104cdfc07615b8f32c306d9db766a9ce77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:56:05 +0200 Subject: [PATCH 032/184] refractor(profile): always use the gschemas abstraction. --- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/freedesktop/geoclue | 5 ++--- apparmor.d/groups/gnome/chrome-gnome-shell | 3 +-- apparmor.d/groups/gnome/deja-dup-monitor | 3 +-- apparmor.d/groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 3 +-- apparmor.d/groups/gnome/evolution-source-registry | 3 +-- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gnome-browser-connector-host | 3 +-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 -- apparmor.d/groups/gnome/gsd-a11y-settings | 4 ++-- apparmor.d/groups/gnome/gsd-datetime | 4 ++-- apparmor.d/groups/gnome/gsd-sharing | 4 ++-- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gnome/gsd-usb-protection | 3 +-- apparmor.d/groups/gnome/session-migration | 4 ++-- apparmor.d/groups/gvfs/gvfsd-network | 3 +-- apparmor.d/groups/gvfs/gvfsd-smb-browse | 3 +-- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/profiles-g-l/gsettings | 3 ++- apparmor.d/profiles-m-r/mission-control | 2 +- 22 files changed, 26 insertions(+), 37 deletions(-) 
diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index d110fb83b..df17e0d9f 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,6 +10,7 @@ include profile xdm-xsession @{exec_path} { include include + include include include include @@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 6332f49e2..fbc7a7582 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include - include include include include include include + include + include include include include @@ -29,8 +30,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 8c6372ba5..944d5e1d5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,6 +10,7 @@ include profile chrome-gnome-shell @{exec_path} { include include + include include include include @@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index ac5d6af81..fcafbda5f 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor 
@@ -17,6 +17,7 @@ profile deja-dup-monitor @{exec_path} { include include include + include network netlink raw, @@ -44,8 +45,6 @@ profile deja-dup-monitor @{exec_path} { @{bin}/ionice rix, @{bin}/deja-dup Px, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /var/tmp/ r, /tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index c9a9d72c9..b56af123d 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -15,6 +15,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include + include include include include @@ -63,7 +64,6 @@ profile evolution-addressbook-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index fba734ad4..3d1d00f28 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -14,6 +14,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include @@ -65,8 +66,6 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index a5a1bd414..299d0738b 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -13,6 +13,7 @@ profile evolution-source-registry @{exec_path} { include include include + include include include include 
@@ -47,8 +48,6 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c..2882c3d9e 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} { include include include + include include include @@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 95af09ed6..e95762b6a 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -11,6 +11,7 @@ profile gnome-browser-connector-host @{exec_path} { include include include + include @{exec_path} mr, @@ -19,8 +20,6 @@ profile gnome-browser-connector-host @{exec_path} { @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 2f3e51670..6ddbd4b4c 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -35,8 +35,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/sysconfig/clock r, /etc/timezone r, 
diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 5f05c21da..34ce2884d 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0190ad9b3..af1784e68 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 45b3ea1b9..7b47b0676 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, 
@@ -34,7 +35,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index bdacbfd00..98ce848ba 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 871203e6c..2b64ddf06 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include + include signal receive set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 2359c9f39..3bfffdb6a 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection 
@@ -11,13 +11,12 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - include if exists } diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index aeb46f6c0..b31532cae 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include include + include + include include @{exec_path} mr, @@ -21,7 +22,6 @@ profile session-migration @{exec_path} { @{bin}/gsettings rPx, /usr/share/session-migration/scripts/* rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, owner @{gdm_share_dirs}/ w, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 1af0a2b37..46f543fa4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -14,6 +14,7 @@ profile gvfsd-network @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -44,8 +45,6 @@ profile gvfsd-network @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 59d778133..a90cddc50 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -13,6 +13,7 @@ profile gvfsd-smb-browse @{exec_path} { include include include + include include network netlink raw, @@ -35,8 +36,6 @@ profile gvfsd-smb-browse @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/samba/* r, /var/cache/samba/ rw, 
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 271ff23e4..3d2cbd63d 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -117,7 +117,6 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 849599977..2e0eb2cf7 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -9,9 +9,10 @@ include @{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} flags=(attach_disconnected) { include - include include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b8e79c0dc..bf6c55093 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include + include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, From 4f1fddd2fb38dfc5a36bdf0ef32cd815fd380cfb Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 30 Aug 2025 14:25:43 +0200 Subject: [PATCH 033/184] feat(profile): use natural transition instead of systemd drop in config when possible. As we can transition to the good profile naturally, do not use systemd for it. This bypass the apparmor error: `change_profile unprivileged unconfined converted to stacking`. Note: we cannot do the same for dbus-system and dbus-session are they have the same binary. --- systemd/default/user/at-spi-dbus-bus.service | 2 -- systemd/default/user/org.freedesktop.IBus.session.GNOME.service | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 systemd/default/user/at-spi-dbus-bus.service delete mode 100644 systemd/default/user/org.freedesktop.IBus.session.GNOME.service diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service deleted file mode 100644 index 9c1fad533..000000000 --- a/systemd/default/user/at-spi-dbus-bus.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service deleted file mode 100644 index 818d5cdf3..000000000 --- a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=ibus-daemon From f5e2572457acd411e3b0b7ec0f7725e4a64d0f99 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:37:47 +0200 Subject: [PATCH 034/184] feat(profile): cleanup usage of icons abs. --- apparmor.d/groups/freedesktop/xsetroot | 5 +---- apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/hyprland/hyprpaper | 3 +-- apparmor.d/groups/hyprland/hyprpicker | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 1 - apparmor.d/groups/kde/plasmashell | 3 --- apparmor.d/groups/lxqt/lxqt-runner | 1 - 9 files changed, 3 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index bc1291ef4..c0ddcb359 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include include capability dac_read_search, @@ -18,10 +19,6 @@ profile xsetroot @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, - - owner @{HOME}/.icons/** r, - owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1c35a8ec1..fde43420a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -88,7 +88,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, - /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b34d18c00..5eb78d8bb 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -187,7 +187,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /opt/**/share/icons/{,**} r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 3cb8dca92..6d0674d9f 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, - /usr/share/icons/** r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index a46d53f4c..7becc5fb6 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include + include @{exec_path} mr, @{bin}/wl-copy Px, - /usr/share/icons/** r, - owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, owner /dev/shm/@{uuid} r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 4b1e734ed..b70d50666 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,8 +24,6 @@ profile kaccess @{exec_path} { @{bin}/gsettings rPx, - /usr/share/icons/{,**} r, - /etc/machine-id r, owner @{user_config_dirs}/breezerc r, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index cf9646051..4560427ad 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,7 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/icons/breeze/index.theme r, /usr/share/mime/{,**} r, owner @{user_config_dirs}/#@{int} rw, 
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e767d7bb5..45f0d43e9 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -77,9 +77,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { #aa:exec kioworker - /opt/**/share/icons/{,**} r, - /opt/*/**/*.desktop r, - /opt/*/**/*.png r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 9477c1bda..5783c1fa0 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -14,7 +14,6 @@ profile lxqt-runner @{exec_path} { @{exec_path} mr, - /usr/share/icons/ r, /usr/share/desktop-directories/ r, /usr/share/desktop-directories/{,**} r, From ac6eac13334224bc5c0273fcef673e6bcbf41a1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:47:07 +0200 Subject: [PATCH 035/184] feat(profile): cleanup usage of mime abs. --- apparmor.d/groups/flatpak/flatpak-portal | 5 +---- apparmor.d/groups/flatpak/flatpak-system-helper | 2 +- apparmor.d/groups/freedesktop/colord | 4 +--- apparmor.d/groups/gnome/gnome-photos-thumbnailer | 3 +-- apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer | 3 +-- apparmor.d/groups/gvfs/gvfsd-admin | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 2 -- apparmor.d/groups/kde/startplasma | 2 -- apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/lxqt/startlxqt | 1 - apparmor.d/groups/virt/cni-calico | 3 +-- apparmor.d/groups/virt/k3s | 1 - apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/evince-thumbnailer | 2 +- apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-g-l/hugo | 2 +- apparmor.d/profiles-m-r/mimetype | 11 +---------- 18 files changed, 12 insertions(+), 40 deletions(-) 
diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index b86f0a4fd..fdbdb9189 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -32,11 +33,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, - /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner /att/**/ r, owner @{att}/.flatpak-info r, @@ -44,7 +42,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 1381a1483..0ca01d01d 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -11,6 +11,7 @@ profile flatpak-system-helper @{exec_path} { include include include + include include include include @@ -42,7 +43,6 @@ profile flatpak-system-helper @{exec_path} { /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, - /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 81d0c9f6b..b3cda6307 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, 
@@ -31,11 +32,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, - @{system_share_dirs}/mime/mime.cache r, - owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 0182e9dad..31d9b7987 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -9,12 +9,11 @@ include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include + include include @{exec_path} mr, - /usr/share/mime/mime.cache r, - owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 51d5b43cf..56e448fd8 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,11 +10,10 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, - @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index e1b16cac3..44248cbe3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include include capability chown, @@ -20,8 +21,6 @@ profile gvfsd-admin @{exec_path} { @{exec_path} mr, - /usr/share/mime/mime.cache r, - #aa:lint ignore=too-wide # Full access to system's data, but no write access to sensitive system directories / r, 
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index b70d50666..8258d1bde 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -29,8 +29,6 @@ profile kaccess @{exec_path} { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_share_dirs}/mime/generic-icons r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 4560427ad..571581059 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,8 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/mime/{,**} r, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 5db93719c..a8c8cbd13 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -48,8 +48,6 @@ profile startplasma @{exec_path} { /etc/xdg/plasma-workspace/env/{,*} r, /etc/xdg/plasmarc r, - /var/lib/flatpak/exports/share/mime/ r, - @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 3a4a6cd61..085b444b1 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -47,7 +47,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-user-dirs-update rPx, /usr/share/ r, - /usr/share/mime/ r, /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index a708e2336..3ae907116 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt 
@@ -31,7 +31,6 @@ profile startlxqt @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices5/{,**} r, - /usr/share/mime/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,**} r, diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index a6c9149d2..9015d2157 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include + include capability sys_admin, capability net_admin, @@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - /usr/share/mime/globs2 r, - @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 2142e28b9..59c4b9473 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -68,7 +68,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 2b0530ef5..23e8e20d1 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -23,6 +23,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -141,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 95fdba512..6fbabaf28 100644 
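Review bot: cni-calico receives the new include together with the removal of `/usr/share/mime/globs2 r,`, but the k3s hunk on this same line (`@@ -68,7 +68,6 @@`) drops the identical `globs2` rule without adding any include; Go's standard `mime` package reads `/usr/share/mime/globs2` on first use of `mime.TypeByExtension`, so unless an abstraction k3s already includes grants it, the profile will start logging denials there. The same pattern — a `/usr/share/mime` or `@{user_share_dirs}/mime` path removed with no include added in the hunk — appears in the preceding kaccess, kiod, startplasma, lxqt-session and startlxqt hunks. Worth confirming that each of those profiles reaches the mime abstraction through something it already includes; where it does not, add the include as done for cni-calico.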
--- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 58ba493cc..d7a72c236 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -17,6 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include include include @@ -57,7 +58,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, - /usr/share/mime/mime.cache r, /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, @@ -77,7 +77,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/} r, @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index ed62f48f1..fd9c3dfa0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include + include include include @@ -26,7 +27,6 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, - /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 91d021fae..1576050b5 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype 
@@ -11,22 +11,13 @@ include profile mimetype @{exec_path} { include include + include @{exec_path} r, - /usr/share/mime/**.xml r, - /usr/share/mime/globs r, - /usr/share/mime/aliases r, - /usr/share/mime/magic r, - # To read files owner /** r, #aa:lint ignore=too-wide - owner @{user_share_dirs}/mime/**.xml r, - owner @{user_share_dirs}/mime/globs r, - owner @{user_share_dirs}/mime/aliases r, - owner @{user_share_dirs}/mime/magic r, - include if exists } From 45faf0eee06759b5a9213f65f51519b377a2a1ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:57:09 +0200 Subject: [PATCH 036/184] fix(tunable): add missing lightdm_state_dirs tunable. --- apparmor.d/tunables/multiarch.d/system-users | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 73a3267a0..1513aae2f 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -26,6 +26,7 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ +@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} From a3426fef8cedc0a5b46a6184b2309d40598ecb30 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:23:48 +0200 Subject: [PATCH 037/184] feat: precise nvidia devices number. --- apparmor.d/abstractions/nvidia-strict | 2 +- apparmor.d/abstractions/nvidia.d/complete | 2 +- apparmor.d/groups/children/child-modprobe-nvidia | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index c3aa8e805..a7529eb9a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict 
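Review bot: The removal of the four `owner @{user_share_dirs}/mime/...` rules in mimetype is safe independently of the new include, because the context line `owner /** r, #aa:lint ignore=too-wide` already covers them. The system-side rules `/usr/share/mime/**.xml`, `globs`, `aliases` and `magic` now depend entirely on the added include, whose target is not visible in this rendering; this tool reads the `magic` and per-package `**.xml` sources directly rather than `mime.cache`, so confirm the abstraction grants those files and not only the compiled cache. A one-line comment after the include (`# mimetype reads magic and packages/*.xml directly, see abstraction`) would record that dependency.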
@@ -35,7 +35,7 @@ owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{int} w, # Nvidia graphics devices + /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset rw, /dev/nvidia@{int} rw, /dev/nvidiactl rw, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index ef9d0c40d..e00385efd 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{int} rw, # Nvidia graphics devices + /dev/char/195:@{u8} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 61191fe9d..8e991cee7 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -41,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{int} w, # Nvidia graphics devices + owner /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, From 9ee26050261c69e4f0654ec0e87e6d26d958b8e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:29:11 +0200 Subject: [PATCH 038/184] tests(packer): simplify pkg install script. --- tests/packer/init.sh | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 630da6b0f..44a86220f 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh 
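Review bot: The tightened rule `/dev/char/195:@{u8} w,` in nvidia-strict sits next to the context line `/dev/nvidia@{int} rw,`, which still uses `@{int}` although both describe the same devices — `/dev/nvidiaN` is character device 195:N, so its suffix is bounded by the same 0–255 range and `/dev/nvidia@{int} rw,` could become `/dev/nvidia@{u8} rw,` for consistency (the same applies wherever that rule appears in `nvidia.d/complete`, outside the hunk). This assumes `@{u8}` is a tunable matching 0–255; it is not defined in this patch series. The `owner /dev/char/@{dynamic}:@{int} w,` line in child-modprobe-nvidia is correctly left at `@{int}`, since dynamically assigned majors carry arbitrary minors.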
@@ -3,16 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eux +set -eux -o pipefail -_lsb_release() { - # shellcheck source=/dev/null - . /etc/os-release - echo "$ID" -} -DISTRIBUTION="$(_lsb_release)" +# shellcheck source=/dev/null +source /etc/os-release || exit 1 readonly SRC=/tmp/ -readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" @@ -24,7 +19,7 @@ main() { install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$DISTRIBUTION" in + case "$ID" in arch) rm -f $SRC/*.sig # Ignore signature files rm -f $SRC/*enforced* # Ignore enforced package @@ -32,8 +27,10 @@ main() { ;; debian | ubuntu) - apt-get install -y apparmor-profiles - dpkg -i $SRC/*.deb || true + # Do not install apparmor.d on the current development version + if [[ $VERSION_ID != "25.10" ]]; then + dpkg -i $SRC/*.deb || true + fi ;; opensuse*) From 9a4d878557b814fbeac1c3636b3cfb29550aa24a Mon Sep 17 00:00:00 2001 
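Review bot: `if [[ $VERSION_ID != "25.10" ]]; then` in the debian|ubuntu branch runs under `set -u` (the first hunk now has `set -eux -o pipefail`), and `/etc/os-release` on Debian testing/unstable does not define `VERSION_ID`, so on those images the script aborts with an unbound-variable error instead of skipping or installing the package; `if [[ ${VERSION_ID:-} != "25.10" ]]; then` keeps the intended behaviour on every distribution. The literal `25.10` also encodes "current development version" as a moving target; a named constant next to `readonly SRC=/tmp/` (constructed name, e.g. `readonly SKIP_VERSION_ID=25.10`) with the comment attached would make the next bump a one-line change. `main` starts in the first hunk and continues outside the hunks.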
From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:38:00 +0200 Subject: [PATCH 039/184] refractor(abs): add screensaver abs, move bus screensaver abs. --- apparmor.d/abstractions/app/chromium | 3 +-- .../abstractions/bus/org.gnome.ScreenSaver | 21 --------------- .../bus/session/org.freedesktop.ScreenSaver | 26 +++++++++++++++++++ .../org.gnome.ScreenSaver} | 12 +++++---- apparmor.d/abstractions/screensaver | 14 ++++++++++ apparmor.d/groups/gnome/gnome-session-binary | 4 +-- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/element-desktop | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-m-r/pinentry-gnome3 | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 15 files changed, 59 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.ScreenSaver create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver rename apparmor.d/abstractions/bus/{org.freedesktop.ScreenSaver => session/org.gnome.ScreenSaver} (51%) create mode 100644 apparmor.d/abstractions/screensaver diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 8f991c230..dad131d64 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,11 +26,9 @@ include include include - include include include include - include include include include @@ -40,6 +38,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver deleted file mode 100644 index 46d1a1006..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ /dev/null 
@@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name="@{busname}", label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver new file mode 100644 index 000000000..ee837b886 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/{,org/freedesktop/}ScreenSaver + interface=org.freedesktop.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + dbus receive bus=session path=/org/freedesktop/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + include if exists + +# vim:syntax=apparmor 
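Review bot: In the new `bus/session/org.freedesktop.ScreenSaver`, the `Inhibit`/`UnInhibit` send rule is restricted to `path=/ScreenSaver`, while the `GetActive,GetActiveTime,Lock,SetActive` rule and the receive rule accept `path=/{,org/freedesktop/}ScreenSaver`; the org.freedesktop.ScreenSaver object is typically exported at `/org/freedesktop/ScreenSaver` (many lockers also export `/ScreenSaver`), so a client inhibiting through the canonical path would be denied by this abstraction. Suggest `path=/{,org/freedesktop/}ScreenSaver` on the Inhibit rule as well. That rule is also the only one with a bare `peer=(name=org.freedesktop.ScreenSaver)` and no label, which is reasonable for a well-known name, but a short comment (`# Inhibit is answered by whichever locker owns the well-known name, so no label`) would keep the three rules readable together.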
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver similarity index 51% rename from apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver rename to apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index f73768e9f..27c456637 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -2,18 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow checking status, activating and locking the screensaver (GNOME version) + abi , - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), + dbus send bus=session path=/{,org/gnome/}ScreenSaver + interface=org.gnome.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label=gjs-console), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} peer=(name=@{busname}, label=gjs-console), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver new file mode 100644 index 000000000..1a9369091 --- /dev/null +++ b/apparmor.d/abstractions/screensaver @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + include if exists + include if exists + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 447c030d6..b011935ae 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
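Review bot: The new `abstractions/screensaver` pulls in the two bus abstractions created by this same commit with `include if exists`, whereas `abstractions/notifications`, added later in this series, uses a plain `include` for its equivalent bus abstractions. `if exists` turns a wrong path into a silent no-op, so a typo in either target would ship as a missing grant and only surface as DBus denials in the profiles that were switched to this abstraction; a plain `include` fails at parse time instead. Keep `include if exists` for the `.d` drop-in only and use `include` for the two in-tree bus abstractions. The include targets are not visible in this rendering, so this is inferred from the `if exists` keywords alone.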
@@ -14,13 +14,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include - include + include include include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 379f7b814..39cf990ca 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -23,7 +23,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 3b34d5055..e12c25b9d 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -18,9 +18,9 @@ profile discord @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index ec7ee9c65..f87486af3 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -18,10 +18,10 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 95e37b4d6..958f9b5ee 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -18,10 +18,10 @@ profile freetube @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f4a61b07b..b60d929e2 100644 
--- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -11,8 +11,8 @@ profile pinentry-gnome3 @{exec_path} { include include include - include include + include signal receive set=int, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index bf0740919..d91285558 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -18,10 +18,10 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ed1ccfe1c..659d650fe 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -22,7 +22,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index fc582cae2..d8b464956 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,10 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index d572ce9b8..ccf1abb61 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -27,6 +26,7 @@ profile vlc @{exec_path} { include include include + include include include From 5cc5a019d4b875ebb283b31848bf9413a8d8e76d Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:40:42 +0200 Subject: [PATCH 040/184] feat(profile): snap: add support for dev version. --- apparmor.d/groups/snap/snap | 4 ++-- apparmor.d/groups/snap/snap-discard-ns | 2 +- apparmor.d/groups/snap/snap-failure | 2 +- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 ++-- apparmor.d/groups/snap/snapd-aa-prompt-listener | 2 +- apparmor.d/groups/snap/snapd-aa-prompt-ui | 2 +- apparmor.d/groups/snap/snapd-apparmor | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 927d7a3da..0d38fc055 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{bin_dirs}/snap profile snap @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns index 38396f3eb..0ccb3f1c7 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/groups/snap/snap-failure index edc9845e8..bed3a2d12 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { 
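Review bot: The same widened definition `@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}` (plus `@{bin_dirs}` in snap and snapd) is edited identically in nine profiles in this commit — snap, snap-discard-ns, snap-failure, snap-seccomp, snap-update-ns, snapd, snapd-aa-prompt-listener, snapd-aa-prompt-ui and snapd-apparmor; a single shared tunable (constructed name, e.g. `@{snapd_lib_dirs}`, in the project's tunables directory) would turn the next such change into one line. The `x` prefix is the revision form snapd assigns to locally installed, unasserted snaps, so this deliberately lets the profiles attach to a developer-built snapd; a comment next to the definition (`# x@{int}: locally installed (unasserted) snap revision`) would record that intent for the reader.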
diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 2a14fd583..90c1724be 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp profile snap-seccomp @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 98ee0e5e7..e831cc90c 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 06de56063..4a928e6d4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener index 7b9adced7..37730ba6f 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { 
diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui index 0d26f42d3..99dc98efe 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 63251a976..47b939fa0 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { From 458126e7d7fea79a92b84fef53a455f79b8c0445 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 31 Aug 2025 18:14:32 +0200 Subject: [PATCH 041/184] refractor(profile): add notification abs, move bus notifications. --- apparmor.d/abstractions/app/chromium | 2 +- .../bus/org.freedesktop.Notifications | 26 ------------------- .../bus/session/org.freedesktop.Notifications | 21 +++++++++++++++ .../bus/{ => session}/org.gtk.Notifications | 0 apparmor.d/abstractions/notifications | 12 +++++++++ apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 4 ++- apparmor.d/profiles-s-z/transmission | 2 +- 16 files changed, 47 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.Notifications create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Notifications rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Notifications (100%) create mode 100644 apparmor.d/abstractions/notifications diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dad131d64..f08a096ca 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -38,6 +37,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications deleted file mode 100644 index 6962bf7ec..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ /dev/null 
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetCapabilities,GetServerInformation,Notify} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={NotificationClosed,CloseNotification} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=Notify - peer=(name=org.freedesktop.DBus, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications new file mode 100644 index 000000000..5c10a9eae --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}" + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={GetCapabilities,GetServerInformation,Notify,CloseNotification} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={ActionInvoked,NotificationClosed,NotificationReplied} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications similarity index 100% rename from apparmor.d/abstractions/bus/org.gtk.Notifications rename to apparmor.d/abstractions/bus/session/org.gtk.Notifications diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications new file mode 100644 index 000000000..8232b54b5 --- /dev/null +++ b/apparmor.d/abstractions/notifications @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 695be9f0d..e47cc66a3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,7 +19,6 @@ profile gnome-extension-ding @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-ding @{exec_path} { include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5eb78d8bb..0876b90d1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,9 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include - include include include include @@ -41,6 +39,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index f3845daef..baaac245f 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
@@ -13,11 +13,11 @@ profile gnome-software @{exec_path} { include include include - include include include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 39cf990ca..63ab49c5e 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,7 +18,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -30,6 +29,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8e9cddd54..0de63ac64 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,13 +14,13 @@ profile update-notifier @{exec_path} { include include include - include include include include include include include + include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index f40d69799..57487b15c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,11 +16,11 @@ include profile dropbox @{exec_path} { include include - include include include include include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 366c2aed6..78781ba28 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include include include include include include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index c2bc95465..17ca1ec5a 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina 
@@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index dc190b787..cafccd791 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -17,9 +17,9 @@ profile session-desktop @{exec_path} { include include include - include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 659d650fe..56f5e91b8 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -19,8 +19,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include - include + include include include include @@ -30,6 +31,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index ad219f1ab..78d67787d 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -12,12 +12,12 @@ profile transmission @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include + include include include include From bd295d2a9d2fe0afc6361ca8528eb531051e9f0c Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:04 +0200 Subject: [PATCH 042/184] refractor: move gtk dbus to they own abs. --- .../abstractions/bus/session/org.gtk.Actions | 22 +++++++++++++++++++ .../abstractions/bus/session/org.gtk.Settings | 18 +++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 19 ++-------------- 3 files changed, 42 insertions(+), 17 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Actions create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Settings diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions new file mode 100644 index 000000000..899f244a8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session + interface=org.gtk.Actions + member={Activate,DescribeAll,SetState}, + + dbus send bus=session + interface=org.gtk.Actions + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings new file mode 100644 index 000000000..9d2dd282a --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings 
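Review bot: The new `dbus receive bus=session interface=org.gtk.Actions member={Activate,DescribeAll,SetState},` rule carries no `peer=` condition, whereas the rule it replaces in gtk.d/complete (removed in the next hunk) had `peer=(name=@{busname}),`, so the move into an abstraction also widens it to any sender on the session bus. Activate lets a peer trigger an application's exported actions, and every profile that includes this abstraction now accepts that from any bus client. Restoring `peer=(name=@{busname}),` keeps the refactor behaviour-preserving; if the widening is intentional, a comment above the rule saying why would stop the next reader from re-tightening it. The GetAll rule just above already pins `label=gnome-shell`, which suggests gnome-shell may be the only caller needed here, but that cannot be confirmed from the diff.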
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gsd-xsettings), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 99cf70d97..356e97705 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,23 +2,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState} - peer=(name=@{busname}), - - dbus send bus=session - interface=org.gtk.Actions - member=Changed, - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), + include + include @{lib}/{,@{multiarch}/}gtk*/** mr, From bd7ae9bb56badbb168d88dc0de859f59a1ad7344 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:40 +0200 Subject: [PATCH 043/184] chore: improve comment in type definition. --- pkg/prebuild/builder/stacked-dbus.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index 33af33df7..e33ecf4b7 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go 
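Review bot: In the new org.gtk.Settings abstraction the `dbus receive bus=session path=/org/gtk/Settings` rule directly follows the `peer=(name=@{busname}, label=gsd-xsettings),` line that ends the `dbus send` rule, with no blank line between them, while org.gtk.Actions in the same commit separates every rule with a blank line. Since this is a new file, inserting the blank line before `dbus receive` would match the sibling abstraction's layout. The gtk.d/complete hunk on this line inherits the same spacing from the old text and is otherwise a straight move.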
@@ -19,7 +19,7 @@ var ( } ) -// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { prebuild.Base } From eee8241eb7649a302b65f6e840018755dd308b04 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:28:53 +0200 Subject: [PATCH 044/184] chore: cosmetic fixes. --- .../abstractions/bus/session/org.freedesktop.Notifications | 2 +- apparmor.d/abstractions/bus/session/org.gtk.Notifications | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index 5c10a9eae..b51c4bdcb 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -16,6 +16,6 @@ member={ActionInvoked,NotificationClosed,NotificationReplied} peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications index ad1a1ffad..151c642a8 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications @@ -11,6 +11,6 @@ member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor From 7eaae9e68c701e24710784c52e9db9fd2d44da87 Mon Sep 17 00:00:00 2001 
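Review bot: The rewritten doc comment now starts with the type name as `go vet` expects, but it still only says that StackedDbus is a fix for an external issue, so a reader without the link learns nothing about what the builder does to a profile. I would add one sentence stating the transformation it applies, along the lines of `// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190: it rewrites <describe the rule change here> in the generated profiles.` with the placeholder filled from the builder's implementation. The struct body and the builder's methods are outside this hunk.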
From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:25:57 +0200 Subject: [PATCH 045/184] fix(profile): wrong path in abstraction. --- apparmor.d/abstractions/notifications | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 5 +++-- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications index 8232b54b5..81d5cc94c 100644 --- a/apparmor.d/abstractions/notifications +++ b/apparmor.d/abstractions/notifications @@ -4,8 +4,8 @@ abi , - include - include + include + include include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c9585e2ab..92e6c9484 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -17,15 +16,17 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include include include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3f57b3035..22c02a97f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,7 +21,6 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include From 7cfff26ee273fca78aaea077cf63166d4883e2cb Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:46:52 +0200 Subject: [PATCH 046/184] fix(profile): abstraction not updated. --- apparmor.d/profiles-s-z/superproductivity | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 73a86672f..f7abf758b 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -20,13 +20,13 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include network inet stream, network inet6 stream, From a1ba00bec3e964e11cae0dd94346f8aebdffc188 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 31 Aug 2025 23:00:13 +0200 Subject: [PATCH 047/184] feat(profile): general profile update. --- apparmor.d/groups/apparmor/apparmor_parser | 4 ++-- apparmor.d/groups/apt/debconf-frontend | 4 +++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/bluetooth/obexd | 5 +++++ apparmor.d/groups/cron/anacron | 3 +++ apparmor.d/groups/cups/cups-browsed | 4 +++- apparmor.d/groups/flatpak/flatpak | 3 +++ apparmor.d/groups/flatpak/flatpak-system-helper | 8 +++++++- apparmor.d/groups/freedesktop/wireplumber | 8 +++++--- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 13 +++++++++++++ apparmor.d/groups/gnome/gdm-session | 11 ++++++----- apparmor.d/groups/gnome/gnome-calculator | 1 + apparmor.d/groups/gnome/gnome-control-center | 3 ++- apparmor.d/groups/gnome/gnome-session | 3 +++ apparmor.d/groups/gnome/gnome-session-binary | 5 +++-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 5 +++-- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-usb-protection | 1 + apparmor.d/groups/gnome/gsd-wwan | 7 +++++++ apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/procps/htop | 1 + apparmor.d/groups/ssh/sshd | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 3 +++ apparmor.d/groups/systemd/systemd-detect-virt | 3 +++ apparmor.d/groups/systemd/systemd-remount-fs | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 8 ++++++++ apparmor.d/groups/systemd/zram-generator | 8 ++++++-- apparmor.d/groups/ubuntu/apport-gtk | 1 + apparmor.d/groups/utils/who | 2 +- apparmor.d/profiles-a-f/finalrd | 1 + apparmor.d/profiles-g-l/gsettings | 1 - apparmor.d/profiles-g-l/issue-generator | 3 ++- apparmor.d/profiles-m-r/mimetype | 2 +- apparmor.d/profiles-s-z/signal-desktop | 1 + 
apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/update-info-dir | 3 ++- apparmor.d/profiles-s-z/wsdd | 8 +++++++- apparmor.d/profiles-s-z/xournalpp | 2 +- 43 files changed, 121 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 0a9f9fcaf..a5769931c 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - deny /apparmor/.null rw, + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 4660755d6..6e80839fe 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, - # debconf apps + # Debconf apps @{bin}/adequate Px, @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms_* rPUx, + /etc/libpaper.d/texlive-base rPUx, + /usr/share/debconf/{,**} r, /etc/inputrc r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 7d2073768..8ae76e706 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts 
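Review bot: The new `/opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?` line replaces the unrelated `deny /apparmor/.null rw,` rule, and neither the swap nor the dropped deny is explained by the "general profile update" message. The trailing comment should state the fact a maintainer needs, for example `# Mullvad VPN ships its own profile and loads it through apparmor_parser`, and the removal of the `/apparmor/.null` deny deserves its own line in the message or its own commit. `/opt/Mullvad*` presumably covers the vendor's install directory; naming the intended path in the comment would make the glob reviewable. The rest of the apparmor_parser profile is outside this hunk.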
@@ -76,6 +76,7 @@ profile dpkg-scripts @{exec_path} { @{run}/** rw, @{efi}/grub/* rw, + /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 65ad4c0e5..3ea17a4e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -25,6 +25,11 @@ profile obexd @{exec_path} { member=Release peer=(name=:*, label="@{p_bluetoothd}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 3756c1d03..3acfc14fd 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -28,6 +28,7 @@ profile anacron @{exec_path} { @{tmp}/file@{rand6} rw, /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,7 +40,9 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index a7773a57f..7330d67c9 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -49,9 +49,11 @@ profile cups-browsed @{exec_path} { /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c540b9db8..e73408a0a 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak 
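Review bot: The anacron rules added in both hunks, `/tmp/anacron-@{rand6}@{c} rw,` in the main profile and `/tmp/anacron-@{rand6} rw,` plus `/tmp/anacron-@{rand6}@{c} rw,` in the run-parts child, omit `owner`, while the neighbouring `owner @{tmp}/#@{int} rw,` and `owner @{tmp}/file@{rand6} rw,` lines in the run-parts hunk use it. The temp file is created by anacron itself, so `owner` would keep the profile from writing to a same-named file another user pre-created in /tmp; if the file is opened after a privilege change so that `owner` does not hold, a comment saying so would explain the asymmetry. The existing `/tmp/anacron-@{rand6} rw,` context line in the main profile has the same shape, so this predates the commit.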
@@ -154,6 +154,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability setuid, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak), + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0ca01d01d..cdfef1bad 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -28,6 +28,11 @@ profile flatpak-system-helper @{exec_path} { ptrace read, + unix type=seqpacket peer=(label=dbus-system), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=unconfined), + #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper @{exec_path} mr, @@ -54,7 +59,8 @@ profile flatpak-system-helper @{exec_path} { @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7aff8bdd2..aefdc339d 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -47,8 +47,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, 
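Review bot: The four `unix type=seqpacket peer=(label=...)` rules in the flatpak-system-helper hunk carry no access list, so each grants every unix-socket permission toward that peer, and the `peer=(label=unconfined)` one does so toward any unconfined process. If the helper only exchanges fd-carrying messages on a socket handed to it over D-Bus, `unix (send, receive) type=seqpacket peer=(label=unconfined),` is the narrower form, and a comment naming which unconfined client needs it would justify keeping the label that broad. The two `unix type=...` rules added to the flatpak profile in the hunk above have the same shape. I cannot tell from the diff whether the helper also creates or binds these sockets.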
@@ -81,8 +81,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 89acacd34..21c99827b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} rPx -> child-open, + @{open_path} mrPx -> child-open, / r, @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index fcafbda5f..a0fb366ab 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -18,6 +18,8 @@ profile deja-dup-monitor @{exec_path} { include include include + include + include network netlink raw, @@ -39,15 +41,26 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, @{bin}/deja-dup Px, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 9a42bcdf1..c08d12a07 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session 
@@ -14,11 +14,12 @@ profile gdm-session @{exec_path} { include include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..4e83bfb76 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -10,6 +10,7 @@ include profile gnome-calculator @{exec_path} { include include + include include # Needed to get currency exchange rates diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index fde43420a..111facf64 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -130,7 +130,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 1f29958d1..7bcf80431 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session 
@@ -9,7 +9,10 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index b011935ae..f4c61c5c6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -28,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @@ -67,6 +67,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 6ddbd4b4c..37bb7b374 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index e4ac12011..8bcb629a9 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor 
@@ -22,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -75,6 +75,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index c399eadc7..5c8ab7c8a 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -12,6 +12,7 @@ profile gnome-text-editor @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35f43a93e..83fcbd7c6 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -17,6 +17,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 3bfffdb6a..7f03d9fc5 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -12,6 +12,7 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index ab2b2b089..3a5ee53df 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan 
@@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2e21750b9..7618dc3b6 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -43,7 +43,7 @@ profile gsd-xsettings @{exec_path} { dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=UserAdded + member={UserAdded,UserDeleted} peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 838dc940c..b0239f404 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -12,6 +12,7 @@ profile ptyxis @{exec_path} { include include include + include unix type=stream peer=(label=ptyxis-agent), diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 2307c709f..0965396ab 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -34,6 +34,7 @@ profile DiscoverNotifier @{exec_path} { @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 4937f6875..ef14d9ca9 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -112,6 +112,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/task/ r, 
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 40cf0bca2..633076ad6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sbin}/sshd.hmac r, + @{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/false ix, @{sbin}/nologin Px, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index db1854f1f..061b93ffd 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b78b7c04..ca6eae3ad 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -43,6 +43,9 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { /dev/cpu/@{int}/msr r, + deny capability net_admin, + deny capability perfmon, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 96b182e5f..73213160b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs 
@@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{bin}/mount rix, - /etc/blkid.conf r, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 640e48f3f..cb9592d47 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -128,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 473848ef3..193bfc9b6 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/kmod rCx, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, @@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner /dev/pts/@{int} rw, - profile kmod { + profile kmod flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 3d2cbd63d..d7480a212 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,6 +17,7 @@ profile apport-gtk @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d951bfe03..d9ca9e164 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who 
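Review bot: The systemd-udevd hunk grants `capability sys_module,` to the enclosing profile and runs `@{sh_path} rix,` and `@{bin}/kmod ix,` with inheritance, so module loading, and any shell script udevd spawns, execute under udevd's full profile with that capability. The zram-generator hunks on this same line take the other route: `@{bin}/kmod rCx -> kmod,` into a `profile kmod flags=(attach_disconnected)` child that holds `capability sys_module,` and the `@{sys}/module/compression r,` read, which keeps the capability out of the parent. Unless udevd calls init_module itself, the same child-profile pattern would fit here. The `@@ -128` context shows only includes and a closing brace, so I cannot tell whether this is the main profile or an existing child; the enclosing block starts outside the hunk.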
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index b22730a27..7ce69ab64 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/finalrd profile finalrd @{exec_path} { include + include capability dac_read_search, capability sys_admin, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 2e0eb2cf7..9b8eca8ee 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -16,7 +16,6 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 7783c8005..093cd7100 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -19,6 +19,7 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -30,7 +31,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} r, + @{run}/issue.d/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 1576050b5..32950dbc4 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index d91285558..001f8605a 100644 
--- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,6 +21,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 9c686b19d..453e0093a 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -14,6 +14,7 @@ profile udev-fido_id @{exec_path} { @{exec_path} mr, /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/platform/**/report_descriptor r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index fe06b32af..dc2a0d7aa 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -14,8 +14,9 @@ profile update-info-dir @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/install-info Px, + @{bin}/cp ix, @{bin}/find ix, + @{bin}/install-info Px, @{bin}/rm ix, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index fc6955793..b72cff3c4 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -9,9 +9,14 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include include + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -28,7 +33,8 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 6442fe8b9..0d6c4d65f 100644 --- a/apparmor.d/profiles-s-z/xournalpp 
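Review bot: `owner @{run}/user/@{uid}/*/wsdd w,` widens the removed `gvfsd/wsdd` rule to a `wsdd` file under any first-level subdirectory of the user's runtime directory; if the only observed path besides the new `@{run}/user/@{uid}/wsdd` is still the gvfsd one, keeping it explicit documents the intent better than the glob. The `capability sys_chroot,` addition in the first wsdd hunk is well commented. The wsdd profile body begins outside this hunk.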
+++ b/apparmor.d/profiles-s-z/xournalpp @@ -37,7 +37,7 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + /dev/snd/pcmC@{int}D@{int}[cp] w, include if exists } From 4f9d2703d4851a196b0e4af88d549f4b24bdc2b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:07:01 +0200 Subject: [PATCH 048/184] build: separate the base-strict abs from the re-attach builder. Enable the use of the base-strict abs on all setup. --- apparmor.d/abstractions/attached/base | 2 +- cmd/prebuild/main.go | 5 +++-- pkg/prebuild/builder/attach.go | 5 +---- pkg/prebuild/builder/base-strict.go | 32 +++++++++++++++++++++++++++ 4 files changed, 37 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/base-strict.go diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 29c685f55..8741942ff 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,7 +8,7 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 62685202f..5eb1ab2f2 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -32,8 +32,9 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + "base-strict", // Use base-strict as base abstraction ) // Matrix of ABI/Apparmor version to integrate with diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index d27908129..66ef18aef 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go 
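Review bot: `/dev/snd/pcmC@{int}D@{int}[cp] w,` matches the capture node (`c`) but grants only `w`; alsa-lib normally opens capture devices read-only and playback devices write-only, so for `c` the rule would either never be exercised or yield a read denial. Either keep `[cp]` and grant `rw`, or limit the rule to playback with `/dev/snd/pcmC@{int}D@{int}p w,`; worth confirming against the denial that motivated the change. The xournalpp profile continues outside the hunk.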
@@ -49,10 +49,7 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) + } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go new file mode 100644 index 000000000..29a065629 --- /dev/null +++ b/pkg/prebuild/builder/base-strict.go @@ -0,0 +1,32 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type BaseStrict struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&BaseStrict{ + Base: prebuild.Base{ + Keyword: "base-strict", + Msg: "Feat: use 'base-strict' as base abstraction", + }, + }) +} + +func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + return profile, nil +} From 7c6f7767575b2a0b6ed7870c6bd38483c42e1fb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:12:30 +0200 Subject: [PATCH 049/184] build: set default att to "" when not enabled. It fixes various issues with multiple / that are not collapsed in they canonical form in file rules See https://gitlab.com/apparmor/apparmor/-/issues/450#note_2158840105 --- apparmor.d/tunables/multiarch.d/system | 3 +-- pkg/prebuild/prepare/attach.go | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cf8575db0..b29be3f0c 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
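Review bot: The removal leaves the `else` branch as `insert = "@{att} = /\n"` followed by an empty line before the closing brace; gofmt normally strips a trailing blank line inside a block, so this is likely to fail a formatting check — drop the blank line. Since the branch now only assigns `insert`, it could also be collapsed into the initializer of that variable if the `if` side is equally simple. ReAttach.Apply starts outside the hunk.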
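Review bot: `BaseStrict` and its `Apply` method are exported but carry no doc comments, and the header reads `Copyright (C) 2021-2024` on a file created by a 2025 commit. Suggested comments: `// BaseStrict rewrites the base abstraction include of every profile to its strict variant.` above the type and `// Apply swaps the base abstraction include in profile for base-strict; opt is unused.` above the method. The body is a bare `strings.ReplaceAll`, so a unit test pinning one profile before and after would document the exact search string, which this rendering does not show.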
@@ -69,7 +69,6 @@ # Default attachment path when re-attached path disconnected path is ignored. # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path -@{att}=/ -alias / -> //, +@{att}="" # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index 3331c73dc..4523382d8 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -32,7 +32,6 @@ func (p ReAttach) Apply() ([]string, error) { if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") - out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") + out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) return res, path.WriteFile([]byte(out)) } From 09c1f61bb7aab8f9aff5e7c87cee66d9d9104b83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:54:28 +0200 Subject: [PATCH 050/184] build(debian): use deb-systemd-invoke and minor lintian fixes. --- debian/apparmor.d.postinst | 4 +--- debian/apparmor.d.postrm | 4 +--- debian/control | 6 +++--- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 2f8c90ae0..361af7b91 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 2f8c90ae0..361af7b91 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/control b/debian/control index 56ad928ba..85c4d3786 100644 --- a/debian/control +++ b/debian/control 
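Review bot: `out = strings.ReplaceAll(out, ...)` silently does nothing when the tunable line changes shape — exactly what this commit does to the previous `@{att}=/` form — so a future edit of `apparmor.d/tunables/multiarch.d/system` would leave the default active with no error. Guard it before the replacement: `if !strings.Contains(out, "@{att}=\"\"") { return res, fmt.Errorf("re-attach: default @{att} tunable not found") }`, using whichever error package the file already imports. ReAttach.Apply starts outside the hunk.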
@@ -18,6 +18,6 @@ Architecture: any Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. +Description: Full set of AppArmor profiles (~ 2000 profiles) + apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine + most Linux based applications and processes. From 2b07398cef01bf511fafd8c66d631598baae1e8d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 3 Sep 2025 03:28:16 +0200 Subject: [PATCH 051/184] flatpak-app ntsync --- apparmor.d/groups/flatpak/flatpak-app | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e8fe195fb..e6be7ef4f 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -98,6 +98,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, + /dev/ntsync r, + include if exists include if exists } From 2c0b5405db7242b8d0b6704fc9998927bee30c9c Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 19:06:48 -0400 Subject: [PATCH 052/184] firewall-applet: update profile --- apparmor.d/groups/firewall/firewall-applet | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 280bd9d04..bd144b7e2 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -21,6 +21,9 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + + owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } 
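Review bot: `owner @{PROC}/@{pid}/cgroup r,` is added after `mounts`, breaking the alphabetical order the surrounding entries (`cmdline`, `mounts`) and the systemd-coredump hunk earlier in this series keep; it belongs above `cmdline`. `rwkl` on `applet.conf` grants hard-link permission as well as lock; unless the denial showed a link operation, `rwk` (or `rw`) is the tighter grant. The firewall-applet profile body starts outside the hunk.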
From 237622f3efd6c7c8b11482086f2ca31fa47cc915 Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 13:54:42 -0400 Subject: [PATCH 053/184] rpcbind: update profile rpcbind: update profile --- apparmor.d/groups/network/rpcbind | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 1d81292fd..0650470ac 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken +# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,9 +10,18 @@ include @{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include + + capability setgid, + capability setuid, @{exec_path} rm, + /etc/netconfig r, + + @{run}/rpcbind.lock rwkl, + @{run}/rpcbind/*.xdr rwkl, + include if exists } From 4c84b572cda4433a664b1488e980034886652629 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Tue, 2 Sep 2025 05:12:04 +0200 Subject: [PATCH 054/184] glxgears can't access X cookie --- apparmor.d/profiles-g-l/glxgears | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 1e27790df..cfd9f0dac 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -25,6 +25,7 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists } From e43d9078089c4b46c8f48d08ebacacf83327b3f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 2 Sep 2025 00:06:57 +0200 Subject: [PATCH 055/184] chore: cosmetic. --- Justfile | 78 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/Justfile b/Justfile index e434586c4..2c4c0e8d4 100644 --- a/Justfile 
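Review bot: `@{run}/rpcbind.lock rwkl,` and `@{run}/rpcbind/*.xdr rwkl,` include `l` (hard-link) permission, which a lock file and state files rarely need; unless a denial showed a link operation, `rwk` is the tighter grant. With `capability setuid,` and `capability setgid,` now present the profile is still `flags=(complain)`, so these rules are not enforced yet but will form the enforced set later, which is the moment over-grants stop being visible.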
+++ b/Justfile @@ -49,44 +49,44 @@ c := "--connect=qemu:///system" # VM prefix prefix := "aa-" -[doc('Show this help message')] +# Show this help message help: @just --list --unsorted @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." +# Build the go programs [group('build')] -[doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +# Prebuild the profiles in enforced mode [group('build')] -[doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in complain mode [group('build')] -[doc('Prebuild the profiles in complain mode')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in FSP mode [group('build')] -[doc('Prebuild the profiles in FSP mode')] fsp: build @./{{build}}/prebuild --buildir {{build}} --full +# Prebuild the profiles in FSP mode (complain) [group('build')] -[doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build @./{{build}}/prebuild --buildir {{build}} --complain --full +# Prebuild the profiles in FSP mode (debug) [group('build')] -[doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build @./{{build}}/prebuild --buildir {{build}} --complain --full --debug +# Install prebuild profiles [group('install')] -[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -113,8 +113,8 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +# Locally install prebuild profiles [group('install')] -[doc('Locally install prebuild profiles')] local +names: #!/usr/bin/env bash set -eu -o pipefail 
@@ -135,39 +135,39 @@ local +names: done; systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Prebuild, install, and load a dev profile [group('install')] -[doc('Prebuild, install, and load a dev profile')] dev name: go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Build & install apparmor.d on Arch based systems [group('packages')] -[doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +# Build & install apparmor.d on Debian based systems [group('packages')] -[doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +# Build & install apparmor.d on OpenSUSE based systems [group('packages')] -[doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +# Run the unit tests [group('tests')] -[doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +# Run the linters [group('linter')] -[doc('Run the linters')] lint: golangci-lint run packer fmt tests/packer/ 
@@ -177,34 +177,34 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +# Run style checks on the profiles [group('linter')] -[doc('Run style checks on the profiles')] check: @bash tests/check.sh +# Generate the man pages [group('docs')] -[doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +# Build the documentation [group('docs')] -[doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +# Serve the documentation [group('docs')] -[doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve -[doc('Remove all build artifacts')] +# Remove all build artifacts clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +# Build the package in a clean OCI container [group('packages')] -[doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash set -eu -o pipefail @@ -219,8 +219,8 @@ package dist: fi bash dists/docker.sh $dist $version +# Build the VM image [group('vm')] -[doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} packer build -force \ @@ -237,8 +237,8 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +# Create the machine [group('vm')] -[doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @virt-install {{c}} \ 
@@ -257,53 +257,53 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +# Start a machine [group('vm')] -[doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +# Stops the machine [group('vm')] -[doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +# Reboot the machine [group('vm')] -[doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +# Destroy the machine [group('vm')] -[doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +# Connect to the machine [group('vm')] -[doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` +# Mount the shared directory on the machine [group('vm')] -[doc('Mount the shared directory on the machine')] mount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' +# Unmout the shared directory on the machine [group('vm')] -[doc('Unmout the shared directory on the machine')] umount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' +# List the machines [group('vm')] -[doc('List the machines')] list: @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +# List the VM images [group('vm')] -[doc('List the VM images')] images: #!/usr/bin/env bash set -eu -o pipefail @@ -320,8 +320,8 @@ images: } ' +# List the VM images that can be created [group('vm')] -[doc('List the VM images that can be created')] available: #!/usr/bin/env bash set -eu -o pipefail 
@@ -337,36 +337,36 @@ available: } ' +# Install dependencies for the integration tests [group('tests')] -[doc('Install dependencies for the integration tests')] init: @bash tests/requirements.sh +# Run the integration tests [group('tests')] -[doc('Run the integration tests')] integration name="": bats --recursive --timing --print-output-on-failure tests/integration/{{name}} +# Install dependencies for the integration tests (machine) [group('tests')] -[doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init +# Synchronize the integration tests (machine) [group('tests')] -[doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ +# Re-synchronize the integration tests (machine) [group('tests')] -[doc('Re-synchronize the integration tests (machine)')] tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ (umount dist flavor) +# Run the integration tests (machine) [group('tests')] -[doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ From 7963479dbc944ea2fa18da16ad5a4224f73cc8fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:21:34 +0200 Subject: [PATCH 056/184] build: various cleanup --- dists/build.sh | 2 +- dists/docker.sh | 4 ++-- dists/flags/main.flags | 4 ++-- dists/flags/ubuntu.flags | 1 + 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/dists/build.sh b/dists/build.sh index 9b9f9e765..e33c48695 100644 --- a/dists/build.sh +++ b/dists/build.sh 
@@ -16,7 +16,7 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) diff --git a/dists/docker.sh b/dists/docker.sh index 2e581883c..45191adb8 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -25,7 +25,7 @@ readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" + docker start "$img" || return 1 } _is_running() { @@ -65,7 +65,7 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" - docker exec "$img" sudo pacman -Syu --noconfirm --noprogressbar + docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 057c7c298..2c01d9553 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -230,7 +230,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm complain +mdadm attach_disconnected,complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain @@ -327,7 +327,7 @@ systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain systemd-generator-environment-snapd attach_disconnected,complain -systemd-generator-friendly-recover attach_disconnected,complain +systemd-generator-friendly-recovery attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 7339702a2..125575ce1 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags 
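Review bot: `BUILDDIR=/tmp/makepkg` is a fixed path inside a shared, world-writable directory; on a multi-user host another local user can pre-create it (or place a symlink there) and makepkg would then unpack sources and build inside a directory it does not own. Prefer a private directory created once, e.g. `BUILDDIR="$(mktemp -d)"` removed on exit, or keep the build under `$OUTPUT`. main() continues outside the hunk.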
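Review bot: `docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar` refreshes the package database without upgrading, so the `makepkg --syncdeps` run right after (via `bash dists/build.sh pkg`) can install dependencies built against newer libraries than the ones present in the container — the partial-upgrade state Arch documents as unsupported. If the goal was to save time on an already fresh container, `-Syu` costs little there and keeps the dependency set consistent; if the container is long-lived it matters more. build_in_docker_makepkg starts outside the hunk.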
@@ -8,6 +8,7 @@ apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +esm_cache complain fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain From d9df02f3f860f94d91d85862205adf872d75b9a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:22:39 +0200 Subject: [PATCH 057/184] tests(packer): update opensuse images. --- tests/cloud-init/opensuse-gnome.user-data.yml | 18 ++++++- tests/cloud-init/opensuse-kde.user-data.yml | 14 ++++- .../cloud-init/opensuse-server.user-data.yml | 7 +++ tests/cloud-init/opensuse.yml | 54 +++++++++++++++++++ 4 files changed, 91 insertions(+), 2 deletions(-) diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 3ab5a6c08..b59d66af3 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,6 +1,22 @@ #cloud-config -packages: *core-packages +packages: *gnome-packages + +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket write_files: - *shared-directory # Setup shared directory + + - path: /etc/sysconfig/displaymanager + append: true + content: | + DISPLAYMANAGER="gdm" + diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 3ab5a6c08..2058846dd 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml 
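Review bot: The three openSUSE user-data files in this commit diverge on the same `runcmd` steps: the gnome and server variants rewrite the kernel line to `apparmor=1 apparmor.debug=1` and only gnome enables `systemd-journald-audit.socket`, while the kde variant (next hunk) drops `apparmor.debug=1` and carries a stray `# apparmor.debug=1` comment above `runcmd`. Either align them or comment why they differ, since test results across flavours are otherwise not comparable. Separately, replacing `security=selinux selinux=1` with `apparmor=1` enables the module but may not select it as the exclusive LSM on a kernel whose built-in LSM order lists SELinux first; `security=apparmor` is the parameter that makes that choice, so it is worth verifying `aa-status` on the resulting images.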
@@ -1,6 +1,18 @@ #cloud-config -packages: *core-packages +packages: *kde-packages + +# apparmor.debug=1 +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg write_files: - *shared-directory # Setup shared directory + - path: /etc/sysconfig/displaymanager + append: true + content: | + DISPLAYMANAGER="sddm" diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml index 98b78ec80..b6d35cd68 100644 --- a/tests/cloud-init/opensuse-server.user-data.yml +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -2,6 +2,13 @@ packages: *core-packages +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg + write_files: - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml index 57c633678..ab0954c6a 100644 --- a/tests/cloud-init/opensuse.yml +++ b/tests/cloud-init/opensuse.yml @@ -2,9 +2,11 @@ # Core packages for OpenSUSE core-packages: &core-packages + - pattern:apparmor - apparmor-profiles - bash-completion - distribution-release + - docker - git - go - golang-packaging 
@@ -12,5 +14,57 @@ core-packages: &core-packages - just - rpmbuild - rsync + - systemd-container + - systemd-homed - vim +gnome-packages: &gnome-packages + # Core packages for OpenSUSE + - pattern:apparmor + - apparmor-profiles + - bash-completion + - distribution-release + - docker + - git + - go + - golang-packaging + - htop + - just + - rpmbuild + - rsync + - systemd-container + - systemd-homed + - vim + + # Gnome packages for OpenSUSE + - pattern:gnome + - gdm + - spice-vdagent + - terminator + - loupe + - ptyxis + +kde-packages: &kde-packages + # Core packages for OpenSUSE + - pattern:apparmor + - apparmor-profiles + - bash-completion + - distribution-release + - docker + - git + - go + - golang-packaging + - htop + - just + - rpmbuild + - rsync + - systemd-container + - systemd-homed + - vim + + # KDE packages for OpenSUSE + - pattern:kde_plasma + - pattern:kde + - sddm + - spice-vdagent + - terminator From 5795114328ad8952c826b8e82e475500d84eb94a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:23:49 +0200 Subject: [PATCH 058/184] tests(packer): success on cloud-init failure. --- tests/packer/builds.pkr.hcl | 4 ++-- tests/packer/clean.sh | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 48a5fafb6..98e923fd9 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -71,10 +71,10 @@ build { "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", # Ensure cloud-init is successful - # "cloud-init status", + "cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz", # Remove logs and artifacts so cloud-init can re-run - # "cloud-init clean", + "cloud-init clean || true", # Install local files and config "bash /tmp/init.sh", diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index f7518a2f6..23c587d4f 100644 --- a/tests/packer/clean.sh 
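Review bot: `"cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz"` turns a failed cloud-init run into a successful image build with the only trace being a tarball inside the image, which is easy to miss in a packer log. A visible marker in the same step, e.g. appending `|| echo "WARNING: cloud-init failed, logs in /root/cloud-init.tar.gz"`, would make the degraded image obvious at build time; note `cloud-init status` also exits non-zero for the "degraded" state, so the collected logs are the right artefact to inspect. The `build {}` block starts and ends outside the hunk.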
+++ b/tests/packer/clean.sh @@ -60,8 +60,7 @@ clean_pacman() { clean_zypper() { _msg "Cleaning zypper cache" - zypper update -y - zypper clean -y + zypper clean --all } # Make the image as impersonal as possible. From a0f1c55ab475a9c3f6d9ad26bf8d91b7d53036d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:12:40 +0200 Subject: [PATCH 059/184] doc: update roadmap. --- docs/development/roadmap.md | 49 ++++++++++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 11 deletions(-) diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 2585208e5..379241a49 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -6,11 +6,18 @@ title: Roadmap This is the current list of features that must be implemented to get to a stable release -- [x] **Play machine** +- [x] **[Play machine](https://github.com/roddhjav/play)** -- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - - [x] Move most profiles into groups such that - - [ ] New simplified build system to generate the packages with profile dependencies check +- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** + - [x] Move most profiles into groups + - [ ] Provide complain/enforced packages version + - [ ] normal/FSP/server packages variants + +- [ ] **Build system** + - [ ] Continuous release on the main branch, ~2 releases per week + - [ ] Provide packages repo for ubuntu/debian + - [x] Add a `just` target to install the profiles in the right place + - [x] Fully drop the Makefile in favor of `just` - [ ] **Tests** - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) 
@@ -22,14 +29,26 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [x] The apt/dpkg profiles needs to be reworked -- [ ] Build system - - [ ] Continuous release on the main branch, ~2 releases per week - - [ ] Provide packages repo for ubuntu/debian - - [ ] Provide complain/enforced packages version - - [x] Add a `just` target to install the profiles in the right place - - [x] Fully drop the Makefile in favor of `just` +- [ ] **Abstractions** + - [ ] Document all abstractions + - [ ] Split and reorganize some big abs into set of smaller abstractions. + Strictly follow the new abstractions guidelines (layer 0, layer 1, etc.) + - [ ] Abstraction based profiles: + Most of the accesses needed by GUI based application are commons. As such 80-90% of the profile content should be handled by abstractions (internally they will have conditions). + - [ ] Test new interface like abstractions + - notifications + - audio-bluetooth + - secrets-service + - media-keys + - ... + - [ ] Rewrite the desktop abstraction to only contains other abs. No direct rules in it. + - [ ] Rewrite the DE specific abstraction to be a layer 1 abs + +- [ ] **Security improvements** + - [ ] Limit the use of `abstractions/common/systemd` + - [ ] Ensure systemctl restart/stop/reload is always confined and filtered by unit (dbus only) + - [ ] Revisit the usae of `systemd-tty-ask-password-agent` ## Next features 
@@ -45,8 +64,16 @@ This is the current list of features that must be implemented to get to a stable - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - [x] Remove the `default` profile +- [ ] **Define roles** + - [ ] Unrestricted shell role without FSP enabled + - [ ] Define the roles when FSP is enabled + ## Done +**General improvements** + +- [x] The apt/dpkg profiles has been rewritten + **Abstractions** - [x] New `audio-client` and `audio-server` abstractions From d86cf03dabfe1ba614341278ea42cb0a078df52e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:13:25 +0200 Subject: [PATCH 060/184] build(debian): post script must not fail. --- debian/apparmor.d.postinst | 2 +- debian/apparmor.d.postrm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 361af7b91..840f3196b 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,6 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 361af7b91..840f3196b 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,6 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service +deb-systemd-invoke reload apparmor.service || true exit 0 From c7177eedde336a0bbef70e8fcc4413eaf07d88f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:16:25 +0200 Subject: [PATCH 061/184] doc: update documentation. --- docs/development/abstractions.md | 9 +++++++++ docs/issues.md | 30 +++++++++++++----------------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index f1ac6e18e..cd82f5d21 100644 --- a/docs/development/abstractions.md 
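Review bot: Appending `|| true` to `deb-systemd-invoke reload apparmor.service` makes a failed reload indistinguishable from success, so an upgrade can finish with stale or unloaded policy and nothing in the install log; the identical change is made in debian/apparmor.d.postrm. Keeping the non-fatal behaviour while still surfacing it, `deb-systemd-invoke reload apparmor.service || echo "apparmor.d: reload of apparmor.service failed, profiles may not be active" >&2`, would give the administrator a trace to act on. The `apparmor_parser --purge-cache || true` line above already follows the silent pattern, so a short comment explaining why both are allowed to fail would also help.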
+++ b/docs/development/abstractions.md @@ -217,6 +217,14 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this A minimal set of rules for chromium based application. Handle access for internal sandbox. +It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: + +!!! note "" + + [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25) + ``` sh linenums="24" + @{domain} = org.chromium.Chromium + ``` ### **`common/electron`** @@ -227,6 +235,7 @@ A minimal set of rules for all electron based UI applications. It works as a *fu [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify + @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/docs/issues.md b/docs/issues.md index 1db3b195a..2f38f4c5a 100644 --- a/docs/issues.md +++ b/docs/issues.md @@ -6,6 +6,19 @@ title: Known issues Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. +## Ubuntu + +### Dbus + +Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* + +Note: Ubuntu server has been more tested and will work without issues with enforced rules. + +### Snap + +Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. + + ## Complain mode A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: 
@@ -14,20 +27,3 @@ A profile in *complain* mode cannot break the program it confines. However, ther 2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, 3. If AppArmor does not find the profile to transition `rPx`. -## Pacman "could not get current working directory" - -```sh -$ sudo pacman -Syu -... -error: could not get current working directory -:: Processing package changes... -... -``` - -This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. - -According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. - -This provides a basic protection against some packages (on the AUR) that may have rogue install script. - -[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman From 470025c09025861a4fbee72a3f424ff7b0219044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 19:39:18 +0200 Subject: [PATCH 062/184] build(debian): update list of profile to hide. Nb: we cannot use these profiles as they would break with apparmor.d profiles (they don't expect confined peer). --- pkg/prebuild/files.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index 504f05c1c..d9879570b 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go 
@@ -11,9 +11,12 @@ import (
 )
 // Hide is the default content of debian/apparmor.d.hide. Whonix has special addition.
-var Hide = `# This file is generated by "make", all edit will be lost.
+var Hide = `# This file is generated by "just", all edit will be lost.
 /etc/apparmor.d/usr.bin.firefox
+/etc/apparmor.d/usr.bin.swtpm
+/etc/apparmor.d/usr.bin.wsdd
+/etc/apparmor.d/usr.libexec.geoclue
 /etc/apparmor.d/usr.sbin.cups-browsed
 /etc/apparmor.d/usr.sbin.cupsd
 /etc/apparmor.d/usr.sbin.rsyslogd
From ab7cba2da6e283f6f7e2eed1b746271b3bbda512 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 6 Sep 2025 22:01:20 +0200
Subject: [PATCH 063/184] build(arch): initial pkbuild for splited packages.
Note: it is not enabled yet.
---
 PKGBUILD | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 102 insertions(+), 9 deletions(-)
diff --git a/PKGBUILD b/PKGBUILD
index dfbb46735..a68ba817d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,8 +3,15 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use.
-pkgname=apparmor.d
-pkgver=0.001
+pkgbase=apparmor.d
+pkgname=(
+ apparmor.d
+ # apparmor.d.enforced
+ # apparmor.d.fsp apparmor.d.fsp.enforced
+ # apparmor.d.server apparmor.d.server.enforced
+ # apparmor.d.server.fsp apparmor.d.server.fsp.enforced
+)
+pkgver=0.0001
 pkgrel=1
 pkgdesc="Full set of apparmor profiles"
 arch=('x86_64' 'armv6h' 'armv7h' 'aarch64')
@@ -12,10 +19,9 @@ url="https://github.com/roddhjav/apparmor.d"
 license=('GPL-2.0-only')
 depends=('apparmor>=4.1.0' 'apparmor<5.0.0')
 makedepends=('go' 'git' 'rsync' 'just')
-conflicts=("$pkgname-git")
 pkgver() {
- cd "$srcdir/$pkgname"
+ cd "$srcdir/$pkgbase"
 echo "0.$(git rev-list --count HEAD)"
 }
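Review bot: The three new entries in `Hide` carry no explanation, while the commit message says these upstream profiles break because they do not expect a confined peer; since the raw string already starts with a `#` comment that ends up in the generated debian/apparmor.d.hide, the reason could live there too, e.g. `# Upstream profiles hidden because they do not expect confined peers.` above the list. Keeping that rationale next to the paths is what lets a later maintainer decide when an entry can be dropped again.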
@@ -24,17 +30,104 @@ prepare() {
 }
 build() {
- cd "$srcdir/$pkgname"
+ cd "$srcdir/$pkgbase"
 export CGO_CPPFLAGS="${CPPFLAGS}"
 export CGO_CFLAGS="${CFLAGS}"
 export CGO_CXXFLAGS="${CXXFLAGS}"
 export CGO_LDFLAGS="${LDFLAGS}"
+ export GOPATH="${srcdir}"
 export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
 export DISTRIBUTION=arch
- just complain
+ local -A modes=(
+ # Mapping of modes to just build target.
+ [default]=complain
+ # [enforced]=enforce
+ # [fsp]=fsp-complain
+ # [fsp.enforced]=fsp
+ # [server]=server-complain
+ # [server.enforced]=server
+ # [server.fsp]=server-fsp-complain
+ # [server.fsp.enforced]=server-fsp
+ )
+ for mode in "${!modes[@]}"; do
+ just build=".build/$mode" "${modes[$mode]}"
+ done
 }
-package() {
- cd "$srcdir/$pkgname"
- just destdir="$pkgdir" install
+_conflicts() {
+ local mode="$1"
+ local pattern=".$mode"
+ if [[ "$mode" == "default" ]]; then
+ pattern=""
+ else
+ echo "$pkgbase"
+ fi
+ for pkg in "${pkgname[@]}"; do
+ if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then
+ continue
+ fi
+ echo "$pkg"
+ done
+}
+
+_install() {
+ local mode="${1:?}"
+ cd "$srcdir/$pkgbase"
+ just build=".build/$mode" destdir="$pkgdir" install
+}
+
+package_apparmor.d() {
+ mode=default
+ pkgdesc="$pkgdesc (complain mode)"
+ mapfile -t conflicts < <(_conflicts $mode)
+ _install $mode
+}
+
+package_apparmor.d.enforced() {
+ mode=enforced
+ pkgdesc="$pkgdesc (enforced mode)"
+ mapfile -t conflicts < <(_conflicts $mode)
+ _install $mode
+}
+
+package_apparmor.d.fsp() {
+ mode="fsp"
+ pkgdesc="$pkgdesc (FSP mode)"
+ mapfile -t conflicts < <(_conflicts $mode)
+ _install $mode
+}
+
+package_apparmor.d.fsp.enforced() {
+ mode="fsp.enforced"
+ pkgdesc="$pkgdesc (FSP enforced mode)"
+ mapfile -t conflicts < <(_conflicts $mode)
+ _install $mode
+}
+
+package_apparmor.d.server() {
+ mode="server"
+ pkgdesc="$pkgdesc (server complain mode)"
+ mapfile -t conflicts < <(_conflicts $mode)
+ _install $mode
+}
+
+package_apparmor.d.server.enforced() {
+ mode="server.enforced"
+ pkgdesc="$pkgdesc (server enforced mode)"
+ mapfile -t conflicts < <(_conflicts $mode)
+ _install $mode
+}
+
+package_apparmor.d.server.fsp() {
+ mode="server.fsp"
+ pkgdesc="$pkgdesc (server FSP complain mode)"
+ mapfile -t conflicts < <(_conflicts $mode)
+ _install $mode
+}
+
+package_apparmor.d.server.fsp.enforced() {
+ mode="server.fsp.enforced"
+ pkgdesc="$pkgdesc (server FSP enforced mode)"
+ mapfile -t conflicts < <(_conflicts $mode)
+ _install $mode
 }
From ab7cba2da6e283f6f7e2eed1b746271b3bbda512 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 6 Sep 2025 22:16:40 +0200
Subject: [PATCH 064/184] build: add early support for server version of the package.
---
 docs/development/build.md | 44 ++++++++++++++++++++++++++------------
 pkg/prebuild/cli/cli.go | 27 +++++++++++++++++++++---
 2 files changed, 54 insertions(+), 17 deletions(-)
diff --git a/docs/development/build.md b/docs/development/build.md
index eaa2487a2..b767e4e4e 100644
--- a/docs/development/build.md
+++ b/docs/development/build.md
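Review bot: `_conflicts` emits `$pkgbase` twice for every non-default mode: once from the `else` branch and again from the loop, because `apparmor.d` never equals `${pkgbase}.${mode}`; dropping the `else echo "$pkgbase"` branch leaves the loop producing the correct list in both cases. The second hunk of this patch also deletes `conflicts=("$pkgname-git")` and nothing in `_conflicts` restores it, so none of the split packages conflicts with the AUR `apparmor.d-git` package any more — add `echo "${pkgbase}-git"` inside `_conflicts` if that is still intended. In each `package_*` function `mode` is assigned without `local` and passed unquoted as `$mode`; harmless for these values, but `local mode=...` and `"$mode"` would match the `${1:?}` guard in `_install`.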
@@ -10,18 +10,22 @@ go run ./cmd/prebuild -h ``` ``` -aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] +aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. Prepare tasks: configure - Set distribution specificities 
@@ -31,21 +35,27 @@ Prepare tasks: overwrite - Overwrite dummy upstream profiles synchronise - Initialize a new clean apparmor.d build directory ignore - Ignore profiles and files from: + server - Configure AppArmor for server systemd-default - Configure systemd unit drop in files to a profile for some units systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor + attach - Configure tunable for re-attached path Build tasks: - abi3 - Convert all profiles from abi 4.0 to abi 3.0 - attach - Re-attach disconnected path - complain - Set complain flag on all profiles - enforce - All profiles have been enforced - fsp - Prevent unconfined transitions in profile rules - hotfix - Temporary fix for #74, #80 & #235 - userspace - Resolve variable in profile attachments + userspace - Fix: resolve variable in profile attachments + abi3 - Build: convert all profiles from abi 4.0 to abi 3.0 + attach - Feat: re-attach disconnected path + base-strict - Feat: use 'base-strict' as base abstraction + complain - Build: set complain flag on all profiles + debug - Build: debug mode enabled + enforce - Build: all profiles have been enforced + fsp - Feat: prevent unconfined transitions in profile rules + hotfix - Fix: temporary solution for #74, #80 & #235 + stacked-dbus - Fix: resolve peer label variable in dbus rules Directive: #aa:dbus own bus= name= [interface=AARE] [path=AARE] #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] + #aa:dbus common bus= name= label= #aa:exec [P|U|p|u|PU|pu|] profiles... #aa:only filters... #aa:exclude filters... 
@@ -66,6 +76,12 @@ Ignore profiles and files as defined in the `dist/ignore` directory. See [workfl *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* +### **`server`** + +Configure AppArmor for server. Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play). + +*Enable with the `--server` option in the prebuild command.* + ### **`merge`** Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 8abfb4323..981331edd 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -7,6 +7,8 @@ package cli import ( "flag" "fmt" + "os" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/logging" @@ -20,7 +22,7 @@ import ( const ( nilABI = 0 nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE] + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. @@ -32,7 +34,8 @@ Options: -a, --abi ABI Target apparmor ABI. -v, --version V Target apparmor version. -f, --full Set AppArmor for full system policy. - -b, --buildir DIR Root build directory. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. --debug Enable debug mode. ` @@ -43,6 +46,7 @@ var ( complain bool enforce bool full bool + server bool debug bool abi int version float64 
@@ -55,6 +59,8 @@ func init() {
 flag.BoolVar(&help, "help", false, "Show this help message and exit.")
 flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.")
 flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.")
+ flag.BoolVar(&server, "s", false, "Set AppArmor for server.")
+ flag.BoolVar(&server, "server", false, "Set AppArmor for server.")
 flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.")
 flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.")
 flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.")
@@ -81,7 +87,22 @@ func Configure() {
 flag.Parse()
 if help {
 flag.Usage()
- return
+ os.Exit(0)
+ }
+
+ if server {
+ idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"])
+ if idx == -1 {
+ prepare.Register("server")
+ } else {
+ prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"])
+ }
+
+ // Remove hotfix task as it is not needed on server
+ idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"])
+ if idx != -1 {
+ prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1)
+ }
 }
 if full && paths.New("apparmor.d/groups/_full").Exist() {
From ec88fcbfcb2a928bb543bdc0497946ff6fe840cc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 6 Sep 2025 23:18:31 +0200
Subject: [PATCH 065/184] feat(abs): add the camera abstraction
---
 apparmor.d/abstractions/app/chromium | 2 +-
 apparmor.d/abstractions/camera | 35 +++++++++++++++++++
 apparmor.d/abstractions/common/app | 2 +-
 apparmor.d/groups/browsers/epiphany | 3 +-
 apparmor.d/groups/freedesktop/pipewire | 2 +-
 .../groups/freedesktop/pipewire-media-session | 2 +-
 apparmor.d/groups/freedesktop/pulseaudio | 3 +-
 apparmor.d/groups/freedesktop/wireplumber | 3 +-
 apparmor.d/profiles-s-z/signal-desktop | 1 +
 apparmor.d/profiles-s-z/vlc | 2 +-
 10 files changed, 44 insertions(+), 11 deletions(-)
 create mode 100644 apparmor.d/abstractions/camera
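Review bot: In the `if server` block, `prepare.Tasks["server"]` and `prepare.Tasks["hotfix"]` are looked up without checking that the key exists; if `Tasks` is a map keyed by task keyword, a missing entry is nil and `slices.Insert` would place a nil task into `Prepares` — and within this series the `server` prepare task is only added by a later commit, so at this commit the lookup presumably misses. The build.md change in the same patch lists `hotfix` under *Build tasks*, not *Prepare tasks*, so `slices.Index(prepare.Prepares, prepare.Tasks["hotfix"])` likely never finds it and the documented "hotfix is also disabled" behaviour silently does not happen; the removal probably belongs in the builder registry. Suggest guarding the insert with `task, ok := prepare.Tasks["server"]` and `if !ok { logging.Fatal(...) }` (or whatever the package uses for fatal configuration errors), and a comment on the hotfix branch naming the registry it is expected in. The switch from `return` to `os.Exit(0)` after `flag.Usage()` also changes `Configure` from a returning function to one that can terminate the process, which deserves a one-line comment for callers.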
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index f08a096ca..725b57fca 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -30,6 +30,7 @@ include include include + include include include include @@ -44,7 +45,6 @@ include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera new file mode 100644 index 000000000..0f5cff363 --- /dev/null +++ b/apparmor.d/abstractions/camera @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to all cameras + + abi , + + # Allow detection of cameras. Leaks plugged in USB device info + @{sys}/bus/usb/devices/ r, + @{sys}/devices/@{pci}/usb@{int}/**/busnum r, + @{sys}/devices/@{pci}/usb@{int}/**/devnum r, + @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, + @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + @{sys}/devices/@{pci}/usb@{int}/**/modalias r, + @{sys}/devices/@{pci}/usb@{int}/**/speed r, + + @{sys}/class/video4linux/ r, + @{sys}/devices/**/video4linux/** r, + @{sys}/devices/**/video4linux/video@{int}/ r, + @{sys}/devices/**/video4linux/video@{int}/uevent r, + + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c81:@{int} r, # For video4linux + + # VideoCore cameras (shared device with VideoCore/EGL) + /dev/vchiq rw, + + # Access to video /dev devices + /dev/video@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5072cadfd..d0b36188b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -16,6 +16,7 @@ include include include + include include include include 
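Review bot: The new camera abstraction's header says only "Allows access to all cameras", but the rule set also grants read access to the USB device tree under `@{sys}/devices/@{pci}/usb@{int}/**` and to `@{run}/udev/data/+usb:*` (the inline comment itself notes this leaks plugged-in USB device info), plus `rw` on `/dev/vchiq`, which the comment describes as a device shared with VideoCore/EGL. The same commit appears to include this abstraction from `abstractions/common/app` and `app/chromium` (the include targets are not visible in this rendering), which would make the grant part of the default application rule set rather than an opt-in for capture-capable programs. Suggest stating that scope in the header, e.g. `# Allows access to all cameras. Also exposes USB and video4linux device metadata via sysfs/udev and the shared VideoCore device; include only where video capture is expected.`, so profile authors can weigh it.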
@@ -30,7 +31,6 @@ include include include - include dbus bus=accessibility, dbus bus=session, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 86b293e8d..45a32868e 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -12,6 +12,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -61,8 +62,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 02a370cdc..c8c89ac13 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -14,8 +14,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include include - include capability sys_ptrace, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index af6f30e9c..83ee32baa 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -14,9 +14,9 @@ profile pipewire-media-session @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 05e4c3ec2..28d8b9d31 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -18,6 +18,7 @@ profile pulseaudio @{exec_path} { include include include + include include include include 
@@ -105,7 +106,6 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, @@ -114,7 +114,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/cmdline r, /dev/media@{int} r, - /dev/video@{int} rw, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aefdc339d..708e5a6e8 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -16,9 +16,9 @@ profile wireplumber @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, @@ -71,7 +71,6 @@ profile wireplumber @{exec_path} { @{sys}/bus/ r, @{sys}/bus/media/devices/ r, - @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 001f8605a..4abe053f6 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -19,6 +19,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index ccf1abb61..3a3a77313 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -17,6 +17,7 @@ profile vlc @{exec_path} { include include include + include include include include @@ -85,7 +86,6 @@ profile vlc @{exec_path} { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, - /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer From c2ecc756b2e424926b7d0ac79b99b8f20c911de2 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:30:52 +0200 Subject: [PATCH 066/184] feat(abs): add the media-control abstraction --- apparmor.d/abstractions/media-control | 20 +++++++++++++++++++ apparmor.d/groups/freedesktop/pipewire | 3 +-- apparmor.d/groups/freedesktop/pulseaudio | 3 +-- apparmor.d/groups/freedesktop/wireplumber | 3 +-- apparmor.d/groups/gnome/gnome-boxes | 5 ++--- apparmor.d/groups/gnome/gnome-control-center | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 5 ++--- apparmor.d/groups/gnome/localsearch | 3 --- .../groups/gnome/org.gnome.NautilusPreviewer | 5 ++--- apparmor.d/profiles-a-f/cheese | 5 ++--- apparmor.d/profiles-s-z/v4l2-ctl | 6 ++---- apparmor.d/profiles-s-z/virt-manager | 5 ++--- 12 files changed, 37 insertions(+), 30 deletions(-) create mode 100644 apparmor.d/abstractions/media-control diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control new file mode 100644 index 000000000..1cdcf66f2 --- /dev/null +++ b/apparmor.d/abstractions/media-control @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to media controller such as microphones, and video capture hardware. +# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst + + abi , + + # Control of media devices + /dev/media@{int} rwk, + + # Access to V4L subnodes configuration + # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html + /dev/v4l-subdev@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index c8c89ac13..04b08ecc4 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire 
@@ -15,6 +15,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -66,8 +67,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 28d8b9d31..5c7c49c3d 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -26,6 +26,7 @@ profile pulseaudio @{exec_path} { include include include + include include ptrace (trace) peer=@{profile_name}, @@ -113,8 +114,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, - /dev/media@{int} r, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 708e5a6e8..aa78d9667 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -18,6 +18,7 @@ profile wireplumber @{exec_path} { include include include + include include network bluetooth raw, @@ -65,7 +66,6 @@ profile wireplumber @{exec_path} { @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @@ -86,7 +86,6 @@ profile wireplumber @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, /dev/udmabuf rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 1447715b7..cd46dd069 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes 
@@ -13,10 +13,12 @@ profile gnome-boxes @{exec_path} { include include include + include include include include include + include include include include @@ -80,9 +82,6 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} rw, - /dev/video@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, profile virsh { diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 111facf64..10f310232 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -17,11 +17,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include include @@ -191,8 +193,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, - /dev/media@{int} r, - /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0876b90d1..7344b735b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -32,18 +32,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include include include include + include include include include include include - include capability sys_nice, capability sys_ptrace, 
@@ -321,7 +322,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @@ -379,7 +379,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} rw, /dev/tty@{int} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 049b3c402..d5700db7c 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -68,9 +68,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index f084e7b12..e1bde2238 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,14 +10,15 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include + include include include include include include + include include include - include network netlink raw, 
@@ -52,8 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b89fa42f2..33b933be2 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -11,10 +11,12 @@ include profile cheese @{exec_path} { include include + include include include include include + include include include @@ -49,9 +51,6 @@ profile cheese @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl index e398049de..ddb86b9a2 100644 --- a/apparmor.d/profiles-s-z/v4l2-ctl +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -9,14 +9,12 @@ include @{exec_path} = @{bin}/v4l2-ctl profile v4l2-ctl @{exec_path} { include + include include - include + include @{exec_path} mr, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 8a1b5f355..f820d2953 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -16,12 +16,14 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include include + include include include include @@ -101,9 +103,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} r, - /dev/video@{int} rw, - # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From 5484f84764d2f1bc9c5ccf28494fdec5ada382aa Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Sat, 6 Sep 2025 23:32:06 +0200
Subject: [PATCH 067/184] tests(build): add tests for the stacked-dbus build task.
---
 pkg/prebuild/builder/core_test.go | 24 ++++++++++++++++++++++++
 pkg/prebuild/builder/stacked-dbus.go | 2 +-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go
index 06ceb1d28..c6c493472 100644
--- a/pkg/prebuild/builder/core_test.go
+++ b/pkg/prebuild/builder/core_test.go
@@ -231,6 +231,30 @@ func TestBuilder_Apply(t *testing.T) {
 want: "",
 wantErr: true,
 },
+ {
+ name: "stacked-dbus-1",
+ b: Builders["stacked-dbus"],
+ profile: `
+profile foo {
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
+}`,
+ want: `
+profile foo {
+dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus, label=dbus-session),
+dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined),
+
+}`,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go
index e33ecf4b7..eca8122c6 100644
--- a/pkg/prebuild/builder/stacked-dbus.go
+++ b/pkg/prebuild/builder/stacked-dbus.go
@@ -72,7 +72,7 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) {
 toResolve = append(toResolve, k)
 }
- rulesByParagraph, paragraphs, err := parse(kind, profile) //
+ rulesByParagraph, paragraphs, err := parse(kind, profile)
 if err != nil {
 return "", err
 }
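Review bot: The `want` text of `stacked-dbus-1` places both generated `dbus send` lines at column 0 while their continuation lines keep their leading indentation, so the test pins the builder's re-indentation of a rule's first line as well as the label substitution; if that indentation is incidental, a later formatting change will break this test for a reason unrelated to label resolution, and a comment such as `// the builder emits each resolved rule's first line unindented` would at least make the expectation explicit. A second case with a rule whose `label=` is not a `@{p_*}` variable would confirm that unaffected rules pass through unchanged. The `tests` table is defined above the hunk.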
From 64d71ffb6e762b5ba51302087731bbeb8577631d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 6 Sep 2025 23:45:08 +0200
Subject: [PATCH 068/184] build: attach: ensure we don't recursivelly call ourself.
---
 pkg/prebuild/builder/attach.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go
index 66ef18aef..1ec5e06b1 100644
--- a/pkg/prebuild/builder/attach.go
+++ b/pkg/prebuild/builder/attach.go
@@ -31,6 +31,9 @@ func init() {
 func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
 var insert string
 var origin = "profile " + opt.Name
+ if opt.File.HasSuffix("attached/base") {
+ return profile, nil // Do not re-attach twice
+ }
 if strings.Contains(profile, "attach_disconnected") {
 insert = "@{att} = /att/" + opt.Name + "/\n"
@@ -42,13 +45,17 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
 "include ",
 "include ",
 )
+ profile = strings.ReplaceAll(profile,
+ "include ",
+ "include ",
+ )
 profile = strings.ReplaceAll(profile,
 "include ",
 "include ",
 )
 } else {
- insert = "@{att} = /\n"
+ insert = "@{att} = \"\"\n"
 }
From 8c33125b5ec251c6c8996ea23f24c5380c597a8c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 6 Sep 2025 23:46:12 +0200
Subject: [PATCH 069/184] build: add missing server build task.
---
 pkg/prebuild/prepare/server.go | 105 +++++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 pkg/prebuild/prepare/server.go
diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go
new file mode 100644
index 000000000..85f98e75d
--- /dev/null
+++ b/pkg/prebuild/prepare/server.go
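Review bot: The early return on `opt.File.HasSuffix("attached/base")` is a suffix test, so if `HasSuffix` is a plain string comparison (its definition is not visible here) any path ending in that text, not only `abstractions/attached/base`, skips re-attachment; the second hunk adds a further `attached/` replacement, so the guard should probably cover the whole `attached/` directory, e.g. by matching the parent directory rather than one file. The change of the non-`attach_disconnected` default from `@{att} = /` to `@{att} = ""` is not mentioned in the commit message; a comment such as `// Without attach_disconnected, @{att} expands to nothing so @{att}/path stays a plain absolute path` would record the intent. The body of `Apply` continues outside the second hunk.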
@@ -0,0 +1,105 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + } + serverIgnoreGroups = []string{ + "akonadi", + "avahi", + "bluetooth", + "browsers", + "cosmic", + "cups", + "display-manager", + "flatpak", + "freedesktop", + "gnome", + "gvfs", + "hyprland", + "kde", + "lxqt", + "steam", + "xfce", + "zed", + } +) + +type Server struct { + prebuild.Base +} + +func init() { + RegisterTask(&Server{ + Base: prebuild.Base{ + Keyword: "server", + Msg: "Configure AppArmor for server", + }, + }) +} + +func (p Server) Apply() ([]string, error) { + res := []string{} + + // Ignore desktop related groups + groupNb := 0 + for _, group := range serverIgnoreGroups { + path := prebuild.RootApparmord.Join("groups", group) + if path.IsDir() { + if err := path.RemoveAll(); err != nil { + return res, err + } + groupNb++ + } else { + res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) + } + } + + // Ignore profiles using a desktop related abstraction + fileNb := 0 + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return res, err + } + for _, pattern := range serverIgnorePatterns { + if strings.Contains(profile, pattern) { + if err := file.RemoveAll(); err != nil { + return res, err + } + fileNb++ + break + } + } + } + + res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) + res = append(res, fmt.Sprintf("%d profiles ignored", fileNb)) + return res, nil +} 
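Review bot: The error from `ReadDirRecursiveFiltered` is dropped with `files, _ :=`, so a failed walk of `RootApparmord` leaves `files` empty and the task returns `nil` after reporting "0 profiles ignored", silently producing a server build in which none of the desktop-dependent profiles were pruned. Check it like the other calls in the function: `files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())` followed by `if err != nil { return res, err }`. Because every profile this task deletes means the corresponding program runs without its confinement on the server build, appending each removed path to `res` instead of only the final counts would let operators see what they lost. Note too that `strings.Contains` on a bare include pattern (targets are stripped in this rendering) also matches any longer abstraction name sharing the same prefix, so match the complete include line rather than a prefix.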
From e2f11d46b0a81322bfef9394d440a30edfc67958 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:48:59 +0200 Subject: [PATCH 070/184] tests(check): make the script configurable. Such that it can be used in downstream project with different folder structure. --- tests/check.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 60e23c694..861ca84fa 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -11,9 +11,11 @@ set -eu -o pipefail RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) +APPARMORD=${CHECK_APPARMORD:-apparmor.d} +SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled -readonly RES MAX_JOBS APPARMORD="apparmor.d" +readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -500,14 +502,14 @@ _check_udev() { check_sbin() { local file name jobs - mapfile -t sbin Date: Sat, 6 Sep 2025 23:51:12 +0200 Subject: [PATCH 071/184] tests(check): add support for global exclusion. --- tests/check.sh | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 861ca84fa..5b35f8816 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -15,6 +15,8 @@ APPARMORD=${CHECK_APPARMORD:-apparmor.d} SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled +declare _check_is_disabled_global +_FILE_IGNORE_ALL=false readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } 
@@ -44,6 +46,11 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then + if _in_array "$check" "${_check_is_disabled_global[@]}"; then + return 1 + fi + fi if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi @@ -70,10 +77,18 @@ _ignore_lint() { local checks line="$1" if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then - # Start of an ignore block - _IGNORE_LINT_BLOCK=true + # Start of an ignore block (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + # Treat as file-wide ignore + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + _IGNORE_LINT_BLOCK=false + return 0 + fi + _IGNORE_LINT_BLOCK=true + _check_is_disabled=("${_parsed[@]}") elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then # New paragraph, end of block @@ -81,22 +96,33 @@ _ignore_lint() { _check_is_disabled=() elif [[ $_IGNORE_LINT_BLOCK == true ]]; then - # Nothing to do, we are in a block + # Nothing to do, we are in a block/paragraph return 0 elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then - # Inline ignore + # Inline ignore (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + return 0 + fi + _check_is_disabled=("${_parsed[@]}") else - _check_is_disabled=() + # Do not clear if file-wide ignore is set + if ! $_FILE_IGNORE_ALL; then + _check_is_disabled=() + fi fi } _check() { local file="$1" - local line_number=0 + line_number=0 + _FILE_IGNORE_ALL=false + _check_is_disabled_global=() while IFS= read -r line; do line_number=$((line_number + 1)) 
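Review bot: `_ignore_lint` now reads `line_number`, which `_check` turned from a `local` into an undeclared global, so with `set -eu` in effect any call of `_ignore_lint` outside `_check` aborts on an unbound variable, and the file-wide rule `(( line_number <= 10 ))` is an undocumented magic threshold. Declare it with the other globals, `declare -i line_number=0`, and state the convention above the test, e.g. `# An ignore directive in the first 10 lines (the header) disables the checks for the whole file`. `_check_is_disabled_global` is also consulted before the per-block list, so a file-wide ignore can never be re-enabled further down the file; if that is intended it belongs in the same comment. `_check`'s body continues outside the hunk.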
From c239203e724df124cd0c0e4a35794e661a84b065 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:55:42 +0200 Subject: [PATCH 072/184] feat(abs): add the tpm abstraction. --- apparmor.d/abstractions/tpm | 16 ++++++++++++++++ apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-s-z/sbctl | 4 +--- 3 files changed, 18 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/tpm diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm new file mode 100644 index 000000000..ef7b30a2b --- /dev/null +++ b/apparmor.d/abstractions/tpm @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016-2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM +# resource manager /dev/tpmrm@{int} + + abi , + + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index d7a72c236..8447bff3e 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -20,6 +20,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -133,8 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, /dev/wmi/* r, profile gpg flags=(attach_disconnected,complain) { diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index ef007a32c..a4fdbac88 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include + include capability dac_read_search, capability linux_immutable, 
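Review bot: The new `tpm` abstraction grants the raw device `/dev/tpm@{int} rw,` together with `/dev/tpmrm@{int} rw,`, and the sbctl hunk in this commit swaps a profile that previously listed only `/dev/tpmrm@{int} rw,` for an include of it, so sbctl gains direct access to the TPM character device it did not have before. The raw device bypasses the kernel resource manager (exclusive open, no per-client handle or session isolation), which is more than a tool that was working through tpmrm needs. Consider keeping the single `/dev/tpmrm@{int} rw,` line in sbctl, or splitting the raw-device rule out so that only profiles such as fwupd that already used `/dev/tpm@{int}` include it, and spell out the difference in the abstraction's header comment.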
@@ -34,9 +35,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - /dev/pts/@{int} rw, - /dev/tpmrm@{int} rw, - # File Inherit deny network inet stream, deny network inet6 stream, From 2efdd6f5274af00e48adc4da0ab77e03805191f4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:43:44 +0200 Subject: [PATCH 073/184] feat(profile): improve ufw-init fix #843 --- apparmor.d/groups/firewall/ufw-init | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index aae80b87d..fcb9d8b6c 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,8 +11,10 @@ profile ufw-init @{exec_path} { include include + capability dac_override, capability dac_read_search, capability net_admin, + capability net_raw, network inet dgram, network inet raw, @@ -27,12 +29,29 @@ profile ufw-init @{exec_path} { @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, + @{bin}/kmod rCx -> kmod, /etc/default/ufw r, /etc/ufw/* r, + @{run}/xtables.lock rwk, + @{PROC}/@{pid}/net/ip_tables_names r, - # @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/x_tables/initstate r, + + include if exists + } profile sysctl { include From 1defbbc416b3fcb74acc8a35707c3c6c1a68ae49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:47:24 +0200 Subject: [PATCH 074/184] fix(abs): tmp path for wine tmp data. fix #836 --- apparmor.d/abstractions/wine | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 28d15cf76..145cd763a 100644 --- a/apparmor.d/abstractions/wine 
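Review bot: The new `kmod` child profile carries `capability sys_module,`, which lets it load any module the kernel will accept, and nothing in the hunk records which loads ufw-init actually triggers, so a later reviewer cannot tell whether the rule is still needed or over-broad. Add a comment above the capability such as `# Load netfilter/xtables modules on behalf of iptables` (the trigger is inferred from `@{sys}/module/x_tables/initstate r,` and should be confirmed from the denial). The parent also gains `capability dac_override,` with no hint of the file whose permissions it must bypass; prefer fixing that file's mode or documenting the path, since this capability defeats DAC for everything the profile can otherwise name. ufw-init's profile body continues outside the hunk.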
+++ b/apparmor.d/abstractions/wine @@ -9,9 +9,9 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/** rwk, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{att}/@{tmp}/.wine-@{uid}/ rw, + owner @{att}/@{tmp}/.wine-@{uid}/** rwk, + owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, From 06d476ccaa5eca22a6c70f1d39c13f8d061b6590 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:48:54 +0200 Subject: [PATCH 075/184] fix(profile): att on logind fix #833 --- apparmor.d/groups/systemd/systemd-logind | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 271354633..05c812b18 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -136,7 +136,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, + @{att}/dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, From 4771e56d88d2e30032cb2de3e71247eee3210ddd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:49:59 +0200 Subject: [PATCH 076/184] feat(profile): git: allow transition to github cli. fix #829 --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 0538f5da0..01b491b98 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git 
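Review bot: Only the three `@{tmp}/.wine-@{uid}` rules receive the `@{att}/` prefix, while the `/dev/shm/wine-@{hex6}-fsync` rules in the same paragraph keep the bare path. If the denial behind #836 came from a disconnected mount namespace, which is what the `@{att}` prefix addresses, the fsync objects opened by the same wineserver are likely to be reported the same way; confirm from the audit log and apply the prefix consistently, e.g. `owner @{att}/dev/shm/wine-@{hex6}-fsync rw,`. If the asymmetry is intentional, a one-line comment naming the issue above the block would keep it from being "fixed" later.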
@@ -65,6 +65,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, + @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, @{lib}/code/extensions/git/dist/askpass.sh rPx, From 5fe9e0ee9e88984b01006fd797e1a386ade091bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:52:40 +0200 Subject: [PATCH 077/184] feat(profile): support for Tumbleweed gs path. see #828 --- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/kde/kioworker | 2 +- tests/check.sh | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index acae9b7a1..642d7ef5c 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -62,7 +62,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 71465df97..0fc81a764 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,7 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner diff --git a/tests/check.sh b/tests/check.sh index 5b35f8816..b54bc157a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -221,6 +221,7 @@ declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" + ["gs"]="gs{,.bin}" ["which"]="which{,.debianutils}" ) _check_equivalent() { From a87449268b227f1242445a9d66f52b62279dac94 Mon Sep 17 00:00:00 2001 
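Review bot: `@{bin}/gh rPUx,` falls back to running gh unconfined whenever no `gh` profile is loaded, and gh is a network client holding the user's GitHub token, so the fallback path is exactly the one with the most to lose. If a gh profile exists in the tree, `rPx` is the safer transition; if it does not, a comment stating that the unconfined fallback is deliberate (matching the `meld` rule next to it) keeps the choice visible to the next reader. git's profile body continues outside the hunk.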
From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:05:19 +0200 Subject: [PATCH 078/184] feat(profile): various improvement for Tumbleweed fix #828 --- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/kde/dolphin | 9 +++++++-- apparmor.d/groups/kde/kwin_x11 | 1 + apparmor.d/groups/kde/okular | 5 ++++- apparmor.d/profiles-g-l/libreoffice | 9 ++++++--- 5 files changed, 19 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index a06a29da4..b448c542d 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -46,7 +46,7 @@ owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, + owner @{user_config_dirs}/session/*_* rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2d3b099d7..022c0beec 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -25,7 +25,11 @@ profile dolphin @{exec_path} { network netlink raw, - signal (send) set=(term) peer=kioworker, + signal send set=hup peer=@{p_systemd}, + signal send set=term peer=kioworker, + + ptrace read peer=@{p_systemd}, + ptrace read peer=okular, @{exec_path} mr, @@ -109,10 +113,11 @@ profile dolphin @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index f4f955a4f..ac80b3b18 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 
@@ -41,6 +41,7 @@ profile kwin_x11 @{exec_path} { /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, + /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index acd9b7430..a2ffad26f 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -23,6 +23,8 @@ profile okular @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + signal send set=term peer=kioworker, @{exec_path} mr, @@ -69,7 +71,7 @@ profile okular @{exec_path} { owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, @@ -82,6 +84,7 @@ profile okular @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, profile gpg { include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index dfb9361f3..de1c4a856 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice 
@@ -78,21 +78,24 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, + /etc/cups/ppd/*.ppd r, /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, - /etc/paperspecs r, /etc/papersize r, + /etc/paperspecs r, /etc/xdg/* r, /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, + + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/soffice.*.lock rwk, owner @{user_config_dirs}/plasma_workspace.notifyrc r, - owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/soffice.binrc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, From e370a66c5be6193117a75e3e7c3f3b0d72564495 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:10:51 +0200 Subject: [PATCH 079/184] fix(profile): issues with stacking fix #819 --- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/gnome/gnome-calculator | 2 +- apparmor.d/groups/procps/pgrep | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index cb7edf822..840500c52 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} { +profile xdg-settings @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 4e83bfb76..2f1cc0e89 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} { +profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 489f55bd7..d10c1e772 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pgrep -profile pgrep @{exec_path} { +profile pgrep @{exec_path} flags=(attach_disconnected) { include include include From fda63da65e42a19f2216ecff92783cfa7675e3bd Mon Sep 17 00:00:00 2001 From: sbrantler Date: Wed, 3 Sep 2025 13:17:58 +0200 Subject: [PATCH 080/184] Add xfce-clipman --- apparmor.d/groups/xfce/xfce-clipman | 31 +++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 apparmor.d/groups/xfce/xfce-clipman diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman new file mode 100644 index 000000000..270f7266f --- /dev/null +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Sighy Brantler +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xfce4-clipman +profile xfce-clipman @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + + owner @{user_cache_dirs}/xfce4/clipman/ r, + owner @{user_cache_dirs}/xfce4/clipman/* rw, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 0f0082fd5b5fa2bb10244651f4ab81dacb6146c7 Mon Sep 17 00:00:00 2001 
From: doublez13 Date: Mon, 11 Aug 2025 10:27:07 -0600 Subject: [PATCH 081/184] Add profile for kinit --- apparmor.d/profiles-g-l/kinit | 39 +++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kinit diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit new file mode 100644 index 000000000..26cdcbd18 --- /dev/null +++ b/apparmor.d/profiles-g-l/kinit @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kinit +profile kinit @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Host keytab file + /etc/krb5.keytab r, + + #User keytab file + /var/lib/krb5/user/*/client.keytab r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor From 4f4f5c464e7b0fb9b2392a0cbaec15b321c379a2 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:27:57 -0600 Subject: [PATCH 082/184] Add profile for kdestroy --- apparmor.d/profiles-g-l/kdestroy | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kdestroy diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy new file mode 100644 index 000000000..1e34b0193 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdestroy 
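Review bot: The credential-cache rules `/tmp/krb5cc_* rwk,` and `/tmp/tkt* rwk,` carry no `owner` qualifier, so the profile itself permits kinit to read and rewrite every user's cache in /tmp and relies on DAC alone; kinit runs as the invoking user and, unlike the kdestroy and klist profiles in this series, states no root use case, so `owner @{tmp}/krb5cc_* rwk,` and `owner @{tmp}/tkt* rwk,` are the least-privilege form (and `@{tmp}` follows the convention used in the wine abstraction in this series). Note also that `*` does not cross `/`, so a directory-type cache collection (`krb5cc_<uid>/`) is not covered and would need an explicit `{,**}` variant if it is meant to be supported; confirm against the default ccache configuration in use.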
@@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kdestroy +profile kdestroy @{exec_path} { + include + + @{exec_path} mr, + + #Allow root to destroy other users' creds cache + capability dac_override, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor From a4798a2f383f205584a8cf11f715d4b0b3ea6ceb Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:28:50 -0600 Subject: [PATCH 083/184] Add profile for klist --- apparmor.d/profiles-g-l/klist | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apparmor.d/profiles-g-l/klist diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist new file mode 100644 index 000000000..0dc0c89ba --- /dev/null +++ b/apparmor.d/profiles-g-l/klist @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/klist +profile klist @{exec_path} { + include + + @{exec_path} mr, + + #Allow root to list other users' creds cache + capability dac_override, + capability dac_read_search, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Host keytab file + /etc/krb5.keytab r, + + #User keytab file + /var/lib/krb5/user/*/client.keytab rk, + + #Credentials cache + /tmp/krb5cc_* rk, + /tmp/tkt* rk, + + include if exists +} + +# vim:syntax=apparmor From 7a610bb5fa9ad2ae370a71170c4142c0cdc8cdbe Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:37:53 -0600 Subject: [PATCH 084/184] Formatting Fix --- apparmor.d/profiles-g-l/kdestroy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
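Review bot: klist opens the credential caches read-only (`/tmp/krb5cc_* rk,`, `/tmp/tkt* rk,`), and `capability dac_read_search,` already bypasses the read and search checks for root, so the additional `capability dac_override,` buys nothing here but hands the profile write and execute bypass on every path it names. Drop it and keep `capability dac_read_search,` alone under the `#Allow root to list other users' creds cache` comment unless a denial shows a write path. The absence of `owner` on the cache rules is consistent with that comment's intent and should stay, since an `owner` qualifier is not overridden by capabilities.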
diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy index 1e34b0193..0a4ed9ab5 100644 --- a/apparmor.d/profiles-g-l/kdestroy +++ b/apparmor.d/profiles-g-l/kdestroy @@ -10,11 +10,11 @@ include profile kdestroy @{exec_path} { include - @{exec_path} mr, - #Allow root to destroy other users' creds cache capability dac_override, + @{exec_path} mr, + #Config Files /etc/krb5.conf r, /etc/krb5.conf.d/{,**} r, From 00f63f77e1881067c3ff447ac2b5dbbaa6fe2db1 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:39:34 -0600 Subject: [PATCH 085/184] Formatting Fix --- apparmor.d/profiles-g-l/klist | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 0dc0c89ba..9deeeedd8 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -10,12 +10,12 @@ include profile klist @{exec_path} { include - @{exec_path} mr, - #Allow root to list other users' creds cache capability dac_override, capability dac_read_search, + @{exec_path} mr, + #Config Files /etc/krb5.conf r, /etc/krb5.conf.d/{,**} r, From c51f189ca0f6723475a0db2d860f58c28ccc8496 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:46:04 -0600 Subject: [PATCH 086/184] Use abstractions where possible --- apparmor.d/profiles-g-l/kdestroy | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy index 0a4ed9ab5..ccc0a2b25 100644 --- a/apparmor.d/profiles-g-l/kdestroy +++ b/apparmor.d/profiles-g-l/kdestroy @@ -9,16 +9,13 @@ include @{exec_path} = @{bin}/kdestroy profile kdestroy @{exec_path} { include + include #Allow root to destroy other users' creds cache capability dac_override, @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - #Credentials cache /tmp/krb5cc_* rwk, /tmp/tkt* rwk, From 415bd4aa445e587e1e7df523af998c49dcd14758 Mon Sep 17 00:00:00 2001 
From: doublez13 Date: Thu, 4 Sep 2025 07:48:57 -0600 Subject: [PATCH 087/184] Use abstractions where possible --- apparmor.d/profiles-g-l/kinit | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit index 26cdcbd18..067886f89 100644 --- a/apparmor.d/profiles-g-l/kinit +++ b/apparmor.d/profiles-g-l/kinit @@ -10,6 +10,7 @@ include profile kinit @{exec_path} { include include + include network inet dgram, network inet6 dgram, @@ -19,13 +20,6 @@ profile kinit @{exec_path} { @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - - #Host keytab file - /etc/krb5.keytab r, - #User keytab file /var/lib/krb5/user/*/client.keytab r, From e86f77fa4bfd8a46fea4555f8829231737fcad51 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:50:41 -0600 Subject: [PATCH 088/184] Use abstractions where possible --- apparmor.d/profiles-g-l/klist | 7 ------- 1 file changed, 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 9deeeedd8..c9e30b775 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -16,13 +16,6 @@ profile klist @{exec_path} { @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - - #Host keytab file - /etc/krb5.keytab r, - #User keytab file /var/lib/krb5/user/*/client.keytab rk, From cbc4f19b8bdf264e56e138e36c16b4f3b7bdcc6c Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:10:11 -0600 Subject: [PATCH 089/184] Be more specific on client keytab path --- apparmor.d/profiles-g-l/kinit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit index 067886f89..706a11c10 100644 --- a/apparmor.d/profiles-g-l/kinit +++ b/apparmor.d/profiles-g-l/kinit 
@@ -21,7 +21,7 @@ profile kinit @{exec_path} { @{exec_path} mr, #User keytab file - /var/lib/krb5/user/*/client.keytab r, + /var/lib/krb5/user/@{uid}/client.keytab r, #Credentials cache /tmp/krb5cc_* rwk, From 9cac4eeb901cfd4b5ce3633c26525ade4ff1afbe Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:11:43 -0600 Subject: [PATCH 090/184] Be more specific on client keytab path --- apparmor.d/profiles-g-l/klist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index c9e30b775..71411ccc9 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -17,7 +17,7 @@ profile klist @{exec_path} { @{exec_path} mr, #User keytab file - /var/lib/krb5/user/*/client.keytab rk, + /var/lib/krb5/user/@{uid}/client.keytab rk, #Credentials cache /tmp/krb5cc_* rk, From b1c0cfdab5ec66b3806117ed0be4d00a701a69e2 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:20:53 -0600 Subject: [PATCH 091/184] Use abstractions where possible --- apparmor.d/profiles-g-l/klist | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 71411ccc9..f21f34295 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/klist profile klist @{exec_path} { include + include #Allow root to list other users' creds cache capability dac_override, From 5c3c1522571432c0d5398959962974d7410de9ba Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:35:36 -0600 Subject: [PATCH 092/184] Run kerberos utils in complain mode --- dists/flags/main.flags | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2c01d9553..cd9a0e5a6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
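Review bot: `@{uid}` here is a numeric glob, not the calling user's id, so `/var/lib/krb5/user/@{uid}/client.keytab r,` still matches every user's client keytab; the change from `*` only excludes non-numeric directory names. For kinit, which has no stated root use case, `owner /var/lib/krb5/user/@{uid}/client.keytab r,` binds the rule to the caller, assuming the per-user keytab directory is owned by that user as the euid-keyed layout suggests — confirm for this deployment. For klist, which deliberately lets root inspect other users' data, the unqualified form is consistent with its cache rules and can stay.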
@@ -185,6 +185,7 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdestroy complain kdump_mem_estimator complain kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected @@ -193,9 +194,11 @@ kernel-install complain kernel-postinst-kdump complain keyboxd complain kglobalacceld complain +kinit complain kio_http_cache_cleaner complain kiod complain kioworker complain +klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain From 0ffc8f9fa6bbfa0af350019a1420c23fdbded7fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:56:44 +0200 Subject: [PATCH 093/184] fix: self raised linter issue. --- apparmor.d/groups/cups/cups-backend-pdf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 6f658b064..21da6bf93 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -25,7 +25,7 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, From 6400bc725c78d569dc70804e0f9c92d4fb35d787 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 21:20:32 +0200 Subject: [PATCH 094/184] tests: update some unit tests to the last changes. --- pkg/prebuild/builder/core_test.go | 48 ++++++++++++++++++++++++++++- pkg/prebuild/directive/dbus.go | 17 +++++++--- pkg/prebuild/directive/dbus_test.go | 8 +++-- 3 files changed, 64 insertions(+), 9 deletions(-) diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index c6c493472..6bcf74647 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go 
@@ -253,12 +253,58 @@ dbus send bus=session path=/org/freedesktop/DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), +}`, + }, + { + name: "base-strict-1", + b: Builders["base-strict"], + profile: ` +profile foo { + include +}`, + want: ` +profile foo { + include +}`, + }, + { + name: "attach-1", + b: Builders["attach"], + profile: ` +profile attach-1 flags=(attach_disconnected) { + include + include + include +}`, + want: ` +@{att} = /att/attach-1/ +profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { + include + include + include +}`, + }, + { + name: "attach-2", + b: Builders["attach"], + profile: ` +profile attach-2 flags=(complain) { + include + include + include +}`, + want: ` +@{att} = "" +profile attach-2 flags=(complain) { + include + include + include }`, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 891eb9e1d..4862597bb 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -135,7 +135,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { } res = append(res, - // DBus.Properties + // DBus.Properties: reply to properties request from anyone &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", 
@@ -143,7 +143,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, - // DBus.Introspectable + // DBus.Introspectable: allow clients to introspect the service &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", @@ -151,7 +151,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"@{busname}"`, }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", @@ -170,7 +170,14 @@ func (d Dbus) own(rules map[string]string) aa.Rules { func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) - res := aa.Rules{} + res := aa.Rules{ + &aa.Unix{ + Type: "stream", + Address: "none", + PeerLabel: rules["label"], + PeerAddr: "none", + }, + } // Interfaces for _, iface := range interfaces { @@ -198,7 +205,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 0844fd745..d6e90bb99 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -8,7 +8,7 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include +const dbusOwnSystemd1 = ` include dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} 
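Review bot: The `&aa.Unix{...}` literal that now seeds `res` in talk() grants `unix type=stream addr=none peer=(label=<label>, addr=none)` to every profile that uses `#aa:dbus talk`, whether or not that peer ever exchanges a socket with it (the dbus_test.go hunk in this commit shows the rendered rule for the accounts-daemon case), so each talk directive now widens policy beyond bus messaging. If every talk peer genuinely needs this — presumably for fd passing alongside bus calls — say so above the literal, e.g. `// Unnamed stream sockets accompany bus traffic (fd passing); allow them with the talk peer.`; otherwise emit the rule only when the directive asks for it. `rules["label"]` is also used unchecked, so a talk directive without a label would render `peer=(label=, addr=none)`; if label is optional for talk, guard this rule on it. talk()'s body continues outside the hunk.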
@@ -73,7 +73,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include + want: ` include dbus bind bus=session name=com.rastersoft.ding{,.*}, dbus receive bus=session path=/com/rastersoft/ding{,/**} @@ -120,7 +120,9 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} From c4ebf8903e30ec49a16c7d5aeea74b726aeab8f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 21:43:06 +0200 Subject: [PATCH 095/184] tests(builder): cleanup build settings between tests. --- cmd/prebuild/main_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go index d3c28f025..7bf2c0e1a 100644 --- a/cmd/prebuild/main_test.go +++ b/cmd/prebuild/main_test.go @@ -10,6 +10,8 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) func chdirGitRoot() { @@ -49,6 +51,8 @@ func Test_main(t *testing.T) { chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + prepare.Prepares = []prepare.Task{} + builder.Builds = []builder.Builder{} prebuild.Distribution = tt.dist main() }) 
From 237daecedb362bf405b19b5402b5221d78f1f533 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:07:03 +0200 Subject: [PATCH 096/184] tests: remove prebuild main test. - the same is tested in the build process - unit test is done in the prebuild pkg --- cmd/prebuild/main_test.go | 60 --------------------------------------- 1 file changed, 60 deletions(-) delete mode 100644 cmd/prebuild/main_test.go diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go deleted file mode 100644 index 7bf2c0e1a..000000000 --- a/cmd/prebuild/main_test.go +++ /dev/null @@ -1,60 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "os" - "os/exec" - "testing" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" -) - -func chdirGitRoot() { - cmd := exec.Command("git", "rev-parse", "--show-toplevel") - out, err := cmd.Output() - if err != nil { - panic(err) - } - root := string(out[0 : len(out)-1]) - if err := os.Chdir(root); err != nil { - panic(err) - } -} - -func Test_main(t *testing.T) { - tests := []struct { - name string - dist string - }{ - { - name: "Build for Archlinux", - dist: "arch", - }, - { - name: "Build for Ubuntu", - dist: "ubuntu", - }, - { - name: "Build for Debian", - dist: "debian", - }, - { - name: "Build for OpenSUSE Tumbleweed", - dist: "opensuse", - }, - } - chdirGitRoot() - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - prepare.Prepares = []prepare.Task{} - builder.Builds = []builder.Builder{} - prebuild.Distribution = tt.dist - main() - }) - } -} From 627700a152bbea3fdfd10c4c97009c92b4933bfb Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:07:31 +0200 Subject: [PATCH 097/184] build: set config for ubuntu 25.10 --- cmd/prebuild/main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 5eb1ab2f2..455621e5b 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -49,6 +49,9 @@ func init() { case "noble": prebuild.ABI = 4 prebuild.Version = 4.0 + case "questing": + prebuild.ABI = 4 + prebuild.Version = 5.0 } case "debian": From b45e1f36fee6fc038b8867f9ffc62a2ab866e433 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:59:00 +0200 Subject: [PATCH 098/184] build: add support for downstream project in some prepare tasks. --- pkg/prebuild/cli/cli.go | 5 ++++- pkg/prebuild/directories.go | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 981331edd..bf768c050 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -139,8 +139,11 @@ func Configure() { builder.Register("stacked-dbus") } else { + if !prebuild.DownStream { + prepare.Register("attach") + } builder.Register("attach") - prepare.Register("attach") + } default: diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 37cbc69bc..201d8c841 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Tells the build we are a downstream project using apparmor.d as dependency + DownStream = false + // Either or not RBAC is enabled RBAC = false From f61f200427be4032873d39add37cf1f3f6796ca8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 23:52:11 +0200 Subject: [PATCH 099/184] build: ignore more abstraction for the server edition. --- pkg/prebuild/prepare/server.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go index 85f98e75d..fb9a1f602 100644 
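Review bot: The new `if !prebuild.DownStream` guard in Configure() skips only the `attach` prepare task while the `attach` builder is still registered unconditionally, and nothing in the hunk says why a downstream build wants one without the other. A one-line comment would stop the next reader from "fixing" the asymmetry, e.g. `// Downstream projects provide their own attach tunables; only the builder step applies.` (adjust to the actual reason). The `DownStream` flag introduced in directories.go is package-level mutable state with no setter visible in this series; its comment could name who is expected to set it and when. Configure()'s switch continues outside the hunk.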
--- a/pkg/prebuild/prepare/server.go +++ b/pkg/prebuild/prepare/server.go @@ -14,6 +14,9 @@ import ( var ( serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", "include ", "include ", "include ", From ca1827ea1207242018ba604c7a789b6beb0992e9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 23:53:02 +0200 Subject: [PATCH 100/184] fix: missing attach_disconnected in parrent profile while subprofile was using it. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 866da3d6a..e5293021c 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} { +profile su @{exec_path} flags=(attach_disconnected) { include include include From aec8e413b36e0a8845ace7483a2299a9b957dc66 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Thu, 4 Sep 2025 16:58:49 +0200 Subject: [PATCH 101/184] fix slurp --- apparmor.d/profiles-s-z/slurp | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index c4250275e..c795ee08e 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -16,6 +16,7 @@ profile slurp @{exec_path} { # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, + owner /dev/shm/@{uuid} r, include if exists } From d9ecbdbe4b87418e6ed2e4432240eaadc5bad8ad Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 8 Sep 2025 16:14:44 +0200 Subject: [PATCH 102/184] slurp review fixes --- apparmor.d/profiles-s-z/slurp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index c795ee08e..740af9b7b 100644 --- a/apparmor.d/profiles-s-z/slurp 
+++ b/apparmor.d/profiles-s-z/slurp @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include + include + include @{exec_path} mr, @@ -16,7 +18,6 @@ profile slurp @{exec_path} { # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, - owner /dev/shm/@{uuid} r, include if exists } From b569d447031d6a8fe31cdfc1fd0a3540e71f1ded Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 22:09:38 +0200 Subject: [PATCH 103/184] feat(profile): update apt profiles. --- apparmor.d/abstractions/common/apt | 6 +++++- apparmor.d/groups/apt/apt | 4 +++- apparmor.d/groups/apt/apt-helper | 2 ++ apparmor.d/groups/apt/apt-methods-http | 2 ++ apparmor.d/groups/apt/deb-systemd-invoke | 2 ++ apparmor.d/groups/apt/dpkg | 3 +++ apparmor.d/groups/apt/dpkg-buildflags | 5 ++++- apparmor.d/groups/apt/dpkg-checkbuilddeps | 11 ++++++++--- apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++ apparmor.d/groups/apt/dpkg-scripts | 4 ++++ apparmor.d/groups/apt/unattended-upgrade | 4 ++++ 11 files changed, 44 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index a267fd909..bec8d9a20 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -6,6 +6,7 @@ abi , /usr/share/dpkg/cputable r, + /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, /usr/share/dpkg/varianttable r, @@ -19,6 +20,9 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*} r, + /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -26,7 +30,7 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9bdabb1c2..ade8bee61 100644 
--- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -147,6 +147,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, + /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, @@ -190,6 +191,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/bunzip2 rix, @{bin}/chmod rix, + @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, @@ -197,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/debian r, + /etc/dpkg/origins/* r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 5a2d7dd55..f16e98d2f 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -25,6 +25,8 @@ profile apt-helper @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 61be160dc..77a418b07 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -74,6 +74,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { @{run}/ubuntu-advantage/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index d2e9e9260..824d3b4dd 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke 
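Review bot: The new `/tmp/apt-tmp-index.@{rand6} rw,` rule in the apt profile carries no `owner` qualifier, unlike the `owner @{tmp}/apt-changelog-*/...` and `owner @{tmp}/apt-dpkg-install-*/...` rules directly below it, so apt may read and write a file of that name created by any other user in the world-writable /tmp. Unless apt must open such a file created under a different uid, `owner /tmp/apt-tmp-index.@{rand6} rw,` limits the rule to files the confined process owns and keeps it consistent with its neighbours; using `@{tmp}` instead of a literal `/tmp` would also match the sibling rules' form. The profile body continues outside the hunk.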
@@ -15,6 +15,8 @@ profile deb-systemd-invoke @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 2c1ac1ce5..986c6f188 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -18,6 +18,9 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, + capability sys_ptrace, + + ptrace read peer=apt, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 467d0d50e..1a4055f77 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -14,10 +14,13 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { @{exec_path} r, - /etc/dpkg/origins/debian r, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/abitable r, + + /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 6f54d3967..712a74e8c 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -11,16 +11,21 @@ include profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include include + include @{exec_path} r, - /etc/dpkg/origins/debian r, - - /var/lib/dpkg/status r, + @{bin}/dpkg rPx, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/dpkg/ostable r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /etc/dpkg/origins/* r, + + /var/lib/dpkg/status r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 38a068ac0..73a4f6c46 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor 
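Review bot: `capability sys_ptrace,` is added to the dpkg profile without a comment on what it is for; the accompanying `ptrace read peer=apt,` confines the target to apt-labelled processes, but the capability line on its own reads as a blanket grant. A why-comment beside the pair — e.g. `# read apt's /proc entries (parent process detection) — confirm` — would let a later reviewer check that only `read` on apt is still what dpkg needs. The profile body continues outside the hunk.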
+++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -2,6 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# TODO: merge with dpkg-scripts + abi , include @@ -16,8 +18,13 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/{,e}grep ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/mkdir ix, @{bin}/deb-systemd-helper Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/dpkg Px -> child-dpkg, @{bin}/deb-systemd-invoke Px, @{bin}/dpkg-divert ix, @{bin}/systemctl Cx -> systemctl, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 8ae76e706..acde577de 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -114,6 +114,10 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + ptrace read peer=@{p_systemd}, + @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d501a325f..ebdc88d08 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -38,6 +38,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, + #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade + @{exec_path} mr, @{bin}/ r, @@ -70,6 +72,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, + /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, 
@@ -127,6 +130,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, From 394dc54ceb7ff80bbbde064992f1580eee64e0ac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 22:13:12 +0200 Subject: [PATCH 104/184] feat(profile): update snap profiles. --- apparmor.d/groups/snap/snap | 33 ++++++++++++++++++++++++--- apparmor.d/groups/snap/snap-update-ns | 4 +++- apparmor.d/groups/snap/snapd | 14 ++++++++---- 3 files changed, 43 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 0d38fc055..9530b8594 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -17,13 +17,19 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include include + include capability chown, capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, + capability sys_ptrace, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, ptrace read peer=snap.*, @@ -36,7 +42,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings - #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" 
@@ -59,9 +65,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/unsquashfs rCx -> unsquashfs, @{bin}/xdg-settings rCx -> xdg-settings, - @{lib_dirs}/** mr, + @{bin_dirs}/xdelta3 ix, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, @@ -80,6 +88,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{HOME}/.snap/{,**} rw, @{HOME}/snap/{,**} rw, + @{user_pkg_dirs}/** r, + + owner @{tmp}/read-file@{int}/unpack/{,**} w, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, @@ -176,14 +187,30 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include - network unix stream, + capability net_admin, + network unix stream, + network (send receive) netlink raw, + + @{run}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/private rw, include if exists } + profile unsquashfs { + include + + @{bin}/unsquashfs mr, + + /**.snap r, + + owner /tmp/read-file@{int}/unpack/{,**} w, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index e831cc90c..5d08a4240 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -34,7 +34,9 @@ profile snap-update-ns @{exec_path} { @{lib_dirs}/**.so* mr, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - /usr/share/xml/iso-codes/ w, + + /usr/share/xml/ r, + /usr/share/xml/iso-codes/ rw, /var/lib/snapd/mount/{,*} r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 4a928e6d4..87e535b3f 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd 
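Review bot: `@{bin_dirs}/xdelta3 ix,` in the snap profile runs the delta decoder inside snap's own domain, which in this same patch also holds `capability sys_admin`, `capability setuid` and the newly added `capability sys_ptrace`; a parser of downloaded delta data is exactly the component that benefits from a narrower domain. The neighbouring `@{bin}/unsquashfs rCx -> unsquashfs,` line already shows the pattern: `@{bin_dirs}/xdelta3 rCx -> xdelta3,` with a small `profile xdelta3 { ... }` child limited to reading the delta inputs and writing the unpack target. If `ix` is deliberate (xdelta3 needs the inherited environment for some reason), a comment on that line should say so. The profile body continues outside the hunk.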
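Review bot: The new `unsquashfs` child profile writes to `owner /tmp/read-file@{int}/unpack/{,**} w,` while the parent rule added in the @@ -80 hunk of the same file uses `owner @{tmp}/read-file@{int}/unpack/{,**} w,`; the two should agree, and `@{tmp}` is the form the rest of the profile uses. Prefer `owner @{tmp}/read-file@{int}/unpack/{,**} w,` in the child so both resolve to the same directory on every distribution. The `run` child in the same hunk gains `capability net_admin,` with no comment on why starting a snap from the cli needs it; a one-line why-comment there would help. The parent profile body continues outside the hunk.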
@@ -97,10 +97,11 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, + /usr/share/dbus-1/{system,session}.d/ rw, + /usr/share/dbus-1/{system,session}.d/snapd* rw, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**} r, - /usr/share/polkit-1/actions/snap.*.policy r, + /usr/share/polkit-1/actions/snap.*.policy* rw, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -190,6 +191,8 @@ profile snapd @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, @@ -229,9 +232,12 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, - @{bin}/tar ix, - owner @{HOME}/snap/*/common/.cache/{,**} r, + @{sh_path} ix, + @{bin}/gzip ix, + @{bin}/tar ix, + + owner @{HOME}/snap/*/{,**} r, include if exists } From f69a7e7213d81ddd0c3c760400edfdc025be05e0 Mon Sep 17 00:00:00 2001 
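Review bot: In snapd's runuser child, `@{sh_path} ix,` now runs a shell inside the child profile and the read rule widens from `owner @{HOME}/snap/*/common/.cache/{,**} r,` to `owner @{HOME}/snap/*/{,**} r,`, but the commit does not say which snapd operation needs shell, tar and gzip over the whole per-snap home tree (a user-data snapshot, presumably). A comment on the child naming that operation — and dropping `@{sh_path}` if tar/gzip are invoked directly — would keep the subprofile reviewable. The child profile's header is outside the hunk.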
From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:04:36 +0200 Subject: [PATCH 105/184] feat(profile): update gnome profiles. --- .../bus/org.gnome.keyring.internal.Prompter | 2 + .../gnome/evolution-addressbook-factory | 2 + .../groups/gnome/evolution-calendar-factory | 1 + apparmor.d/groups/gnome/gdm | 23 +++++----- apparmor.d/groups/gnome/gdm-generate-config | 3 +- apparmor.d/groups/gnome/gio-launch-desktop | 2 + apparmor.d/groups/gnome/gnome-calculator | 2 + apparmor.d/groups/gnome/gnome-calendar | 15 +++---- apparmor.d/groups/gnome/gnome-control-center | 9 +++- .../groups/gnome/gnome-disk-image-mounter | 7 +++ apparmor.d/groups/gnome/gnome-extension-ding | 4 +- .../groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 9 ++-- apparmor.d/groups/gnome/gnome-session | 10 +++++ apparmor.d/groups/gnome/gnome-shell | 44 ++++++++++--------- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-power | 10 ++++- .../groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/gsd-sharing | 5 +++ apparmor.d/groups/gnome/gsd-usb-protection | 5 +++ apparmor.d/groups/gnome/kgx | 1 + apparmor.d/groups/gnome/localsearch | 7 +++ apparmor.d/groups/gnome/mutter-x11-frames | 1 + apparmor.d/groups/gnome/nautilus | 9 ++++ apparmor.d/groups/gnome/papers | 9 ++++ apparmor.d/groups/gnome/ptyxis | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 11 ++++- apparmor.d/groups/gnome/tracker-extract | 5 +-- apparmor.d/groups/gnome/tracker-miner | 4 +- apparmor.d/tunables/multiarch.d/system-users | 2 +- 32 files changed, 153 insertions(+), 58 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter index 1c3e8f760..0816b046f 100644 --- a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter 
+++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -11,6 +11,8 @@ abi , + unix type=stream peer=(label=gnome-keyring-daemon), + dbus send bus=session path=/org/gnome/keyring/Prompter interface=org.gnome.keyring.internal.Prompter member={BeginPrompting,PerformPrompt,StopPrompting} diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index b56af123d..56fd3ce3f 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -27,7 +27,9 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 3d1d00f28..2ee416bd9 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,6 +12,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 4c84fe822..3f958cb7e 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -17,6 +17,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, + capability fowner, capability fsetid, capability kill, capability net_admin, 
@@ -54,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, @@ -66,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - owner @{GDM_HOME}/block-initial-setup rw, + @{GDM_HOME}/ rw, + @{GDM_HOME}/** rw, - @{run}/gdm{3,}/greeter/ rw, - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, - owner @{run}/gdm{3,}.pid rw, - owner @{run}/gdm{3,}/ rw, - owner @{run}/gdm{3,}/custom.conf r, - owner @{run}/gdm{3,}/dbus/ w, - owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - owner @{run}/gdm{3,}/gdm.pid rw, + @{run}/gdm{,3}/ rw, + owner @{run}/gdm{,3}.pid rw, + owner @{run}/gdm{,3}/dbus/ rw, + owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, + + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 6e67866f5..c5e6d4cd5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -44,8 +44,9 @@ profile gdm-generate-config @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index a3d285e94..eb76f1207 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop 
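Review bot: The rewrite of the `@{run}/gdm` block removes `owner @{run}/gdm{3,}/custom.conf r,`, `@{run}/gdm{3,}/greeter/ rw,` and `owner @{run}/gdm{3,}/gdm.pid rw,`, but the replacement `@{run}/gdm{,3}/ rw,` matches only the directory itself, not entries inside it, so those three accesses are lost unless an include outside the hunk covers them. If the directory contents are meant to be allowed, `@{run}/gdm{,3}/{,**} rw,` (or re-adding the three rules) restores them. Separately, `owner @{GDM_HOME}/block-initial-setup rw,` becomes `@{GDM_HOME}/** rw,` without `owner`, a much wider grant for a root daemon; keep `owner` if gdm only touches files it created. The profile body continues outside the hunk.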
@@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, + @{lib}/*/** rPx, + @{lib}/* rPx, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2f1cc0e89..4ab9b165f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -20,6 +20,8 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Calculator + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 7d6d5246d..872fc6858 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar 
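Review bot: `@{lib}/*/** rPx,` and `@{lib}/* rPx,` let gio-launch-desktop execute any file under @{lib} with a profile transition; `Px` (rather than the `rPUx` used for gnome-terminal a few lines up) means a target without its own profile is refused, which is the fail-closed choice but is not obvious to a reader of two bare globs. A comment such as `# Launch any profiled helper under @{lib}; Px (not PUx) so unprofiled binaries are refused` would record the intent, and if the set of launched helpers is known, listing them keeps the rule auditable. The profile body continues outside the hunk.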
@@ -24,20 +24,19 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, @{open_path} rPx -> child-open-help, 
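Review bot: The explicit `dbus send ... path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects` rule is replaced by `#aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry`, which, judging by the talk() generator changed earlier in this series, expands to send/receive on the whole interface plus ObjectManager and a unix stream rule — wider than the single member the old rule named. If gnome-calendar really uses that wider set the change is fine, but the commit does not say so; a trailing `# was: ObjectManager GetManagedObjects only` on the directive, or keeping the explicit rule, preserves the audit trail. The profile body continues outside the hunk.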
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 10f310232..8ef24e9ce 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -41,10 +41,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -53,6 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" 
@@ -63,6 +65,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 379a887b3..519a248d8 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,17 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include + include + include + include + include + include include include include + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e47cc66a3..be7edcd79 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -58,8 +58,8 @@ profile gnome-extension-ding @{exec_path} { @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 22c02a97f..7af7b8b2f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect 
@@ -75,6 +75,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{run}/user/@{uid}/gsconnect/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 6752f54d4..595b3fd48 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -19,12 +19,15 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { capability ipc_lock, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=ssh-agent, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=ssh-agent, + + unix type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} - #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 7bcf80431..257e91c0a 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -16,6 +16,14 @@ profile gnome-session @{exec_path} { include include + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{shells_path} rix, 
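Review bot: `owner @{run}/user/@{uid}/keyring/ssh rw` in the gnome-extension-gsconnect hunk hands the extension the gnome-keyring SSH agent socket, i.e. the ability to sign with every key loaded in the user's agent. If the need comes from gsconnect's sftp plugin, the ssh client is normally spawned by gvfsd-sftp rather than by the extension itself, so it is worth confirming the denial was logged against this profile and not inherited from a child. Either way a why-comment such as `# gnome-keyring ssh-agent socket, used by the sftp plugin` would record the justification next to a rule this sensitive.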
@@ -64,6 +72,8 @@ profile gnome-session @{exec_path} { owner @{HOME}/ r, + owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7344b735b..8278ac648 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -24,13 +24,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include include + include include include include @@ -72,6 +72,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager @@ -79,6 +80,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting # Talk with gnome-shell 
@@ -87,32 +89,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # System bus - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgent - peer=(name=:*, label="@{p_polkitd}"), - dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=:*, label="@{p_polkitd}"), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - member={RegisterWithCapabilities,Unregister} - peer=(name=:*, label=NetworkManager), # Session bus 
@@ -156,7 +145,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -181,8 +170,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} rCx -> shell, @{bin}/pkexec rCx -> pkexec, - @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{python_path} rCx -> python, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, @@ -278,15 +268,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, + owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, 
@@ -337,7 +328,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, + @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, @@ -351,6 +344,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -431,6 +426,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile python { + include + include + + # /usr/share/gnome-shell/extensions/{,**} + + include if exists + } + profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index baaac245f..247436318 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -45,6 +45,7 @@ profile gnome-software @{exec_path} { @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 5c8ab7c8a..8aa950e2c 100644 
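Review bot: The new `python` child profile in the last gnome-shell hunk carries no explanation of which code runs under it, and its only path rule (`# /usr/share/gnome-shell/extensions/{,**}`) is commented out, so everything it permits comes from the two includes whose names are not visible here. A short comment above the profile naming the extension or helper that is launched via the `@{python_path} rCx -> python` transition added earlier in this commit, e.g. `# Python helpers spawned by shell extensions`, would let a reviewer judge whether those includes are sufficient. If the commented path stands for a rule that is still needed it should be either enabled or removed, since a commented rule reads as dead policy.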
--- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -10,6 +10,7 @@ include profile gnome-text-editor @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 83fcbd7c6..35714fa0b 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,9 +11,9 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 63ab49c5e..0f77b023e 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -40,16 +40,22 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label="@{p_upowerd}"), + peer=(name=@{busname}, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Suspend + peer=(name=@{busname}, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 59123f485..c5be27f27 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications 
@@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStopped} + member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 7b47b0676..b6d90d5e3 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -31,6 +31,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 + interface=org.freedesktop.NetworkManager.VPN.Connection + member=VpnStateChanged + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 7f03d9fc5..59e67d9bf 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -16,6 +16,11 @@ profile gsd-usb-protection @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index a32a3d8c3..f843d6c14 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -39,6 +39,7 @@ profile kgx @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, 
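Review bot: `path=/org/freedesktop/NetworkManager/ActiveConnection/3` in the gsd-sharing hunk pins the rule to one object instance index captured from a log, so it stops matching as soon as the active connection is numbered differently. It should be `path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}`, like the other object paths in this series. The papers hunk further down has the same problem with `path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026`, which embeds one process's session token; a pattern such as `session/@{int}_@{int}/gtk@{int}` would cover what the log showed without hard-coding a single run.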
diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index d5700db7c..c041cdf99 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -47,6 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, + /etc/fstab r, + # Allow to search user files owner @{HOME}/ r, owner @{HOME}/{,**} r, @@ -57,6 +59,11 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, + owner @{GDM_HOME}/ r, + owner @{GDM_HOME}/*/ r, + owner @{gdm_cache_dirs}/tracker3/{,**} rwk, + owner @{gdm_config_dirs}/user-dirs.dirs r, + @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index ae225aa65..92e619e5c 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -29,6 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_cache_dirs}//fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d8e7c3341..a91a154a7 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
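Review bot: `owner @{gdm_cache_dirs}//fontconfig/ rw` in the mutter-x11-frames hunk has a doubled slash that the sibling line just below it (`owner @{gdm_cache_dirs}/fontconfig/@{hex32}-...`) does not, and `@{gdm_cache_dirs}` already ends in `/` per the system-users tunable touched in this same commit. Whether or not the parser collapses the extra separator, the two rules should be spelled the same way: `owner @{gdm_cache_dirs}/fontconfig/ rw,`.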
@@ -66,6 +66,15 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=NameHasOwner peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session + interface=org.freedesktop.Application + member=Open, + + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.Application + member={CommandLine,DescribeAll} + peer=(name=org.gnome.Nautilus, label=nautilus), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 0318c7265..6c4fe6f12 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -20,18 +20,27 @@ profile papers @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 + interface=org.freedesktop.portal.Session + member=Close + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mr, @{open_path} Cx -> open, /usr/share/poppler/{,**} r, + /etc/passwd r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + /tmp/ r, + /var/tmp/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index b0239f404..ac47b5460 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -16,7 +16,7 @@ profile ptyxis @{exec_path} { unix type=stream peer=(label=ptyxis-agent), - #aa:dbus own bus=session name=org.gnome.Ptyxis + #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 982afd90d..2735e0c5d 100644 
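Review bot: `dbus send bus=session interface=org.freedesktop.Application member=Open,` in the nautilus hunk has neither a `path=` nor a `peer=`, so nautilus may call `Open` on any name on the session bus. That may be exactly what the "open with" flow needs, since the destination is whichever application the user picks, but next to the tightly scoped `{CommandLine,DescribeAll}` rule that follows it the line reads as an accidental wildcard. A one-line comment such as `# Open the selected files in whichever application the user chooses; destination is not known in advance` would make the breadth deliberate; if the destination set is actually small, a `peer=(label=...)` would be the better fix.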
--- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -16,10 +16,12 @@ profile ptyxis-agent @{exec_path} { include include - signal send set=hup peer=unconfined, + signal send set=hup peer=@{p_systemd}, ptrace read, + unix type=stream peer=(label=ptyxis), + @{exec_path} mr, @{bin}/podman Px, @@ -42,8 +44,15 @@ profile ptyxis-agent @{exec_path} { unix bind type=stream addr=@@{udbus}/bus/systemd-run/, @{bin}/systemd-run mr, + + # The shell is not confined on purpose. @{bin}/@{shells} Ux, + # Some CLI program can be launched directly from Gnome Shell + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + owner @{run}/user/@{uid}/systemd/private rw, include if exists diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e8612f7b6..3f9f49281 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -20,6 +21,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -73,9 +75,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 6b358c8b0..7f7a3a8e4 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -15,11 +15,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include 
@@ -86,8 +88,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 1513aae2f..07450efff 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,7 +5,7 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ From 009fb9285d497eae14b08032b43f44e81c862823 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:05:34 +0200 Subject: [PATCH 106/184] feat(profile): update gvfsd profiles. --- apparmor.d/groups/gvfs/gvfsd-fuse | 12 ++++++++++-- apparmor.d/groups/gvfs/gvfsd-sftp | 20 +++++++++----------- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 ++ 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 2695a1bf7..4741b0f31 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse 
@@ -23,17 +23,25 @@ profile gvfsd-fuse @{exec_path} { dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterFuse - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-sftp), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, + owner @{run}/user/@{uid}/gvfsd-fuse/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 76bb55e98..1019a1525 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp 
@@ -17,28 +17,26 @@ profile gvfsd-sftp @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.{M,m}ountTracker label=gvfsd dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=@{busname}, label=gnome-extension-gsconnect), - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=nautilus), + peer=(name=@{busname}), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskQuestion,AskPassword} + peer=(name=@{busname}), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0dee4e73b..7f4c20718 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -15,6 +15,7 @@ profile gvfsd-wsdd @{exec_path} { include include + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd @@ -47,6 +48,7 @@ profile gvfsd-wsdd @{exec_path} { @{bin}/env mr, @{bin}/wsdd rPx, + @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/wsdd rw, From fecb4dbca6645341359e367e80d70a5e222f13be Mon Sep 17 00:00:00 2001 
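Review bot: The `GetConnection` receive rule in the gvfsd-sftp hunk drops the `label=gnome-extension-gsconnect` and `label=nautilus` restrictions and keeps only `peer=(name=@{busname})`, and the new `{AskQuestion,AskPassword}` send rule is likewise unlabeled, so any confined process on the session bus can now obtain a connection to the sftp backend or act as its mount-operation prompter. If the widening is intentional because the client set is open-ended (gvfsd-fuse starts calling `GetConnection` in the hunk above), a comment saying so would record that; otherwise `peer=(name=@{busname}, label="{gnome-extension-gsconnect,nautilus,gvfsd-fuse}")` keeps the previous scope. `AskPassword` in particular deserves a label, because the peer that answers it is the process the user's credential is typed into.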
From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:06:35 +0200 Subject: [PATCH 107/184] feat(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 13 +++++++++++++ apparmor.d/groups/flatpak/flatpak-portal | 1 + apparmor.d/groups/flatpak/flatpak-session-helper | 5 +++++ apparmor.d/groups/flatpak/flatpak-system-helper | 1 + 4 files changed, 20 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index e73408a0a..bd749db40 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -40,6 +40,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak//fusermount), + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -47,6 +50,16 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + + dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper + interface=org.freedesktop.Flatpak.SystemHelper + member=GetRevokefsFd + peer=(name=org.freedesktop.Flatpak.SystemHelper), + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index fdbdb9189..97f9f4911 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal 
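Review bot: The `GetRevokefsFd` send rule in the flatpak hunk names the peer `org.freedesktop.Flatpak.SystemHelper` without a label, while the `#aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper` directive a few lines above appears to already cover sending to that name when the helper runs under its own profile. Either the explicit rule is redundant, or it exists because the helper was observed under another label, in which case a comment should say which; as written it silently accepts any label behind that well-known name. Adding `label=flatpak-system-helper` to the peer, or dropping the rule, removes the ambiguity.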
+++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 162e3b448..8a8f5afb7 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -21,6 +21,11 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{shells_path} rUx -> user_unconfined, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index cdfef1bad..0bd74bdcb 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -34,6 +34,7 @@ profile flatpak-system-helper @{exec_path} { unix type=seqpacket peer=(label=unconfined), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, From d0657d2c26644a386bc0078ec6f83ffebaa1a03e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:10:19 +0200 Subject: [PATCH 108/184] feat(profile): update network profiles. --- apparmor.d/groups/network/NetworkManager | 30 ++++++++++++++++++++++ apparmor.d/groups/network/netplan | 9 +++++++ apparmor.d/groups/network/netplan-generate | 2 ++ apparmor.d/groups/network/nmcli | 14 ++++++++++ apparmor.d/groups/network/openvpn | 2 ++ 5 files changed, 57 insertions(+) diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f27449e77..2959441c4 100644 --- a/apparmor.d/groups/network/NetworkManager 
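Review bot: `label=accounts-daemon` in the flatpak-system-helper hunk differs from how the same peer is written in the flatpak hunk above and in gnome-control-center, both of which use `label="@{p_accounts_daemon}"`. The `@{p_*}` variables exist so the label follows the daemon's actual profile name under each build mode, and a literal label will not match wherever that variable expands to something else. Use `#aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"` for consistency.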
+++ b/apparmor.d/groups/network/NetworkManager @@ -48,6 +48,23 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=gnome-control-center), + + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=nm-online), + dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action2 @@ -63,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member={InterfacesAdded,InterfacesRemoved} peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=cockpit-bridge), + @{exec_path} mr, @{sh_path} rix, @@ -84,9 +106,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, /usr/share/netplan/netplan.script rPx, + @{lib}/netplan/@{int2}-network-manager-all.yaml w, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, + /etc/netplan/ r, + /etc/netplan/90-NM-@{uuid}.yaml r, + @{att}/ r, /etc/ r, @@ -110,7 +137,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/rfkill/ r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, 
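Review bot: The first of the three new `GetManagedObjects` receive rules in the NetworkManager hunk uses `peer=(name=@{busname})` with no label, which already admits every sender, so the two labeled copies for `gnome-control-center` and `nm-online` add nothing, and the double blank line between them looks like a leftover. Either keep the unlabeled rule alone with a comment that any client may enumerate NetworkManager's objects, or drop it and keep only the labeled rules if enumeration should stay limited to known peers (the nmcli hunk later in this series adds the matching send rule, so `nmcli` would belong in that list).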
@@ -135,6 +164,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index 5855131a8..a0fad0a93 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -9,9 +9,12 @@ include @{exec_path} = /usr/share/netplan/netplan.script profile netplan @{exec_path} flags=(attach_disconnected) { include + include include include + #aa;dbus owb bus=system name=io.netplan.Netplan + @{exec_path} mr, @{lib}/netplan/generate rPx, @@ -20,6 +23,8 @@ profile netplan @{exec_path} flags=(attach_disconnected) { /usr/share/netplan/{,**} r, + /etc/netplan/{,*} r, + @{run}/netplan/ r, profile udevadm { @@ -42,6 +47,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + + @{run}/udev/control rw, + include if exists } diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 74ed20aaf..cea17b81c 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -26,6 +26,8 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, + @{run}/NetworkManager/conf.d/netplan.conf rw, + @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 6065a12da..b4da14960 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli 
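Review bot: `#aa;dbus owb bus=system name=io.netplan.Netplan` in the first netplan hunk is misspelled twice (`;` for `:` and `owb` for `own`), so the prebuild directive parser is unlikely to recognise it and the line will stay a plain comment: the profile gains no rule for owning that name, and nothing will flag the omission. It should read `#aa:dbus own bus=system name=io.netplan.Netplan`, matching every other directive in this series.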
@@ -16,11 +16,25 @@ profile nmcli @{exec_path} {
 capability sys_nice,
 #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesAdded
+ peer=(name=@{busname}, label=NetworkManager),
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesRemoved
+ peer=(name=@{busname}, label=NetworkManager),
+ dbus send bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=@{busname}, label=NetworkManager),
 @{exec_path} mr,
 @{pager_path} rPx -> child-pager,
+ /etc/netplan/* r,
+
 owner @{HOME}/.nm-vpngate/*.ovpn r,
 owner @{HOME}/.cert/nm-openvpn/*.pem rw,
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index b5a6b83ef..2a513b84e 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@@ -66,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/net/route r,
+ /dev/net/tun rw,
+
 profile update-resolv {
 include
 include
From ff8efaecd209909a48bc7cd6677763fb4cd7e19b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 11 Sep 2025 23:11:25 +0200
Subject: [PATCH 109/184] feat(profile): update arch profiles.
---
 apparmor.d/groups/pacman/pacdiff | 33 +++++++++++++-------
 apparmor.d/groups/pacman/pacman-hook-systemd | 2 ++
 2 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff
index cab9eed4b..eef992666 100644
--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@@ -9,7 +9,6 @@ include
 @{exec_path} = @{bin}/pacdiff
 profile pacdiff @{exec_path} flags=(attach_disconnected) {
 include
- include
 capability dac_read_search,
 capability mknod,
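Review bot: The two added `dbus receive` rules for `InterfacesAdded` and `InterfacesRemoved` in the nmcli hunk differ only in `member=`, so they can be a single rule with `member={InterfacesAdded,InterfacesRemoved}`, which is the form the NetworkManager profile in this same commit already uses for these ObjectManager signals. `/etc/netplan/* r,` is a new read of host network configuration (netplan YAML can carry Wi-Fi credentials) by a user-run CLI; a why-comment naming the nmcli operation that needs it would make the widening auditable. The enclosing `profile nmcli` block starts and ends outside the hunk.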
@@ -20,17 +19,18 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/cat rix,
- @{bin}/cmp rix,
- @{bin}/find rix,
- @{bin}/locate rix,
- @{bin}/pacman rix,
- @{bin}/pacman-conf rPx,
- @{bin}/pacsort rix,
- @{bin}/rm rix,
- @{bin}/sed rix,
- @{bin}/tput rix,
+ @{bin}/{m,g,}awk ix,
+ @{bin}/cat ix,
+ @{bin}/cmp ix,
+ @{bin}/find ix,
+ @{bin}/locate ix,
+ @{bin}/pacman ix,
+ @{bin}/pacman-conf Px,
+ @{bin}/pacsort ix,
+ @{bin}/rm ix,
+ @{bin}/sed ix,
+ @{bin}/tput ix,
+ @{editor_path} Cx -> editor,
 # packages files
 / r,
@@ -44,6 +44,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
 /dev/tty rw,
 /dev/pts/@{int} rw,
+ profile editor {
+ include
+ include
+
+ /etc/** rw,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd
index 0878385c5..860fb34ea 100644
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@@ -46,6 +46,8 @@ profile pacman-hook-systemd @{exec_path} {
 capability net_admin,
 capability sys_resource,
+ ptrace read peer=@{p_systemd},
+
 signal send set=(cont, term) peer=systemd-tty-ask-password-agent,
 @{bin}/systemd-tty-ask-password-agent Px,
From 98063fa7711c03f624a149227b2ef3672b866469 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 11 Sep 2025 23:15:42 +0200
Subject: [PATCH 110/184] feat(profile): rewrite the pacman profile.
---
 apparmor.d/groups/pacman/pacman | 165 +++++++++++++++++++-------------
 1 file changed, 100 insertions(+), 65 deletions(-)
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 427ac0141..41b45c9d0 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -46,71 +46,49 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{bin}/gpg{,2} rCx -> gpg,
- @{bin}/gpgconf rCx -> gpg,
- @{bin}/gpgsm rCx -> gpg,
+ # Pacman's keyring
+ @{bin}/gpg{,2} Cx -> gpg,
+ @{bin}/gpgconf Cx -> gpg,
+ @{bin}/gpgsm Cx -> gpg,
- # Pacman hooks & install scripts
- @{sh_path} rix,
- @{coreutils_path} rix,
- @{bin}/appstreamcli rPx,
- @{bin}/arch-audit rPx,
- @{bin}/archlinux-java rPx,
- @{bin}/bootctl rPx,
- @{bin}/cert-sync rPx,
- @{bin}/checkrebuild rPUx,
- @{bin}/dconf rPx,
- @{bin}/dot rix,
- @{bin}/fc-cache{,-32} rPx,
- @{bin}/filecap rix,
- @{bin}/gdbus rix,
- @{bin}/gdk-pixbuf-query-loaders rPx,
- @{bin}/getent rix,
- @{bin}/gettext rix,
- @{bin}/ghc-pkg-@{version} rPx,
- @{bin}/gio-querymodules rPx,
- @{bin}/glib-compile-schemas rPx,
- @{sbin}/groupadd rPx,
- @{bin}/gtk-query-immodules-* rPx,
- @{bin}/gtk{,4}-update-icon-cache rPx,
- @{sbin}/iconvconfig rix,
- @{bin}/install-catalog rPx,
- @{bin}/install-info rPx,
- @{sbin}/iscsi-iname rix,
- @{bin}/journalctl rPx,
- @{bin}/killall rix,
- @{sbin}/ldconfig rix,
- @{sbin}/locale-gen rPx,
- @{bin}/limine-install rPUx,
- @{bin}/mkinitcpio rPx,
- @{sbin}/needrestart rPx,
- @{bin}/pacdiff rPx,
- @{bin}/pacman-key rPx,
- @{bin}/pkgfile rPUx,
- @{bin}/pkill rix,
- @{bin}/rsync rix,
- @{bin}/sbctl rPx,
- @{sbin}/setcap rix,
- @{bin}/setfacl rix,
- @{sbin}/sysctl rPx,
- @{bin}/systemctl rCx -> systemctl,
- @{bin}/systemd-* rPx,
- @{bin}/tput rix,
- @{bin}/update-ca-trust rPx,
- @{bin}/update-desktop-database rPx,
- @{sbin}/update-grub rPx,
- @{bin}/update-mime-database rPx,
- @{bin}/vercmp rix,
- @{bin}/which{,.debianutils} rix,
- @{bin}/xmlcatalog rix,
- @{lib}/systemd/systemd-* rPx,
- @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx,
- @{lib}/vlc/vlc-cache-gen rPx,
- /opt/Mullvad*/resources/mullvad-setup rPx,
- /usr/share/code-features/patch.py rPx,
- /usr/share/code-marketplace/patch.py rPx,
- /usr/share/libalpm/scripts/* rPUx,
- /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,
+ # Common program found in hooks & install scripts
+ @{sh_path} rix,
+ @{coreutils_path} rix,
+ @{bin}/dot ix,
+ @{bin}/filecap ix,
+ @{bin}/getent ix,
+ @{bin}/gettext ix,
+ @{bin}/gzip ix,
+ @{bin}/rsync ix,
+ @{bin}/setfacl ix,
+ @{bin}/tput ix,
+ @{bin}/vercmp ix,
+ @{bin}/which{,.debianutils} ix,
+ @{bin}/xmlcatalog ix,
+ @{sbin}/iconvconfig ix,
+ @{sbin}/iscsi-iname ix,
+ @{sbin}/setcap ix,
+
+ @{bin}/dbus-send Cx -> bus,
+ @{bin}/gdbus Cx -> bus,
+ @{bin}/killall Cx -> pkill,
+ @{bin}/kmod Cx -> kmod,
+ @{bin}/pkill Cx -> pkill,
+ @{bin}/systemctl Cx -> systemctl,
+ @{sbin}/ldconfig Cx -> ldconfig,
+
+ #aa:lint ignore=too-wide
+ # Hooks & install scripts can legitimately start/restart anything
+ # PU is only used as a safety fallback.
+ @{bin}/** PUx,
+ @{sbin}/** PUx,
+ /opt/*/** PUx,
+ /etc/** PUx,
+ /usr/share/** PUx,
+
+ @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px,
+ @{lib}/systemd/systemd-* Px,
+ @{lib}/vlc/vlc-cache-gen Px,
 # For shell pwd, keept as it can annoy users to see error in pacman output
 /**/ r,
@@ -196,6 +174,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 capability dac_read_search,
 capability sys_resource,
+ ptrace read peer=@{p_systemd},
+
 signal send set=cont peer=child-pager,
 signal send set=(cont term) peer=systemd-tty-ask-password-agent,
 signal receive set=(term winch) peer=makepkg//sudo,
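Review bot: The five `PUx` globs (`@{bin}/** PUx,` through `/usr/share/** PUx,`) mean that any program a hook or install script starts for which no profile exists runs unconfined as root, and `/etc/**` and `/usr/share/**` are trees that are overwhelmingly data rather than executables, so the rule set is wider than the "safety fallback" wording above it suggests. How the specific `ix`, `Cx` and `Px` entries are meant to interact with the overlapping globs is also not obvious to a reader; a one-line comment stating the intended precedence, e.g. `# Anything not matched by an ix/Cx/Px rule above falls back to PUx (unconfined when no profile exists)`, would make the policy reviewable. If the hook directories that actually hold executables are known, listing them (the removed `/usr/share/libalpm/scripts/* rPUx,` was one such entry) instead of `/etc/**` and `/usr/share/**` would keep the fallback to the cases it is meant for. The enclosing `profile pacman` block starts and ends outside the hunk.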
@@ -207,11 +187,66 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 /{run,var}/log/journal/ r,
 /{run,var}/log/journal/@{hex32}/ r,
- /{run,var}/log/journal/@{hex32}/*.journal* r,
+ /{run,var}/log/journal/@{hex32}/system.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
 include if exists
 }
+ profile bus {
+ include
+ include
+ include
+
+ @{bin}/gdbus rix,
+
+ include if exists
+ }
+
+ profile pkill {
+ include
+ include
+
+ @{bin}/killall mr,
+ @{bin}/pkill mr,
+
+ include if exists
+ }
+
+ profile kmod {
+ include
+ include
+
+ include if exists
+ }
+
+ profile ldconfig {
+ include
+ include
+
+ @{sh_path} rix,
+ @{sbin}/ldconfig mrix,
+
+ @{lib}/ r,
+ /usr/local/ r,
+ /usr/local/lib/ r,
+
+ /opt/cuda/**/@{lib}/ r,
+ /opt/cuda/**/@{lib}/@{multiarch}/ r,
+
+ /etc/ld.so.cache rw,
+ /etc/ld.so.cache~ rw,
+
+ /var/cache/ldconfig/ rw,
+ owner /var/cache/ldconfig/aux-cache* rw,
+
+ include if exists
+ }
+
 include if exists
 include if exists
 }
From e549863d4adf82147f9c17763cfe367d5ebf746c Mon Sep 17 00:00:00 2001
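Review bot: `@{bin}/dbus-send Cx -> bus` (earlier in this file) transitions dbus-send into the new `bus` subprofile, but `bus` only lists `@{bin}/gdbus rix,`; the sibling `pkill` subprofile gives each binary that enters it its own rule (`@{bin}/killall mr,` and `@{bin}/pkill mr,`). Unless one of the `include` lines in `bus` (their targets are stripped in this rendering) covers it, add `@{bin}/dbus-send mr,` next to the gdbus rule. The four new subprofiles also spell the entry binary three ways (`rix`, `mr`, `mrix`); settling on one form would make them easier to audit side by side. The enclosing `profile pacman` block starts outside the hunk.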
From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:20:27 +0200 Subject: [PATCH 111/184] feat(profile): update systemd profiles. --- .../systemd-generator-system-update | 3 ++- apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/systemd-detect-virt | 1 + apparmor.d/groups/systemd/systemd-dissect | 2 +- apparmor.d/groups/systemd/systemd-hostnamed | 2 ++ apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-localed | 14 +++++++++++++- apparmor.d/groups/systemd/systemd-logind | 13 +++++++------ apparmor.d/groups/systemd/systemd-machine-id-setup | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 1 + apparmor.d/groups/systemd/systemd-sleep-hdparm | 2 ++ apparmor.d/groups/systemd/systemd-sleep-sysstat | 3 +++ apparmor.d/groups/systemd/systemd-sleep-upgrades | 1 + apparmor.d/groups/systemd/systemd-timedated | 8 ++++++++ 15 files changed, 45 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update index 557e4ab6e..9767a2e72 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/status r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index d1ee1141c..06969ef47 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -68,7 +68,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists 
diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 0d46dbfed..9792fb75f 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} { +profile localectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index ca6eae3ad..9b49c20fc 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -45,6 +45,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { deny capability net_admin, deny capability perfmon, + deny network (send receive) netlink raw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 0381b93b1..1bbb91858 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -27,7 +27,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - ptrace read peer=unconfined, + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 01d04989b..8fae34b29 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -44,6 +44,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_serial r, + @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, 
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 2765d8f10..e0a8a2e47 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted network netlink raw, - ptrace (read), + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index e98bef009..cefab3890 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -24,18 +24,30 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/cat ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/rm ix, + @{bin}/sort ix, + @{sbin}/locale-gen rPx, + + /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, + /etc/ r, /etc/.#locale.conf@{hex16} rw, + /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, /etc/locale.conf rw, + /etc/locale.gen rw, + /etc/nsswitch.conf r, + /etc/passwd r, /etc/vconsole.conf rw, /etc/X11/xorg.conf.d/ rw, /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 05c812b18..c5e87b3e2 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -124,12 +124,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 @{sys}/module/vt/parameters/default_utf8 r,
 @{sys}/power/{state,resume_offset,resume,disk} r,
- @{PROC}/@{pid}/cgroup r,
- @{PROC}/@{pid}/comm r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/mountinfo r,
- @{PROC}/@{pid}/sessionid r,
- @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/comm r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/sessionid r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/status r,
 @{PROC}/1/cmdline r,
 @{PROC}/pressure/* r,
 @{PROC}/swaps r,
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index c791e6375..a2115a926 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
 capability sys_admin,
 capability sys_chroot,
- ptrace (read),
+ ptrace read,
 mount options=(rw rshared) -> /,
 mount options=(rw rslave) -> /,
diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill
index bf983ea7a..34e7255ab 100644
--- a/apparmor.d/groups/systemd/systemd-rfkill
+++ b/apparmor.d/groups/systemd/systemd-rfkill
@@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) {
 include
 capability net_admin,
+ capability sys_admin,
 capability sys_ptrace,
 network netlink raw,
diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm
index 4cbe61755..5b9c51dbe 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-hdparm
+++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm
@@ -13,6 +13,8 @@ profile systemd-sleep-hdparm @{exec_path} {
 @{exec_path} mr,
 @{sh_path} r,
+ @{lib}/pm-utils/power.d/*hdparm-apm ix,
+
 include if exists
 }
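Review bot: `capability sys_admin,` is added to systemd-rfkill without any justification, and it is the broadest capability a profile can grant; the hunk already carries `net_admin` and `sys_ptrace`, so it is not clear which operation still needed `sys_admin`. If the rule came from an audit denial, record the denied operation next to it, e.g. `capability sys_admin, # TODO: note the operation that required it`, so a later reader can judge whether a narrower rule would do. The enclosing `profile systemd-rfkill` block ends outside the hunk.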
diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat
index 94e2e8daf..e29a41a7a 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-sysstat
+++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat
@@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} {
 @{exec_path} mr,
+ @{lib}/sysstat/sa{1,2} Px,
+ @{lib}/sysstat/debian-sa{1,2} Px,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades
index 4f2cce637..c2c107b1f 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-upgrades
+++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades
@@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} {
 include
 @{exec_path} mr,
+ @{sh_path} r,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index ffed031b5..b65f2b7af 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=GetAll
 peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+ dbus send bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member={DisableUnitFiles,EnableUnitFiles}
+ peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+ dbus send bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member={JobRemoved,Reload,StartUnit,StopUnit}
+ peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 @{exec_path} mr,
From 43175387474acabd2e877e78f709c13e9643e999 Mon Sep 17 00:00:00 2001
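Review bot: `JobRemoved` in the second added systemd-timedated rule is a signal that `org.freedesktop.systemd1.Manager` emits, not a method timedated calls, so it cannot match a `dbus send` and belongs in a `dbus receive` rule instead; as written the receive side of that signal is still unaddressed unless the `#aa:dbus` directive above the hunk already covers it. Suggest `member={Reload,StartUnit,StopUnit}` on the send rule plus a separate `dbus receive` rule on the same path and interface with `member=JobRemoved` and `peer=(name=@{busname}, label="@{p_systemd}")`; if these rules were derived from the SetNTP path, the `Subscribe` call that precedes waiting on jobs may be missing as well and is worth checking in the log. The two new send rules share path, interface and peer and could be one rule with a merged member list. The enclosing `profile systemd-timedated` block starts and ends outside the hunk.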
From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:21:34 +0200 Subject: [PATCH 112/184] feat(profile): update ubuntu profiles. --- apparmor.d/groups/ubuntu/software-properties-dbus | 9 +++++++-- apparmor.d/groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/groups/ubuntu/ubuntu-advantage | 3 ++- apparmor.d/groups/ubuntu/update-notifier | 13 +++++++++++++ 4 files changed, 22 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 8d55ec0b7..cc7387709 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -19,11 +19,16 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=software-properties-gtk), + peer=(name=@{busname}, label=software-properties-gtk), + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload + peer=(name=@{busname}, label=software-properties-gtk), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index af91c7eaa..cd858737b 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -44,12 +44,10 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, - /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, 
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index e8d847e92..ea9742d4c 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -60,9 +60,10 @@ profile ubuntu-advantage @{exec_path} { @{run}/ubuntu-advantage/{,**} rw, - @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 0de63ac64..4c60b4aaf 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -28,6 +28,11 @@ profile update-notifier @{exec_path} { #aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell + dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending + interface=com.ubuntu.UnattendedUpgrade.Pending + member=Finished + peer=(name=@{busname}, label=unattended-upgrade), + @{exec_path} mr, @{sh_path} rix, @@ -49,6 +54,7 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + @{open_path} Cx -> open, @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, @@ -95,6 +101,13 @@ profile update-notifier @{exec_path} { include if exists } + profile open { + include + include + + include if exists + } + include if exists } From c7b99bb84e9098e57a368c1a237838f11095116d Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:26:31 +0200 Subject: [PATCH 113/184] feat(profile): update some core profiles. --- apparmor.d/profiles-g-l/kdump-config | 2 + apparmor.d/profiles-g-l/kdump-tools-init | 2 + apparmor.d/profiles-g-l/kdump_mem_estimator | 2 + apparmor.d/profiles-g-l/kernel-postinst-kdump | 8 +++- apparmor.d/profiles-g-l/logrotate | 2 + apparmor.d/profiles-m-r/initramfs-hooks | 6 ++- apparmor.d/profiles-m-r/mdadm | 1 + apparmor.d/profiles-m-r/mkinitramfs | 48 ++++++------------- apparmor.d/profiles-m-r/needrestart | 2 + apparmor.d/profiles-m-r/rsyslogd | 1 + 10 files changed, 37 insertions(+), 37 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2bd8ef6b9..75c536612 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -72,6 +72,8 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init index b5af4dcc9..7767831a8 100644 --- a/apparmor.d/profiles-g-l/kdump-tools-init +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -29,6 +29,8 @@ profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator index b80a89343..5f85af3fe 100644 --- a/apparmor.d/profiles-g-l/kdump_mem_estimator +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -27,6 +27,8 @@ profile kdump_mem_estimator @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 50606695a..eb17c5355 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump 
+++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -31,8 +31,7 @@ profile kernel-postinst-kdump @{exec_path} { / r, - /etc/initramfs-tools/conf.d/{,**} r, - /etc/initramfs-tools/initramfs.conf r, + /etc/initramfs-tools/{,**} r, owner /var/lib/kdump/** rw, @@ -49,6 +48,11 @@ profile kernel-postinst-kdump @{exec_path} { include include + @{sys}/module/*/ r, + @{sys}/module/*/coresize r, + @{sys}/module/*/holders/ r, + @{sys}/module/*/refcnt r, + include if exists } diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 0dee9ed6a..781a01a27 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -80,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=KillUnit diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 136536764..89a57310f 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -10,6 +10,7 @@ include profile initramfs-hooks @{exec_path} { include include + include include @{exec_path} mr, @@ -37,9 +38,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/ r, @{lib}/** mr, + /usr/share/*/initramfs/{,**} r, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, - /usr/share/cryptsetup/initramfs/{,**} r, /etc/console-setup/{,**} r, /etc/cryptsetup-initramfs/{,**} r, @@ -81,8 +82,9 @@ profile initramfs-hooks @{exec_path} { include include - @{bin}/ldd mr, @{bin}/* mr, + @{sbin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, @{lib}/ld-linux.so* mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 4cc5fc9fb..e40f6b1e3 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm 
@@ -12,6 +12,7 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, mqueue (read getattr) type=posix /, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index c6caf364f..d94e5aa44 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -33,6 +33,7 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, + @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -56,10 +57,9 @@ profile mkinitramfs @{exec_path} { @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, - @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, + @{sbin}/blkid rPx, - @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, @@ -113,11 +113,16 @@ profile mkinitramfs @{exec_path} { @{sys}/bus/ r, @{sys}/bus/*/drivers/ r, - @{sys}/devices/platform/ r, - @{sys}/devices/platform/**/ r, - @{sys}/devices/platform/**/modalias r, + @{sys}/devices/ r, + @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + @{sys}/devices/**/uevent r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, + @{sys}/class/ r, + @{sys}/class/*/ r, + + @{sys}/bus/platform/drivers/simple-framebuffer/ r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @@ -129,17 +134,14 @@ profile mkinitramfs @{exec_path} { include include - @{bin}/ldd mr, - @{lib}/@{multiarch}/ld-linux-*so* mr, - @{lib}/ld-linux.so* mr, - - @{sh_path} rix, - @{bin}/kmod mr, - @{lib}/initramfs-tools/bin/* mr, - + @{sh_path} rix, @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/** mr, + include if exists } 
@@ -160,26 +162,6 @@ profile mkinitramfs @{exec_path} { include if exists } - profile find { - include - include - - @{bin}/find mr, - - # pwd dir - / r, - /etc/ r, - /root/ r, - - /usr/share/initramfs-tools/scripts/{,**/} r, - /etc/initramfs-tools/scripts/{,**/} r, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, - owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, - - include if exists - } - profile kmod { include include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 8c908ddb4..c55393753 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,7 +59,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index ede981f58..c5e5ac051 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -45,6 +45,7 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } From 1b97efa21595f170d2a9466b91f2ee8a611f5d0e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:27:15 +0200 Subject: [PATCH 114/184] feat(abs): add org.gtk.Menus. --- .../abstractions/bus/session/org.gtk.Menus | 18 ++++++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 1 + 2 files changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Menus diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus new file mode 100644 index 000000000..b21c08067 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Menus 
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus receive bus=session
+ interface=org.gtk.Menus
+ member={Start,End}
+ peer=(name=@{busname}),
+
+ dbus send bus=session
+ interface=org.gtk.Menus
+ member=Changed,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete
index 356e97705..0b69d8ee1 100644
--- a/apparmor.d/abstractions/gtk.d/complete
+++ b/apparmor.d/abstractions/gtk.d/complete
@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 include
+ include
 include
 @{lib}/{,@{multiarch}/}gtk*/** mr,
From 17eac0b62c0ee7dccb0c0c3642b41ce2df238aa7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 11 Sep 2025 23:30:02 +0200
Subject: [PATCH 115/184] feat(abs): add missing dbus rule on org.freedesktop.DBus
---
 apparmor.d/groups/bus/dbus-session | 6 +++---
 apparmor.d/groups/bus/dbus-system | 6 ++++--
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index cc6b33f61..27e228e2c 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -31,10 +31,10 @@ profile dbus-session flags=(attach_disconnected) {
 signal (send) set=(term hup kill) peer=xdg-*,
 #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}}
- dbus receive bus=session path=/org/freedesktop/DBus
+ dbus receive bus=session
 interface=org.freedesktop.DBus
- member=Hello
- peer=(name=@{busname}),
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+ peer=(name="{@{busname},org.freedesktop.DBus}"),
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index 4dec1d407..235c44cd4 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
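Review bot: The rewritten dbus-session rule drops `path=/org/freedesktop/DBus` while the equivalent dbus-system rule in the next hunk (`@@ -36,8 +36,8 @@`) keeps it; the two bus daemons should accept these credential-lookup calls on the same terms, so either restore `path=/org/freedesktop/DBus` here or drop it there, with a comment if the difference is deliberate. Both hunks also remove the explicit `member=Hello` rule, which is only safe if the `#aa:dbus own ... name=org.freedesktop.DBus` directive just above expands to cover `Hello`; that cannot be seen from the diff, so the generated profile is worth checking before merging. The enclosing `profile dbus-session` block starts and ends outside the hunk.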
@@ -36,8 +36,8 @@ profile dbus-system flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Activator @@ -82,6 +82,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pid}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +92,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, + @{att}/dev/pts/ptmx rw, include if exists } From d32fd036503bd197d649ba85657eaf079854b2c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:30:30 +0200 Subject: [PATCH 116/184] feat(profile): improve ibus-portal. --- apparmor.d/groups/bus/ibus-portal | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 53edb4b00..6ea4891a7 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -15,11 +15,12 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.portal.IBus + #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, From c7e999fe30e5cb43e61cdca01eea3e18fa5fb0c7 Mon Sep 17 00:00:00 2001 
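Review bot: `@{att}/dev/pts/ptmx rw` in the last dbus-system hunk lets the system message bus allocate new pseudo-terminals, which a bus daemon has no obvious reason to do; a denial on that path may originate from a descriptor inherited by an activated service rather than from dbus-daemon itself, and the `@{att}` prefix suggests it was logged on a disconnected path. Before granting it, confirm which process triggered it and record that next to the rule, e.g. `@{att}/dev/pts/ptmx rw, # TODO: identify the activated service that needs this`. If it cannot be traced, the rule is safer left out and the denial tolerated.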
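Review bot: The new `#aa:dbus own bus=session name=org.freedesktop.IBus` directive makes ibus-portal claim a name that the org.freedesktop.IBus.Portal abstraction added later in this series expects to be served by `label=ibus-daemon`; if two profiles own the same well-known name only one of them really holds it on the bus, and that decides which peer rules match. Verify with `busctl --user status org.freedesktop.IBus` which process owns it, keep the directive only in that profile, or add a comment explaining why ibus-portal legitimately owns it as well.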
From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:32:29 +0200 Subject: [PATCH 117/184] feat(profile): update freedesktop profiles. --- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 ++ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-desktop-portal-gnome | 10 +++++----- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 12 +++--------- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/freedesktop/xorg | 3 ++- 8 files changed, 19 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 5c7c49c3d..ce1dffd58 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -21,9 +21,9 @@ profile pulseaudio @{exec_path} { include include include + include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aa78d9667..84d6675de 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -27,6 +27,7 @@ profile wireplumber @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} + #aa:dbus own bus=session name=org.pipewire.Telephony dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -77,6 +78,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index be66f7484..c1f255c75 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy 
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -21,6 +21,9 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { network unix stream, + #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal + #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 21c99827b..ec2cc86be 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @@ -101,6 +102,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, + @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ca5f62f82..b6c77f336 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
@@ -16,6 +16,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -24,6 +25,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include network unix stream, @@ -36,17 +38,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll @@ -85,6 +83,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gtkprint@{rand6} r, owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 92e6c9484..9688df798 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -35,18 +35,12 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 840500c52..fd05bcee9 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} r, + @{sh_path} mr, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index c14af6d6e..bfec4405c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -133,8 +133,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, + /dev/ r, /dev/fb@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, From 4d7e03a9e2f743fc32661c1741ce50f0d99cddd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:34:44 +0200 Subject: [PATCH 118/184] feat(profile): add missing grep to locale-gen. --- apparmor.d/groups/utils/locale-gen | 1 + 1 file changed, 1 insertion(+) 
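Review bot: `#aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs` pins the screensaver peer to the generic gjs interpreter label, which matches any confined JavaScript helper rather than one service; on a stock GNOME session org.gnome.ScreenSaver is normally provided by gnome-shell itself, so this may be the wrong label or one observed only with a particular helper. Confirm the owning process and either use its real label or say why gjs is expected, e.g. `# org.gnome.ScreenSaver is served by a gjs helper here; verify on other desktops`. The retained receive rule on org.freedesktop.impl.portal.Settings still uses the older `peer=(name=:*)` form that the rest of this series replaces with `@{busname}`.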
diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index 3620018a7..5366f1403 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -18,6 +18,7 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, From e5012e381efa8eefb028f661606aa159e0cd46a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:39:13 +0200 Subject: [PATCH 119/184] chore: pids means all pid. --- apparmor.d/groups/_full/sd | 39 +++++++++++++++-------------- apparmor.d/groups/bus/dbus-system | 12 ++++----- apparmor.d/profiles-m-r/needrestart | 12 ++++----- 3 files changed, 32 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 13864f2dd..ccdbf338b 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd 
@@ -195,25 +195,26 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{sys}/firmware/efi/efivars/** w, @{sys}/fs/cgroup/{,**} w, - @{PROC}/@{pid}/attr/apparmor/exec w, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map w, - @{PROC}/@{pid}/limits r, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/oom_score_adj rw, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/setgroups r, - @{PROC}/@{pid}/setgroups w, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map r, - @{PROC}/@{pid}/uid_map w, + @{PROC}/@{pids}/attr/apparmor/exec w, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/gid_map w, + @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/loginuid rw, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/oom_score_adj rw, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/setgroups r, + @{PROC}/@{pids}/setgroups w, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/uid_map r, + @{PROC}/@{pids}/uid_map w, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/irq/@{int}/node r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 235c44cd4..1b62a1086 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system 
@@ -77,12 +77,12 @@ profile dbus-system flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/oom_score_adj r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/oom_score_adj r, + @{PROC}/@{pids}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c55393753..a09008ac3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -56,12 +56,12 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /tmp/@{word10}/ rw, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, From 69fcef01b7b5d9003f902512be3d7c2543da5ce8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:50:23 +0200 Subject: [PATCH 120/184] feat(profile): add a large profile for mkosi. --- apparmor.d/profiles-m-r/mkosi | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mkosi diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi new file mode 100644 index 000000000..f6489a501 --- /dev/null +++ b/apparmor.d/profiles-m-r/mkosi 
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is large on purpose: +# - It is required to have a profile for mkosi to allow userns. +# - Mkosi uses a lot of different binaries and scripts inside sandbox. +# - Using the unconfined flag would Pix everything, we do not want that as the +# transitioned profile would have to account for mkosi paths too. + +abi , + +include + +@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi +profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + + all, + userns, + + include if exists +} + +# vim:syntax=apparmor From e09251d2669a0161aef2eb75e5d92c1c74a86f56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:53:00 +0200 Subject: [PATCH 121/184] feat(abs): update org.freedesktop.PolicyKit1 --- .../abstractions/bus/org.freedesktop.PolicyKit1 | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 9dfab7481..2a4e8c1e5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can talk to polkitd's CheckAuthorization API + abi , #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" 
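Review bot: The attachment `@{user_share_dirs}/pipx/venvs/*/bin/mkosi` lives in a user-writable directory and the profile grants `all,` plus `userns,` to whatever binary matches it, so any unprivileged user can obtain an unconfined-equivalent label with user-namespace creation simply by placing an executable at that path; that defeats the restriction the header says the profile exists to satisfy. If the pipx attachment must stay, state the trade-off in the header, e.g. `# NOTE: the pipx attachment is user-writable; any binary placed there gets userns.`, and consider shipping only the packaged `@{bin}/mkosi` attachment by default. As far as I can tell `all,` also keeps every exec'd child under this label, which matches the header's intent but is worth stating beside the rule.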
@@ -13,17 +15,13 @@ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), + member={CheckAuthorization,CancelCheckAuthorization} + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name="@{busname}", label="@{p_polkitd}"), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1), + member=RegisterAuthenticationAgentWithOptions + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), include if exists From fce5de8d198df15219422e0b6867609a3f3ee85d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:55:29 +0200 Subject: [PATCH 122/184] feat(abs): update org.freedesktop.PackageKit --- .../abstractions/bus/org.freedesktop.PackageKit | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index f6cde2030..a4f9ba9b9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -2,6 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow communication with PackageKit transactions. Transactions are exported +# with random object paths that currently take the form /@{int}_@{hex8}. + abi , #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd 
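Review bot: Adding `member=RegisterAuthenticationAgentWithOptions` to the shared org.freedesktop.PolicyKit1 abstraction lets every profile that includes it register itself as a polkit authentication agent, i.e. become the process that receives and answers credential prompts for the session; that is a far larger grant than the CheckAuthorization/CancelCheckAuthorization pair, and it contradicts the header line added in the same patch, `# Can talk to polkitd's CheckAuthorization API`. polkitd does check that the caller belongs to the session it registers for, but the value of this abstraction is keeping the AppArmor side narrow. Move the rule into the profiles of real agents or a dedicated abstraction and keep this one to the two CheckAuthorization members.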
@@ -16,6 +19,14 @@ member=StateHasChanged peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + + dbus receive bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + include if exists # vim:syntax=apparmor From 93c94836e292a2e4b39cea261e6891e30b74d6a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:56:14 +0200 Subject: [PATCH 123/184] feat(abs): add snapcraft dbus reference call. --- .../bus/session/io.snapcraft.Launcher | 21 +++++++++++++++++++ .../io.snapcraft.PrivilegedDesktopLauncher | 16 ++++++++++++++ .../bus/session/io.snapcraft.Settings | 16 ++++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.Launcher create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.Settings diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher new file mode 100644 index 000000000..ca2bf92c8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal xdg-open + + abi , + + dbus send bus=session path=/ + interface=com.canonical.SafeLauncher + member=OpenURL + peer=(name=@{busname}, label=snap), + + dbus send bus=session path=/io/snapcraft/Launcher + interface=io.snapcraft.Launcher + member={OpenURL,OpenFile} + peer=(name=@{busname}, label=snap), + + include if exists + +# vim:syntax=apparmor 
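Review bot: The two Transaction rules carry no `member=`, so any profile including org.freedesktop.PackageKit may call every method on `org.freedesktop.PackageKit.Transaction`, including the install, remove, update and repository-changing ones, not only the query and progress members; the only remaining gate is polkit inside packagekitd. If that trust model is intended, record it on the rule, e.g. `# Full transaction access; privileged members are gated by polkit inside packagekitd`, otherwise list the read-only members here and leave the mutating ones to the package-manager profiles. The matching `send`/`receive` pair could also be one `dbus (receive, send)` rule as other abstractions in this series do.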
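Review bot: Both send rules in io.snapcraft.Launcher constrain the peer to `name=@{busname}`, but clients address this service by its well-known name and for `dbus send` the peer name is the destination the caller used, so a call to `io.snapcraft.Launcher` would not match; the sibling PrivilegedDesktopLauncher abstraction in the same patch uses `peer=(name=io.snapcraft.Launcher, label=snap)`. Use the form the rest of the tree uses on both rules: `peer=(name="{@{busname},io.snapcraft.Launcher}", label=snap),`. `label=snap` is broad if it is the label of every snap-confined process, but the launcher service presumably runs under it, so that only needs a comment.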
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher new file mode 100644 index 000000000..704d9010d --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can identify and launch other snaps. + + abi , + + dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher + interface=io.snapcraft.PrivilegedDesktopLauncher + member=OpenDesktopEntry + peer=(name=io.snapcraft.Launcher, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings new file mode 100644 index 000000000..c50753cd6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal 'xdg-settings' + + abi , + + dbus send bus=session path=/io/snapcraft/Settings + interface=io.snapcraft.Settings + member={Check,CheckSub,Get,GetSub,Set,SetSub} + peer=(name=io.snapcraft.Settings, label=snap), + + include if exists + +# vim:syntax=apparmor From 8f0ee240007ba41dee39f721bc22fff6163171ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:57:10 +0200 Subject: [PATCH 124/184] feat(abs): add org.gtk.vfs.MountOperation --- .../bus/session/org.gtk.vfs.MountOperation | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation 
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation new file mode 100644 index 000000000..ff8c928f8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskQuestion,AskPassword} + peer=(name=@{busname}, label=gvfsd-*), + + include if exists + +# vim:syntax=apparmor From 76c5586688218983fe9203fd894e8cc794a895e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:58:11 +0200 Subject: [PATCH 125/184] feat(abs): add org.freedesktop.IBus.Portal --- .../bus/session/org.freedesktop.IBus.Portal | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal new file mode 100644 index 000000000..e7c0f9cef --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal 
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to the IBus portal + + abi , + + dbus send bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.IBus.Portal + member=CreateInputContext + peer=(name=org.freedesktop.portal.IBus), + + dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + include if exists + +# vim:syntax=apparmor From 865bac4cc6a2c7d79a37503b5d02985655a29532 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:59:07 +0200 Subject: [PATCH 126/184] feat(abs): update org.freedesktop.ColorManager. --- apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index e23092429..13d186898 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager 
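Review bot: `CreateInputContext` is sent to `org.freedesktop.portal.IBus`, which the ibus-portal profile owns per its `#aa:dbus own` directive earlier in this series, yet the two InputContext rules pin the peer to `label=ibus-daemon` with no name, so whichever process actually serves `/org/freedesktop/IBus/InputContext_@{int}` on the session bus decides whether they ever match. If the portal proxies the context the label should be ibus-portal; if ibus-daemon answers directly the first rule should carry it too, e.g. `peer=(name=org.freedesktop.portal.IBus, label=ibus-portal),` or `label=ibus-daemon` consistently across all three. Either way the first rule is unlabelled while the other two are, which is an inconsistency worth resolving before this is included widely.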
@@ -16,17 +16,17 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=FindDeviceByProperty - peer=(name="@{busname}", label="@{p_colord}"), + member={FindDeviceByProperty,FindDeviceById} + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), include if exists From 0c90adb24d81bab5f241c853be367e62f8fea01f Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 11 Sep 2025 17:04:37 -0600 Subject: [PATCH 127/184] Update mdadm There were lots of missing components of mdadm. I have a few scripts that create and tear down MD RAID arrays. I've ran them all and added the missing entries. Note that mdadm has the ability to run in daemon mode and send mail when an array fails. That's why it requires all the network entries. --- apparmor.d/profiles-m-r/mdadm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index e40f6b1e3..94a178ce7 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only abi , 
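Review bot: All three rewritten peer names in org.freedesktop.ColorManager are missing the braces around the alternation: `name="@{busname},org.freedesktop.ColorManager"` is one pattern containing a literal comma, not a choice between the unique and the well-known name, so the parser either rejects it or the rules can never match a real bus name and the abstraction silently stops working. Every other abstraction in this series writes it as `name="{@{busname},org.freedesktop.ColorManager}"`; apply that on all three lines: `peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),`.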
@@ -14,12 +15,22 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, + capability mknod, + capability net_admin, + + network netlink raw, mqueue (read getattr) type=posix /, @{exec_path} mr, + @{sh_path} rix, + @{bin}/sendmail rPUx, + + /etc/mdadm.conf r, + @{run}/initctl r, + @{run}/mdadm/* rwk, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, @@ -27,13 +38,17 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/virtual/block/md*/** rw, + @{sys}/module/md_mod/** rw, @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, @{PROC}/kcore r, @{PROC}/partitions r, + @{PROC}/mdstat rw, /dev/**/ r, + /dev/.tmp.md.* rw, include if exists } From c4bad04fed083d93c51c7040266f2a7bd179b550 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 11 Sep 2025 17:15:32 -0600 Subject: [PATCH 128/184] mdadm Make the linter happy :) --- apparmor.d/profiles-m-r/mdadm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 94a178ce7..a3fba9479 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -24,8 +24,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{bin}/sendmail rPUx, + @{sh_path} rix, + @{sbin}/sendmail rPUx, /etc/mdadm.conf r, From 1540315d5caab3d5e6a87dd4c5ea4c31114d1058 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 07:38:44 -0600 Subject: [PATCH 129/184] mdadm: include all config file locations pulled from strings --- apparmor.d/profiles-m-r/mdadm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index a3fba9479..b0397eb8d 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm 
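Review bot: `@{bin}/sendmail rPUx` (later `@{sbin}/sendmail`) runs the mailer under its own profile if one is loaded and otherwise unconfined from a root daemon; since this is the monitor's alert path that fallback deserves a comment, and if the tree ships a sendmail profile `rPx` keeps a missing profile loud rather than silent. The commit message attributes `network netlink raw` and `capability net_admin` to the mail feature, but mail is delivered by exec'ing sendmail, not over netlink; this looks more like uevent/udev monitoring, so put the justification on the rule, e.g. `network netlink raw, # udev uevent monitoring in --monitor mode; verify`. `@{sys}/module/md_mod/** rw` is also broader than the module parameters mdadm is known to write; if only `parameters/new_array` and `parameters/start_ro` are touched, listing them is cheap.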
@@ -27,7 +27,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/sendmail rPUx, - /etc/mdadm.conf r, + /etc/{,mdadm/}mdadm.conf r, + /etc/{,mdadm/}mdadm.conf.d/* r, @{run}/initctl r, @{run}/mdadm/* rwk, From 1d2b271dfcf96c739a79d7909161da2396cfc943 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 10:26:41 -0600 Subject: [PATCH 130/184] ssh-keygen: allow execution of ssh-sk-helper The ssh-sk-helper profile was added last year but never hooked into the ssh-keygen profile. This is needed for generating SSH keys that live on a yubikey. --- apparmor.d/groups/ssh/ssh-keygen | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 1b6dd5e98..738268b0a 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,6 +15,8 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, From c67773947ec9951c18fd511093be9bea78aa79de Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 08:09:04 -0600 Subject: [PATCH 131/184] ssh: allow ssh to authenticate to remote hosts using kerberos tickets --- apparmor.d/groups/ssh/ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index bf71a8463..c2926a3a4 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -12,6 +12,7 @@ profile ssh @{exec_path} { include include include + include include network inet stream, From 53501d8bf4bcf462c643e0c4fd81f4fd82865b79 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 12:25:55 -0600 Subject: [PATCH 132/184] ssh: allow ssh to write to the kerberos CC when it picks up a ticket --- apparmor.d/groups/ssh/ssh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index c2926a3a4..0d6826490 100644 
--- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -44,6 +44,8 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, + owner @{tmp}/krb5cc_* rwk, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, From fda74f574f4c3ec693c20eaaf6a19a737ddee178 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:02:35 +0200 Subject: [PATCH 133/184] chore(abs): add some device description. --- apparmor.d/abstractions/dri | 3 +++ apparmor.d/abstractions/nvidia-strict | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index dd8f7b55a..128da00d0 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -28,8 +28,11 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, + # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, + + # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a7529eb9a..8fd78a702 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -36,8 +36,14 @@ owner @{PROC}/@{pid}/task/@{tid}/comm r, /dev/char/195:@{u8} w, # Nvidia graphics devices + + # Nvidia proprietary modset driver /dev/nvidia-modeset rw, + + # Nvidia graphics devices /dev/nvidia@{int} rw, + + # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, From 56948a54eb1461ad4dd8e78a42185bb8e5de4819 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:03:20 +0200 Subject: [PATCH 134/184] feat(abs): reorganise the audio abstractions. --- apparmor.d/abstractions/audio-client | 6 ++++++ apparmor.d/abstractions/audio-server | 5 ----- 2 files changed, 6 insertions(+), 5 deletions(-) 
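Review bot: `owner @{tmp}/krb5cc_* rwk` covers only the classic FILE: credential cache under /tmp; on distributions whose default ccache is a `DIR:` or per-user cache under `/run/user/@{uid}/krb5cc/`, or the kernel KEYRING type, ssh will still be denied when it stores a forwarded or newly obtained ticket. If the kerberos abstraction included above does not already grant the write side, add `owner @{run}/user/@{uid}/krb5cc/{,*} rwk,` next to the /tmp rule, keeping both `owner`-qualified as done here.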
diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 826191309..1ebdf4c76 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -57,12 +57,18 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/+sound:card@{int} r, # For sound card + + @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, /dev/snd/controlC@{int} r, + /dev/snd/pcmC@{int}D@{int}[cp] r, + /dev/snd/timer r, include if exists diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 10bcef426..a7f89b91b 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -9,11 +9,6 @@ include - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{PROC}/asound/** rw, /dev/admmidi* rw, From 122b004c2e6be12d64f0eb0a3e3835cd0e8fef35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:29:29 +0200 Subject: [PATCH 135/184] feat(abs): aff the uinput abs. --- apparmor.d/abstractions/uinput | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 apparmor.d/abstractions/uinput diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput new file mode 100644 index 000000000..b97d1eb8a --- /dev/null +++ b/apparmor.d/abstractions/uinput @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2020 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow write access to the uinput device for emulating input devices from +# userspace for sending input events. + + abi , + + /dev/uinput rw, + /dev/input/uinput rw, + + include if exists + +# vim:syntax=apparmor From 7cf4719728569dc207122236ff5a187ff2375a8f Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:35:07 +0200 Subject: [PATCH 136/184] feat(abs): add the secrets-service abs. --- .../bus/session/org.freedesktop.Secret | 49 +++++++++++++++++++ apparmor.d/abstractions/secrets-service | 33 +++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Secret create mode 100644 apparmor.d/abstractions/secrets-service diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret new file mode 100644 index 000000000..8ded1b6d7 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret 
@@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon + + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus receive bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=ReadAlias + peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), + dbus send 
bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=@{busname}, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service new file mode 100644 index 000000000..71b7c7d82 --- /dev/null +++ b/apparmor.d/abstractions/secrets-service @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + include + + dbus send bus=session path=/org/gnome/keyring/daemon + interface=org.gnome.keyring.Daemon + member=GetEnvironment + peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor From db347d13de5610ddcd0338f23e082a9b0e544f74 Mon Sep 17 00:00:00 2001 
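Review bot: The `ReadAlias` rule uses `peer=(name=org.freedesktop.secrets, ...)` while `GetAll` and `SearchItems` use `peer=(name=@{busname}, ...)` and the two path-wide rules use `"{@{busname},org.freedesktop.secrets}"`; a client sends to the well-known name and the reply is matched against the unique name, so the three member-specific rules should use the combined form, `peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),`. Since the path-wide `send`/`receive` rules plus the `#aa:dbus common` directive already cover every member of those interfaces, the member-specific rules appear redundant, and a comment should say why they are kept if they are. The header paragraph is carried over from snapd — `snap-specific collection` does not apply to this project, `secret-service/)` has a stray parenthesis, and `are meant to instead to treat` is garbled — and it is duplicated verbatim in the secrets-service file in the next hunk, which could instead reference this file. Its conclusion, that the API gives no application isolation so any consumer can read every item in the default collection, is the point a profile author needs and deserves a one-line summary at the top.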
From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:37:35 +0200 Subject: [PATCH 137/184] feat(abs): revisit and restrict the devices-usb abs. --- apparmor.d/abstractions/devices-usb | 13 +++++++++++-- apparmor.d/abstractions/devices-usb-read | 23 +++++++++++++---------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 85f8f6b92..3361f10ec 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,13 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow raw access to all connected USB devices + abi , include - /dev/bus/usb/@{int}/@{int} wk, + @{PROC}/tty/drivers r, - @{sys}/devices/**/usb@{int}/{,**} w, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, + + # Allow access to all ttyUSB devices too + /dev/ttyACM@{int} wk, + /dev/ttyUSB@{int} wk, + + # Allow raw access to USB printers (i.e. for receipt printers in POS systems). + /dev/usb/lp@{int} wk, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 836a5f3c7..ea3131d59 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read 
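Review bot: `/dev/ttyACM@{int} wk` and `/dev/ttyUSB@{int} wk` grant write and lock but no read, so a serial client that opens the port read/write is still denied unless a read rule exists elsewhere, and neither this hunk nor devices-usb-read adds one; `rwk` is probably what is meant, and the same question applies to `/dev/usb/lp@{int} wk`. The subject says restrict, but the net effect is also a broadening from raw USB device nodes to every serial adapter and USB printer on the host, so the new header should say so, e.g. `# Allow raw access to all connected USB devices, USB serial adapters and USB printers.`. The `include` context line has lost its target in this rendering, so whether devices-usb-read is still pulled in cannot be confirmed from here.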
@@ -3,26 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# Allow detection of usb devices. Leaks plugged in USB device info - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{int}/@{int} r, + abi , @{sys}/class/ r, @{sys}/class/usbmisc/ r, @{sys}/bus/ r, @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/{,**} r, - - @{sys}/devices/**/usb@{int}/{,**} r, + @{sys}/bus/usb/devices/ r, + @{sys}/devices/**/usb@{int}/ r, + @{sys}/devices/**/usb@{int}/** r, # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/b180:@{int} r, # USB block devices + @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems + @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices + + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, include if exists From 26f905bcc2d7e454b66ff0329e4476ede43a97db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:38:34 +0200 Subject: [PATCH 138/184] feat(abs): X-strict: use tunables. --- apparmor.d/abstractions/X-strict | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 9330d2223..a92058206 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict 
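Review bot: `@{run}/udev/data/c16{6,7}:@{d} r` uses `@{d}` for the minor number while the neighbouring `b180:@{int}` and `c18{0,8,9}:@{int}` rules use `@{int}`; if `@{d}` is a single digit, as its use in `/dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d}` suggests, ttyACM devices with minor 10 and above are silently unmatched, so `@{run}/udev/data/c16{6,7}:@{int} r,` keeps the rules consistent. The new header `# Allow detection of usb devices. Leaks plugged in USB device info` is a welcome disclosure; it would be more useful if it said what leaks, i.e. vendor/product IDs and serial strings from the udev database, which the existing lsusb comment already hints at. The replacement of `c16[6,7]` by `c16{6,7}` also drops the stray `,` from the old character class, which is worth a word in the commit message.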
@@ -5,10 +5,10 @@ abi , # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", - unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), + unix type=stream addr=@/tmp/.ICE-unix/@{int}, + unix type=stream addr=@/tmp/.X11-unix/X@{int}, /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions @@ -16,13 +16,13 @@ /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/* rw, + /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/X@{int} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland From 170575fbff343a6c376bbebb9acac171ffbba3b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:40:54 +0200 Subject: [PATCH 139/184] feat(abs): ensure graphics devices are in nvidia-strict. --- apparmor.d/abstractions/graphics-full | 6 ------ apparmor.d/abstractions/nvidia-strict | 18 +++++++++++++----- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1e2c97224..de5f865b5 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full 
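Review bot: `unix type=stream addr=@/tmp/.X11-unix/X@{int},` and the `.ICE-unix` line next to it carry no access keyword, so they allow bind and listen on the display's abstract socket name, not just connecting to it; an X client only needs the `peer=(addr=...)` forms above, and a local-address rule lets a confined client occupy a display name. These lines predate the commit, but since it already tightens `.ICEauthority` to `r`, it is the moment to drop them or add `# bind needed by <reason>` explaining why clients need local-address rules. Replacing `[0-9]*` by `@{int}` is a tightening only if `@{int}` cannot match the empty string; worth checking the tunable's definition.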
@@ -8,13 +8,7 @@ include include - @{sys}/devices/@{pci}/numa_node r, - - @{PROC}/devices r, - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 8fd78a702..a14691a9c 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,7 +6,7 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, /usr/share/nvidia/nvidia-application-profiles-* r, @@ -24,13 +24,17 @@ owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, + @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, @@ -43,6 +47,10 @@ # Nvidia graphics devices /dev/nvidia@{int} rw, + # Nvidia's Unified Memory driver + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, + # Nvidia's control device /dev/nvidiactl rw, From 34cc1ab131ef8400a104a2b93131663f3e2f21e8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:42:10 +0200 Subject: [PATCH 140/184] feat(abs): graphics: limit access to cpu sys value. --- apparmor.d/abstractions/graphics | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) 
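Review bot: `@{PROC}/@{pid}/cmdline r` in the nvidia-strict hunk is added without `owner`, whereas the adjacent `comm` and `task/@{tid}/comm` rules are `owner`-scoped; unowned access lets the confined process read the command line of every process on the system, which routinely carries tokens or passwords passed as arguments. Unless the NVIDIA libraries are known to inspect other users' processes, `owner @{PROC}/@{pid}/cmdline r,` matches the surrounding style and the likely need (the library reading its own process name). The graphics-full hunk only moves rules, and the nvidia-uvm nodes landing under `# Nvidia's Unified Memory driver` is fine.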
diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 79872ceb4..c4edd09b4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -13,14 +13,22 @@ /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/* r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, + @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node@{int}/cpumap r, include if exists From 51bcdd5e148cc6f44c4ba560c8aede87e437531c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:43:40 +0200 Subject: [PATCH 141/184] feat(abs): add the input abs. --- apparmor.d/abstractions/common/app | 5 +---- apparmor.d/abstractions/common/game | 5 +---- apparmor.d/abstractions/input | 26 ++++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 8 deletions(-) create mode 100644 apparmor.d/abstractions/input diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index d0b36188b..70a50b8c1 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -26,6 +26,7 @@ include include include + include include include include 
@@ -72,8 +73,6 @@ @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @@ -143,8 +142,6 @@ owner @{att}/dev/shm/@{uuid} r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 6b97b014c..753d4cf0b 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -17,6 +17,7 @@ include include include + include include include @@ -108,11 +109,7 @@ /dev/ r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/js@{int} rw, /dev/tty rw, - /dev/uinput rw, include if exists diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input new file mode 100644 index 000000000..57905fd0c --- /dev/null +++ b/apparmor.d/abstractions/input @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2022-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow reading and writing to raw input devices + + abi , + + # network netlink raw, + + # Allow reading for supported event reports for all input devices. See + # https://www.kernel.org/doc/Documentation/input/event-codes.txt + @{sys}/devices/**/input@{int}/capabilities/* r, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/mice rw, + /dev/input/mouse@{int} rw, + + include if exists + +# vim:syntax=apparmor From 8c6b0ce33f12020f067d530e1927310eab721605 Mon Sep 17 00:00:00 2001 
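Review bot: The common/game hunk drops `/dev/input/js@{int} rw` and `/dev/uinput rw` in favour of a new include, but the input abstraction created in the last hunk of this commit lists only `event@{int}`, `mice` and `mouse@{int}`; the include target is stripped in this rendering, so if it is the new input abstraction, games using the legacy joystick interface lose `/dev/input/js@{int}` and nothing in this commit restores uinput. Either add `/dev/input/js@{int} rw,` to the input abstraction or keep it in common/game, and confirm a later commit re-adds uinput for games.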
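Review bot: The header `# Allow reading and writing to raw input devices` should state the consequence: read access to `/dev/input/event@{int}` exposes every keystroke and pointer movement of the session to the confined process wherever DAC on the nodes permits, so this abstraction belongs in profiles that must read devices directly rather than in a common base, and the common/app hunk of this commit appears to include it from there. Suggest `# Raw event access exposes all keyboard and pointer input of the session; include only where a profile must read devices directly.` The commented-out `# network netlink raw,` line is dead text in a brand-new file and should be removed or annotated with when it is needed.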
From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:47:50 +0200 Subject: [PATCH 142/184] feat(profile): cleanup profiles using the new abs. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/common/app | 3 +++ apparmor.d/abstractions/common/game | 5 +---- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/steam/steam | 4 +--- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- 6 files changed, 8 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 725b57fca..efb108586 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -34,7 +34,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 70a50b8c1..043ed7125 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,8 +28,11 @@ include include include + include include include + include + include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 753d4cf0b..2198c8537 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -20,6 +20,7 @@ include include include + include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -67,9 +68,6 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -80,7 +78,6 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, 
diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2800a4124..12c8e2e80 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include + include # Needed for configuring HCI interfaces capability net_admin, @@ -57,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, - /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index abfab75d7..e3fcb1931 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -41,6 +41,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability sys_ptrace, @@ -245,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, - /dev/uinput w, deny /opt/** r, @@ -353,8 +353,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/version r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 95013d8e0..33957504c 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -11,6 +11,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @@ -24,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, - /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists 
From ad406da5de2a886b916001956ee0ebc0fb463974 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:49:08 +0200 Subject: [PATCH 143/184] feat(abs): add org.freedesktop.portal.Settings. --- .../session/org.freedesktop.portal.Settings | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings new file mode 100644 index 000000000..01cf21c46 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=ReadAll + peer=(name=@{busname}, label=xdg-desktop-portal), + + include if exists + +# vim:syntax=apparmor From 608ff3db0ce9dece45f437253af461ce5d49e5ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:50:01 +0200 Subject: [PATCH 144/184] fix(abs): ColorManager peer name. --- apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 13d186898..46201fc23 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager 
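Review bot: The two rules address the portal by different peer names, `Read` with `peer=(name=org.freedesktop.portal.Desktop, ...)` and `ReadAll` with `peer=(name=@{busname}, ...)`; clients call both methods on the well-known name and the reply arrives from the unique name, so each rule should accept both, as the other bus abstractions in this series do: `peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),` on both. A one-line header describing what is granted (read access to the desktop settings portal, which is also a fingerprinting source) would match the other new bus files in this series.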
@@ -16,17 +16,17 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={FindDeviceByProperty,FindDeviceById} - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), include if exists From 4bbe0a1a32072f0224d58d694614664bec56b505 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:55:32 +0200 Subject: [PATCH 145/184] feat(abs): use the new secrets-service abstraction. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/profiles-g-l/gitg | 2 +- apparmor.d/profiles-m-r/protonmail | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index efb108586..2b03d5011 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -40,6 +39,7 @@ include include include + include include include include 
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 299d0738b..38122b7c0 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,12 +10,12 @@ include profile evolution-source-registry @{exec_path} { include include - include include include include include include + include include network inet stream, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8278ac648..a86ef9e37 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -27,7 +27,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -43,6 +42,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 2f190dfab..3a643bad7 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -15,11 +15,11 @@ profile seahorse @{exec_path} { include include include - include include include include include + include include #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg index ff5e12444..d668fbfd2 100644 --- a/apparmor.d/profiles-g-l/gitg +++ b/apparmor.d/profiles-g-l/gitg @@ -10,10 +10,10 @@ include profile gitg @{exec_path} { include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 0ac23267b..f5548f696 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail 
@@ -17,8 +17,8 @@ include profile protonmail @{exec_path} flags=(attach_disconnected) { include include - include include + include network inet stream, network inet dgram, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 17ca1ec5a..23d13694e 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 56f5e91b8..8917fa3a2 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -23,7 +23,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -33,6 +32,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 3a3a77313..dc6e4825a 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -28,6 +27,7 @@ profile vlc @{exec_path} { include include include + include include include From ddfe75f23f4f661027a3e04c55f3f3911909aacc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:05:02 +0200 Subject: [PATCH 146/184] refractor(abs): move org.kde.StatusNotifierItem inside the session abs dir. --- .../bus/{ => session}/org.kde.StatusNotifierItem | 7 +------ apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/vlc | 1 + 3 files changed, 3 insertions(+), 7 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.kde.StatusNotifierItem (79%) 
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem similarity index 79% rename from apparmor.d/abstractions/bus/org.kde.StatusNotifierItem rename to apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index 87fd06727..d017d44e3 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -23,11 +23,6 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f7abf758b..ee8ee627b 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -24,7 +24,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index dc6e4825a..7e9c31866 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -16,6 +16,7 @@ profile vlc @{exec_path} { include include include + include include include include From f199cfe84dbe28b50c3136c738a42f5939c57f3f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:06:51 +0200 Subject: [PATCH 147/184] feat(abs): app: minor improvement to common app action. --- apparmor.d/abstractions/common/app | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 043ed7125..a05bc2364 100644 --- a/apparmor.d/abstractions/common/app 
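Review bot: Besides the rename, this hunk deletes the `org.freedesktop.DBus.Properties` `Get` rule toward `org.kde.StatusNotifierWatcher`, which the subject does not mention; a client that reads the watcher's properties before registering would now be denied. If the removal is intentional because the rule lives elsewhere, say so in the commit message or in a comment; otherwise restore it, preferably with a peer label that is not tied to gnome-shell since other shells provide the watcher. The `include if exists` path update is fine.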
+++ b/apparmor.d/abstractions/common/app @@ -40,7 +40,7 @@ dbus bus=session, dbus bus=system, - /usr/** r, + /usr/** rk, /usr/share/** rk, /etc/{,**} r, @@ -85,6 +85,7 @@ @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, + @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, @@ -96,11 +97,13 @@ @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, From cd6bb7bd52c92085511aced5b6dcec89bf0278ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:09:31 +0200 Subject: [PATCH 148/184] feat(abs): add NEEDS-VARIABLE to abs using variable. Will be used by aa-logprof. --- apparmor.d/abstractions/app/chromium | 5 +++++ apparmor.d/abstractions/app/firefox | 4 ++++ apparmor.d/abstractions/common/app | 1 + apparmor.d/abstractions/common/bwrap | 1 + apparmor.d/abstractions/common/chromium | 1 + apparmor.d/abstractions/common/electron | 5 +++++ apparmor.d/abstractions/common/steam-game | 3 +++ 7 files changed, 20 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 2b03d5011..62a8432ba 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -2,6 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the 
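Review bot: `@{PROC}/@{pid}/maps r` and `@{PROC}/@{pid}/status r` are added without `owner`; `status` exposes uid, capability and seccomp state of every process to every sandboxed app, and `maps` reveals other processes' memory layout (the kernel already refuses that to unprivileged readers across uids, so `owner` costs nothing functionally). Suggest `owner @{PROC}/@{pid}/maps r,` and `owner @{PROC}/@{pid}/status r,` unless a concrete consumer needs the unowned form, in which case a comment naming it would help. `/usr/** rk` now adds lock on everything under /usr and `@{sys}/devices/virtual/dmi/id/bios_version k` grants lock alone; a short why-comment on the lock requirements would save the next reviewer the archaeology.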
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 238bf9e8b..e0321f62f 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -2,6 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a05bc2364..5a93050d6 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index da73b8217..2d3ab179f 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: att # A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 78441fe08..340092f23 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -2,6 +2,7 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/app/chromium instead. 
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index b581c9073..253eab72b 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -1,6 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Minimal set of rules for all electron based UI application. It works as a # *function* and requires some variables to be provided as *arguments* and set diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index b60e74a10..851588220 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: app_dirs +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: share_dirs abi , From 84f3f947cb343c81af50d2cc1868260c7c8ab846 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:11:18 +0200 Subject: [PATCH 149/184] feat(abs): improve chromium common. --- apparmor.d/abstractions/common/chromium | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 340092f23..23f4544a3 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium 
@@ -17,9 +17,14 @@ userns, + # Required for dropping into PID namespace. Keep in mind that until the + # process drops this capability it can escape confinement, but once it + # drops CAP_SYS_ADMIN we are ok. + capability sys_admin, + + # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -33,20 +38,22 @@ owner @{tmp}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, + owner @{tmp}/scoped_dir@{rand6}/SS rw, /dev/shm/ r, owner /dev/shm/.@{domain}.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # Allow getting the manufacturer and model of the computer where chromium is currently running. @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, From 31cbe5e2e9fdf0deaceb9bc2adee764809a68a6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 11:33:24 +0200 Subject: [PATCH 150/184] fix(profile): revert 06d476c fix #855 --- apparmor.d/groups/systemd/systemd-logind | 2 ++ 1 file changed, 2 insertions(+) 
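Review bot: The comment added above `capability sys_admin` says the process is fine once it drops CAP_SYS_ADMIN, but nothing in the profile enforces that drop — an AppArmor capability rule only grants, so everything up to the point where the confined program drops it runs with sys_admin under this abstraction and under every profile that includes it. It would help a reader to say so next to the `userns,` rule at the top of the hunk, e.g. `# The profile cannot enforce the drop; it only makes it possible for the sandbox setup to do it.`. In the second hunk the SingletonCookie/SingletonSocket rules widen from `w` to `rw` without a word on why read access became necessary; a short comment there would keep the rationale next to the rule. Both hunks sit inside an abstraction whose header is outside this view.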
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index c5e87b3e2..6b102829d 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -137,7 +137,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, + /dev/dri/card@{int} rw, @{att}/dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, From bd487d1b6653d0db9304873a9e52642b56b2f207 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 11:58:25 +0200 Subject: [PATCH 151/184] fear(profile): remove profile for spectre-meltdown-checker. --- .../profiles-s-z/spectre-meltdown-checker | 186 ------------------ 1 file changed, 186 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/spectre-meltdown-checker diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker deleted file mode 100644 index 6e5af1288..000000000 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ /dev/null 
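Review bot: The new `/dev/dri/card@{int} rw,` sits directly above the existing `@{att}/dev/dri/card@{int} rw,` with no comment on why both the attached and disconnected forms are needed, while the new `/dev/input/event@{int} rw,` gets only the plain form; the commit message points at #855 but the profile does not. A comment such as `# Both forms needed, see #855` on the first added line would stop the next cleanup from removing the duplicate again. Write access to every input event device is a broad grant; if logind's use that motivated #855 is read-only (switch monitoring, for instance), `r` would be the tighter rule — worth checking the denials. The profile body continues outside the hunk.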
@@ -1,186 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} -profile spectre-meltdown-checker @{exec_path} { - include - include - - # Needed to read the /dev/cpu/@{int}/msr device - capability sys_rawio, - - # Needed to read system logs - capability syslog, - - # Used by readlink - capability sys_ptrace, - ptrace (read), - - @{exec_path} r, - - @{bin}/ r, - @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/{,@{multiarch}-}readelf rix, - @{bin}/{,@{multiarch}-}strings rix, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/bunzip2 rix, - @{bin}/cat rix, - @{bin}/ccache rCx -> ccache, - @{bin}/cut rix, - @{bin}/date rix, - @{bin}/dd rix, - @{bin}/dirname rix, - @{bin}/dmesg rix, - @{bin}/find rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/head rix, - @{bin}/id rix, - @{sbin}/iucode_tool rix, - @{bin}/kmod rCx -> kmod, - @{bin}/lzop rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/nproc rix, - @{bin}/od rix, - @{bin}/perl rix, - @{bin}/pgrep rCx -> pgrep, - @{sbin}/rdmsr rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/sort rix, - @{bin}/stat rix, - @{bin}/tail rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/unzip rix, - @{bin}/xargs rix, - @{bin}/xz rix, - @{bin}/zstd rix, - - # To fetch MCE.db from the MCExtractor project - @{bin}/wget rCx -> mcedb, - @{bin}/sqlite3 rCx -> mcedb, - owner @{tmp}/mcedb-* rw, - owner @{tmp}/smc-* rw, - owner @{tmp}/{,smc-}intelfw-*/ rw, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, - - owner @{HOME}/.mcedb rw, - - 
/tmp/ r, - owner @{tmp}/{config,kernel}-* rw, - - owner /dev/cpu/@{int}/cpuid r, - owner /dev/cpu/@{int}/msr rw, - owner /dev/kmsg r, - - @{efi}/ r, - @{efi}/config r, - @{efi}/System.map-* r, - @{efi}/vmlinuz-* r, - - @{sys}/devices/system/cpu/vulnerabilities/* r, - @{sys}/module/kvm_intel/parameters/ept r, - - @{PROC}/ r, - @{PROC}/config.gz r, - @{PROC}/cmdline r, - @{PROC}/kallsyms r, - @{PROC}/modules r, - - # find and denoise - @{PROC}/@{pids}/{status,exe} r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/*/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # For shell pwd - /root/ r, - /etc/ r, - - profile ccache { - include - - @{bin}/ccache mr, - - @{lib}/llvm-[0-9]*/bin/clang rix, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/{,@{multiarch}-}g++-[0-9]* rix, - - /media/ccache/*/** rw, - - /etc/debian_version r, - - include if exists - } - - profile pgrep { - include - include - - include if exists - } - - profile mcedb { - include - include - include - include - - deny capability net_admin, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{bin}/wget mr, - @{bin}/sqlite3 mr, - - /etc/wgetrc r, - owner @{HOME}/.wget-hsts rwk, - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{,smc-}mcedb-* rwk, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - - /usr/share/publicsuffix/public_suffix_list.* r, - - include if exists - } - - profile kmod { - include - include - - capability sys_module, - - owner @{sys}/module/cpuid/** r, - owner @{sys}/module/msr/** r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor From 4982ff104ddf57c7e92d4fcff5f33437bf71cbaa Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 13 Sep 2025 12:03:00 +0200 Subject: [PATCH 152/184] feat(profile): remove rules not needed anymore Moved into the nvidia-strict abs. --- apparmor.d/profiles-m-r/nvidia-settings | 2 -- apparmor.d/profiles-m-r/nvidia-smi | 2 -- apparmor.d/profiles-m-r/nvtop | 3 +-- 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 771bbb3b6..893770a4b 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -33,8 +33,6 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} r, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 1d6d62e2b..eb42bd59b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -26,8 +26,6 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index d0553d186..fc51b5b9e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, @@ -54,7 +54,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, From 34aa208ec98f3baafd7042543f79929f5658dc91 Mon Sep 17 00:00:00 2001 
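Review bot: The `/dev/nvidia-uvm` and `/dev/nvidia-uvm-tools` rules are removed from nvidia-settings and nvidia-smi on the grounds that they moved into the nvidia-strict abstraction, but neither hunk shows those profiles including that abstraction (the include targets are not legible in this rendering), so confirm both profiles actually pull it in or the access is lost rather than moved. The nvtop `/dev/dri/ r,` removal presumably relies on the same include swap made in its first hunk. All three profile bodies continue outside the hunks.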
From: Alexandre Pujol Date: Sat, 13 Sep 2025 16:11:16 +0200 Subject: [PATCH 153/184] refractor(abs): reorganize dbus abstraction (1) --- .../abstractions/bus/org.freedesktop.resolve1 | 16 ---------------- .../bus/{ => system}/org.freedesktop.locale1 | 3 +-- .../bus/{ => system}/org.gnome.DisplayManager | 4 ++-- apparmor.d/groups/flatpak/flatpak | 2 +- .../groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/kde/startplasma | 2 +- 9 files changed, 9 insertions(+), 26 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.resolve1 rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.locale1 (70%) rename apparmor.d/abstractions/bus/{ => system}/org.gnome.DisplayManager (73%) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 deleted file mode 100644 index fe6d52dc6..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} - peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 similarity index 70% rename from apparmor.d/abstractions/bus/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.locale1 index 1348c8a39..e2377a14b 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 @@ -4,12 +4,11 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager similarity index 73% rename from apparmor.d/abstractions/bus/org.gnome.DisplayManager rename to apparmor.d/abstractions/bus/system/org.gnome.DisplayManager index 741631f4b..4833b1512 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,6 @@ member=RegisterDisplay peer=(name="@{busname}", label=gdm), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index bd749db40..4ef675aef 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -13,7 +13,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 56fd3ce3f..adf2aa264 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,7 +11,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include 
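Review bot: After the `#aa:dbus common ... label="@{p_systemd_localed}"` directive is dropped, the only rule left in the locale1 abstraction is the `dbus send ... member=GetAll peer=(name=org.freedesktop.locale1)` line, which carries no `label=`, while the sibling abstractions moved into bus/system/ in this series (ColorManager, UPower) pin the peer with a label. Unless the peer is intentionally left unlabelled, `peer=(name=org.freedesktop.locale1, label="@{p_systemd_localed}")` would keep the rule consistent with the rest of bus/system/ and restrict the call to the confined localed peer.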
diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index c08d12a07..5d2e3e21e 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,8 +11,8 @@ profile gdm-session @{exec_path} { include include include - include include + include signal receive set=(hup term) peer=gdm-session-worker, signal receive set=(term) peer=gdm, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a86ef9e37..1fb7efd7d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -23,7 +23,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index cbb8ccf71..80f19f93a 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -14,7 +14,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index a8c8cbd13..64e332dc5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -12,7 +12,7 @@ profile startplasma @{exec_path} { include include include - include + include include include From 3c49755d189be4fa86c714b22ba5d175bf1901c0 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 13 Sep 2025 23:52:37 +0200 Subject: [PATCH 154/184] refractor(abs): reorganize dbus abstraction (2) - new upower-observe abstraction --- apparmor.d/abstractions/app/chromium | 5 ++--- .../bus/{ => session}/org.gnome.ArchiveManager1 | 2 +- .../org.gnome.Nautilus.FileOperations2 | 2 +- .../bus/{ => system}/org.freedesktop.ColorManager | 4 ++-- .../bus/{ => system}/org.freedesktop.UPower | 2 +- apparmor.d/groups/cups/cupsd | 11 +---------- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/wireplumber | 3 ++- apparmor.d/groups/gnome/gnome-extension-ding | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 14 +++++++++++--- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/localsearch | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 4 ++-- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/sddm-greeter | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- 22 files changed, 37 insertions(+), 38 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.ArchiveManager1 (86%) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Nautilus.FileOperations2 (76%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.ColorManager (90%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.UPower (94%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 62a8432ba..9c5b16edd 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -27,13 +27,11 @@ include include include - include + include include include - include include include - include include include include 
@@ -48,6 +46,7 @@ include include include + include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 similarity index 86% rename from apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index 6bfa6114b..f69667e08 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -11,6 +11,6 @@ member=GetSupportedTypes peer=(name="@{busname}", label="@{p_file_roller}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 similarity index 76% rename from apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 rename to apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 index 178139a8d..8a3e7d74e 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 @@ -6,6 +6,6 @@ #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager similarity index 90% rename from apparmor.d/abstractions/bus/org.freedesktop.ColorManager rename to apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager index 46201fc23..4b5dcc746 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager 
@@ -15,7 +15,7 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=CreateDevice + member={CreateProfile,CreateDevice,DeleteDevice} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager @@ -28,6 +28,6 @@ member={FindDeviceByProperty,FindDeviceById} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower similarity index 94% rename from apparmor.d/abstractions/bus/org.freedesktop.UPower rename to apparmor.d/abstractions/bus/system/org.freedesktop.UPower index 64b400a3e..aa6a61371 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -29,6 +29,6 @@ member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 642d7ef5c..0a23ce476 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -12,7 +12,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include @@ -46,15 +46,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=DeleteDevice - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=FindDeviceById - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - @{exec_path} mr, @{sh_path} rix, 
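Review bot: Widening the ColorManager abstraction's first rule to `member={CreateProfile,CreateDevice,DeleteDevice}` changes what every includer may call, and the cupsd hunk on the same line swaps its two explicit rules (DeleteDevice and FindDeviceById, both with `label="@{p_colord}"`) for the abstraction, so cupsd now also gets CreateProfile/CreateDevice and whatever else the abstraction grants rather than exactly what it used. If cupsd genuinely registers devices and profiles with colord (plausible for printer colour management) a comment on the include saying so would be useful; otherwise keeping the narrower explicit rules in cupsd preserves least privilege. The cupsd profile continues outside the hunk.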
diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 0f6f9abeb..83652914f 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 84d6675de..fc9029ef3 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -15,11 +15,12 @@ profile wireplumber @{exec_path} { include include include - include + include include include include include + include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index be7edcd79..e41718803 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,8 +19,8 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1fb7efd7d..d8853aa3b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -28,7 +28,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -45,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include capability sys_nice, capability sys_ptrace, 
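Review bot: The upower profile's directive changes from `#aa:dbus own` to `#aa:dbus talk` for org.freedesktop.UPower, the very name upowerd provides; if the generator's `talk` form emits only send/receive rules and not the `dbus bind` that `own` gives, the daemon loses the ability to acquire its own name. Worth checking the generated output — the client side is covered by the renamed bus/system/org.freedesktop.UPower abstraction, but the daemon side still needs the bind. The profile continues outside the hunk.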
@@ -73,17 +73,25 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager + #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications + #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher - #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting + # Talk with gnome-shell + # The strategy with dbus rules in this profile is first to declare all communications + # needed on buses and to limit them only to their profiles in apparmor.d. As such, + # only dbus directive is used for this. Later, some communications could be + # restricted. + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" 
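Review bot: The new `# Talk with gnome-shell` heading is placed inside the gnome-shell profile itself, above directives where gnome-shell is the caller (`#aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"` and the rest), so the heading says the opposite of what follows; `# Talk to other services` would match. The explanatory paragraph also reads roughly — `only dbus directive is used for this` → `only the #aa:dbus directive is used for this` — and its last sentence would be more useful if it said what a later restriction would narrow (members or interfaces). The hunk's enclosing profile continues outside it.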
@@ -95,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.gnome.* label=gnome-* #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus @@ -102,7 +111,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # Session bus dbus send bus=session path=/org/gnome/** diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 7f02d8bf4..32869cdbc 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -16,7 +16,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -26,6 +25,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0f77b023e..f3be82dfd 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index c041cdf99..66420cace 100644 
--- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,7 +11,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 7f7a3a8e4..e7cdc1a38 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,7 +11,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 01706e649..f40c86e03 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -17,11 +17,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include - include include include include include + include capability wake_alarm, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index ddd14b5c2..192d3f957 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,15 +13,15 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include - include + include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 45f0d43e9..cc9907266 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
@@ -18,7 +18,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include include @@ -31,6 +30,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include userns, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 08835eaf0..1b8930f06 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include + include include capability audit_write, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index c9aca546a..47383bb75 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -13,13 +13,13 @@ profile sddm-greeter @{exec_path} { include include include - include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index bcdcf108d..34284388e 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -17,7 +17,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -26,6 +25,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 178bf28c6..e4e923159 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -12,8 +12,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include - include include + include capability dac_read_search, capability net_admin, 
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index b663865e8..4c27ee2ca 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -13,7 +13,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, From 94444077a8be642422836617398638ebc6cafccc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 23:53:05 +0200 Subject: [PATCH 155/184] feat(profile): update attachement for gnome-extension-ding --- apparmor.d/groups/gnome/gnome-extension-ding | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e41718803..400b28b6e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,7 +9,7 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com -@{exec_path} = @{share_dirs}/{,app/}ding.js +@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js profile gnome-extension-ding @{exec_path} { include include From e4b6e7e92b80adbb548800663495a3e4e6c8117f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:01:10 +0200 Subject: [PATCH 156/184] feat(abs): add the devices-u2f abs. --- apparmor.d/abstractions/app/chromium | 4 +--- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/devices-u2f | 23 +++++++++++++++++++++++ 4 files changed, 26 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/devices-u2f diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 9c5b16edd..1c504d2a8 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium 
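Review bot: The gnome-extension-ding attachment drops `@{share_dirs}/ding.js` (the old `{,app/}` alternative) while adding `app/createThumbnail.js`; if any supported extension version still ships `ding.js` at the top level it would now run unconfined instead of under this profile, so a comment naming the version where the layout changed would help. The profile body continues outside the hunk.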
@@ -36,6 +36,7 @@ include include include + include include include include @@ -154,9 +155,7 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/**/report_descriptor r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -181,7 +180,6 @@ owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index e0321f62f..21534208f 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -31,6 +31,7 @@ include include include + include include include include @@ -164,7 +165,6 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5a93050d6..e83efdb89 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -21,6 +21,7 @@ include include include + include include include include @@ -148,7 +149,6 @@ @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, - /dev/hidraw@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f new file mode 100644 index 000000000..c707d66e0 --- /dev/null +++ b/apparmor.d/abstractions/devices-u2f 
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to Universal 2nd Factor (U2F) devices + + abi , + + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + + # Needed for dynamic assignment of U2F devices + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/**/i2c*/**/report_descriptor r, + @{sys}/devices/**/usb@{int}/**/report_descriptor r, + + # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed + /dev/hidraw@{int} rw, + + include if exists + +# vim:syntax=apparmor From 939a2b7f4bd2068746b8be936fe5c66aa2140575 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:01:30 +0200 Subject: [PATCH 157/184] feat(abs): add upower-observe --- apparmor.d/abstractions/upower-observe | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 apparmor.d/abstractions/upower-observe diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe new file mode 100644 index 000000000..67478bb6d --- /dev/null +++ b/apparmor.d/abstractions/upower-observe @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can query UPower for power devices, history and statistics. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From 8e73353cc8c2335dfbc92c1e0fdc7628ade4b904 Mon Sep 17 00:00:00 2001 
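Review bot: `/dev/hidraw@{int} rw` grants read/write on every hidraw node, not only FIDO tokens, so any profile that includes this abstraction may exchange raw reports with keyboards, mice and any other HID device the process can open; in practice the per-device restriction to FIDO tokens comes from udev `uaccess` rules and DAC, not from this rule, and the comment should say so. Suggested wording for the comment above the rule: `# Raw access to HID (Human Interface Devices), which is how U2F/FIDO devices are exposed. This matches every hidraw node; limiting non-root users to FIDO tokens is done by udev uaccess/DAC, not by this rule.` — this also fixes `HDI` and `wich`. The `@{run}/udev/data/+power_supply:* r` line is unrelated to U2F by its own comment and is presumably needed because device enumeration through libudev touches it; one sentence saying why a U2F abstraction carries it would help the next maintainer.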
From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:09:16 +0200 Subject: [PATCH 158/184] feat(abs): add pcscd --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/pcscd | 19 +++++++++++++++++++ apparmor.d/groups/gnome/gsd-smartcard | 6 +++--- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/profiles-m-r/pkcs11-register | 3 +-- apparmor.d/profiles-m-r/rngd | 2 +- 7 files changed, 27 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/pcscd diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 1c504d2a8..6e447bf05 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -42,6 +42,7 @@ include include include + include include include include @@ -107,7 +108,6 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/{,opensc/}opensc.conf r, / r, owner @{HOME}/ r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 21534208f..7630b8576 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -37,6 +37,7 @@ include include include + include include include include @@ -80,7 +81,6 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, /etc/lsb-release r, diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd new file mode 100644 index 000000000..33a981279 --- /dev/null +++ b/apparmor.d/abstractions/pcscd 
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows interacting with PC/SC Smart Card Daemon + + abi , + + # Configuration file for OPENSC + /etc/opensc.conf r, + /etc/opensc/opensc.conf r, + + # Socket for communication between PCSCD and PS/SC API library + @{run}/pcscd/pcscd.comm rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 98ce848ba..d42fb486b 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,13 +9,14 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -31,7 +32,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 3a643bad7..1fac28dfa 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -19,6 +19,7 @@ profile seahorse @{exec_path} { include include include + include include include @@ -34,7 +35,6 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, - /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 989f6ec8b..d775cafe5 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register 
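Review bot: The comment `# Socket for communication between PCSCD and PS/SC API library` should read `PC/SC`, and it should state what `rw` on `@{run}/pcscd/pcscd.comm` actually confers: full client access to the PC/SC daemon, i.e. connecting to and transmitting APDUs to any reader and card pcscd exposes, not merely reading configuration. Suggested header: `# Allows acting as a PC/SC client: reading the OpenSC configuration and talking to pcscd (any reader/card it exposes) over its socket.` The `gsd-smartcard` hunk below reorders its includes while swapping the inline `/etc/{,opensc/}opensc.conf r` for the abstraction; the profile body it belongs to continues outside the hunk.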
@@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include + include @{exec_path} mr, - /etc/{,opensc/}opensc.conf r, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index ebbf0a5ab..2e548d40c 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -12,6 +12,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, @@ -24,7 +25,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, - /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, From 962b372390f837f7162f97fa78fbe4b24204af26 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 01:08:15 +0200 Subject: [PATCH 159/184] fix(profile): qemu-ga path on opensuse. --- apparmor.d/profiles-m-r/qemu-ga | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 5173c50d8..f8fd84d3f 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin profile qemu-ga @{exec_path} { include From 2ceaa16d9a53027a77092739738ec0491e76c39a Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:06:06 +0200 Subject: [PATCH 160/184] feat(abs): rewrite the avahi abs, add avahi-observe --- apparmor.d/abstractions/app/chromium | 3 +- apparmor.d/abstractions/avahi-observe | 25 +++++++++++++++ .../org.freedesktop.Avahi.AddressResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.DomainBrowser | 25 +++++++++++++++ .../org.freedesktop.Avahi.HostNameResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.RecordBrowser | 25 +++++++++++++++ .../bus/system/org.freedesktop.Avahi.Server | 31 +++++++++++++++++++ .../org.freedesktop.Avahi.ServiceBrowser | 23 ++++++++++++++ .../org.freedesktop.Avahi.ServiceResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.ServiceTypeBrowser | 25 +++++++++++++++ apparmor.d/abstractions/common/app | 2 +- apparmor.d/groups/avahi/avahi-browse | 8 ++--- apparmor.d/groups/avahi/avahi-resolve | 14 ++------- apparmor.d/groups/avahi/avahi-set-host-name | 3 ++ apparmor.d/groups/cups/cups-backend-dnssd | 2 +- apparmor.d/groups/cups/cups-browsed | 4 ++- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/cups/ippfind | 2 +- apparmor.d/groups/freedesktop/colord | 3 +- apparmor.d/groups/freedesktop/geoclue | 3 +- apparmor.d/groups/freedesktop/pulseaudio | 21 +++---------- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- .../gnome/gnome-control-center-goa-helper | 2 +- .../groups/gnome/gsd-print-notifications | 25 +++------------ apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 3 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/murmurd | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- 30 files changed, 267 insertions(+), 71 deletions(-) create mode 100644 apparmor.d/abstractions/avahi-observe create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser create mode 100644 
apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 6e447bf05..1635741ed 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,10 +25,9 @@ abi , include + include include include - include - include include include include diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe new file mode 100644 index 000000000..aac14fa7d --- /dev/null +++ b/apparmor.d/abstractions/avahi-observe @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows domain, record, service, and service type browsing as well as address, +# host and service resolving + + abi , + + include + + include + include + include + include + include + include + include + + @{run}/avahi-daemon/socket rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver new file mode 100644 index 000000000..f6a1a251c --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver 
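Review bot: The abstraction bundles the seven browser/resolver bus abstractions with `@{run}/avahi-daemon/socket rw` but does not say what the socket adds on top of the DBus rules, so a reader cannot tell whether it widens the grant. A comment such as `# Avahi simple-protocol socket, used by nss-mdns for hostname resolution` would make the intent explicit; please confirm the protocol served on that socket is resolve-only before stating it. Since the name says "observe" and none of the included abstractions grant `EntryGroupNew` or `SetHostName`, the header should also state that publishing is deliberately excluded so a future edit does not add it here.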
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Address resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=AddressResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser new file mode 100644 index 000000000..39f5e4496 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Domain browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=DomainBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver new file mode 100644 index 000000000..403a4db0f --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Hostname resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=HostNameResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser new file mode 100644 index 000000000..bff079b13 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser 
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Record browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server new file mode 100644 index 000000000..bfc87b3cc --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow service introspection + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + # Allow accessing DBus properties and resolving + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={Get*,Resolve*,IsNSSSupportAvailable} + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow receiving anything from the Avahi server + dbus receive bus=system + interface=org.freedesktop.Avahi.Server + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor 
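Review bot: The `Introspect` send rule uses `peer=(name=@{busname}, label="@{p_avahi_daemon}")` while every other send rule in this file targets `peer=(name=org.freedesktop.Avahi, ...)`; a client that introspects the well-known name (what `busctl introspect org.freedesktop.Avahi /` does) would not match a unique-name pattern, so either both names are needed or the rule should use `name=org.freedesktop.Avahi` like its siblings — verify against a denial log before changing. The file also lacks the one-line header comment its sibling abstractions carry and a note that publishing is deliberately excluded; `# Read-only access to the Avahi server object: properties, resolving, state. No publishing (EntryGroupNew, SetHostName).` would do. `member={Get*,Resolve*,IsNSSSupportAvailable}` relies on wildcards, which is fine for read-only methods but worth a comment so nobody widens it to `Set*` by analogy.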
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser new file mode 100644 index 000000000..6a3b1510d --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver new file mode 100644 index 000000000..d90e9ca14 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver 
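Review bot: The ServiceBrowser file has no descriptive header comment, unlike `org.freedesktop.Avahi.ServiceResolver` (`# Service resolving`) and the other Avahi abstractions added in this commit; add `# Service browsing` after the license line so the set stays uniform. The three rules otherwise mirror the sibling files.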
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser new file mode 100644 index 000000000..93affdc51 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service type browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceTypeBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index e83efdb89..091cfbbb4 100644 --- a/apparmor.d/abstractions/common/app 
+++ b/apparmor.d/abstractions/common/app @@ -13,6 +13,7 @@ abi , include + include include include include @@ -73,7 +74,6 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 3ac729baa..805d54b2b 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -11,14 +11,10 @@ include profile avahi-browse @{exec_path} { include include - include + include + include include - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 1a66b4726..d45cffca3 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -11,19 +11,11 @@ include profile avahi-resolve @{exec_path} { include include - include + include + include + include include - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Free,HostNameResolverNew} - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Failure,Found} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index dd9eaba6c..45df7ce93 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name 
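Review bot: The hunk swaps the inline `@{run}/avahi-daemon/socket rw` for an include, but the visible context line `@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.` keeps the same inline pattern for pcscd even though commit 158 in this series introduced `abstractions/pcscd` granting exactly that socket plus the OpenSC configuration; replacing the line with `include <abstractions/pcscd>` keeps one definition of the rule. Since `common/app` is included by many desktop profiles, doing so also widens them to the OpenSC config files — acceptable if intended, but worth a line in the commit message. The avahi-browse and avahi-resolve hunks below replace receive rules scoped to `{ItemNew,AllForNow,CacheExhausted}` and `{Failure,Found}` with the new abstractions, whose receive rules carry no `member=` restriction; that is a small widening that the abstraction headers could acknowledge.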
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +10,8 @@ include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include + include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index 1009a0ef2..877200660 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 7330d67c9..1e47287ac 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -10,8 +10,10 @@ include profile cups-browsed @{exec_path} { include include - include include + include + include + include include include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 0a23ce476..ec0bbfd67 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -11,7 +11,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index c2a944b11..fe4347237 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -10,7 +10,7 @@ include profile ippfind @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index b3cda6307..c069b7afd 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
@@ -11,8 +11,9 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index fbc7a7582..04eeba521 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -11,9 +11,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { include include include - include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index ce1dffd58..346ae7257 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,10 +14,12 @@ profile pulseaudio @{exec_path} { include include include - include - include include include + include + include + include + include include include include @@ -49,26 +51,11 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=ItemRemove - peer=(name=:*, label="@{p_avahi_daemon}"), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member={Found,Free} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index c1f255c75..fafdea3a5 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy 
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -14,7 +14,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 8ef24e9ce..b4128b1af 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,11 +10,11 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include + include include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 1fa7d7050..21a326fe6 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include + include include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index c5be27f27..5d037961f 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,11 +9,14 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include - include include include - include include + include + include + include + include + include include include 
@@ -38,24 +41,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=RecordBrowserNew - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - dbus send bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - - dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member={CacheExhausted,ItemNew} - peer=(name=@{busname}, label=avahi-daemon), - dbus receive bus=system path=/Client4/RecordBrowser3 - interface=org.freedesktop.Avahi.RecordBrowser - member=ItemNew - peer=(name=@{busname}, label=avahi-daemon), - @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 1fac28dfa..96b60ab72 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,11 +9,11 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include + include include include include include - include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index ab786106c..a4eb42821 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,9 +12,10 @@ profile gvfsd-dnssd @{exec_path} { include include include - include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index de1c4a856..63f348f9b 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice 
@@ -11,11 +11,11 @@ include profile libreoffice @{exec_path} { include include + include include include include include - include include include include diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 2065dd814..e0bd8d976 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -10,7 +10,7 @@ include profile murmurd @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 23d13694e..90db69a13 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -10,11 +10,11 @@ include profile remmina @{exec_path} { include include + include include include include include - include include include include From 63c9c8cc2da2085d884e80ca42f9c624106367dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:11:23 +0200 Subject: [PATCH 161/184] refractor(abs): move org.kde.kwalletd --- apparmor.d/abstractions/bus/{ => session}/org.kde.kwalletd | 4 ++-- apparmor.d/abstractions/secrets-service | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.kde.kwalletd (50%) diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/session/org.kde.kwalletd similarity index 50% rename from apparmor.d/abstractions/bus/org.kde.kwalletd rename to apparmor.d/abstractions/bus/session/org.kde.kwalletd index 1ae5a1ace..0afce1cdf 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/session/org.kde.kwalletd @@ -1,9 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service index 71b7c7d82..083672cc9 100644 
--- a/apparmor.d/abstractions/secrets-service +++ b/apparmor.d/abstractions/secrets-service @@ -22,6 +22,7 @@ abi , include + include dbus send bus=session path=/org/gnome/keyring/daemon interface=org.gnome.keyring.Daemon From b471f8359a29e79d14f7e66648a136a85eaad3d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:14:18 +0200 Subject: [PATCH 162/184] feat(profile): update cups-browsed --- apparmor.d/groups/cups/cups-browsed | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 1e47287ac..ca1dc9630 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/cups-browsed -profile cups-browsed @{exec_path} { +profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include include @@ -18,9 +18,8 @@ profile cups-browsed @{exec_path} { include include -# capability net_admin, + capability net_admin, capability net_bind_service, -# capability sys_nice, network inet dgram, network inet6 dgram, @@ -28,20 +27,12 @@ profile cups-browsed @{exec_path} { network inet6 stream, network netlink raw, - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=:*, label="@{p_avahi_daemon}"), + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), - - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier - member={PrinterDeleted,PrinterStopped} - peer=(name=@{busname}, label=cups-notifier-dbus), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, 
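Review bot: `capability net_admin` is enabled in the `@@ -18,9 +18,8 @@` hunk without a comment saying what cups-browsed does that needs it; net_admin allows reconfiguring interfaces, routes and firewall state, far beyond the `network netlink raw` monitoring already granted, so record the triggering operation, e.g. `capability net_admin, # needed for <operation>, see denial <...>`, or gate it with `#aa:only` if it is distro-specific. The `#aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus` directive replaces a receive rule limited to `{PrinterDeleted,PrinterStopped}` with a bidirectional, member-unrestricted exchange; if cups-browsed only consumes notifications, a `dbus receive` rule listing the members it handles is tighter. The deleted avahi `StateChanged` receive is presumably covered by the `org.freedesktop.Avahi.Server` abstraction added to this profile earlier in the series; those include lines are outside this hunk.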
@@ -59,7 +50,7 @@ profile cups-browsed @{exec_path} { owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? + @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, From d9ff4aecd757f41b5b8e401e20611ab3e18862dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:24:49 +0200 Subject: [PATCH 163/184] build: add test build target. --- Justfile | 8 ++++++++ pkg/prebuild/cli/cli.go | 6 ++++++ pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 4 files changed, 21 insertions(+) diff --git a/Justfile b/Justfile index 2c4c0e8d4..64e333079 100644 --- a/Justfile +++ b/Justfile @@ -65,11 +65,19 @@ build: enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in enforce mode (test) +enforce-test: build + @./{{build}}/prebuild --buildir {{build}} --test + # Prebuild the profiles in complain mode [group('build')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in complain mode (test) +complain-test: build + @./{{build}}/prebuild --buildir {{build}} --complain --test + # Prebuild the profiles in FSP mode [group('build')] fsp: build diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index bf768c050..afed5aedf 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -37,6 +37,7 @@ Options: -s, --server Set AppArmor for server. -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. + --test Enable test mode. --debug Enable debug mode. ` ) @@ -48,6 +49,7 @@ var ( full bool server bool debug bool + test bool abi int version float64 file string @@ -74,6 +76,7 @@ func init() { flag.StringVar(&buildir, "b", "", "Root build directory.") flag.StringVar(&buildir, "buildir", "", "Root build directory.") flag.BoolVar(&debug, "debug", false, "Enable debug mode.") + flag.BoolVar(&test, "test", false, "Enable test mode.") } func Configure() { 
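Review bot: The new `enforce-test` and `complain-test` recipes in the Justfile hunk lack the `[group('build')]` attribute that the neighbouring `complain` and `fsp` recipes carry, so they will not be listed with the build group. Add `[group('build')]` on the line above each of the two new recipe headers. `enforce-test` also passes `--test` without `--complain`; whether the prebuild binary honours `--test` on that path should be checked against the `Configure` change in cli.go.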
@@ -118,6 +121,9 @@ func Configure() { if debug { builder.Register("debug") } + if test { + prebuild.Test = true + } } else if enforce { builder.Register("enforce") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index b6ec56816..ac632471b 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -43,6 +43,10 @@ func filterRuleForUs(opt *Option) bool { return true } + if prebuild.Test && slices.Contains(opt.ArgList, "test") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 201d8c841..486a45d14 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -19,6 +19,9 @@ var ( // Either or not RBAC is enabled RBAC = false + // Either or not we are in test mode + Test = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From 4609595c26bcf1e129f885186784922762f73f5f Mon Sep 17 00:00:00 2001 
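Review bot: `prebuild.Test = true` is assigned only inside the branch that precedes `} else if enforce {`, so a run with `--test` that does not satisfy that branch's condition — which is what the new `enforce-test` recipe does, passing `--buildir ... --test` with no `--complain` — never enables test mode, and the `#aa:only test` rules are silently dropped from the enforce build. The condition that opens the branch is outside the hunk, so this is inferred from the `else if enforce` that follows it; if it holds, hoist the check out of the chain, `if test { prebuild.Test = true }` placed before the `if ... {} else if enforce {` ladder in `Configure`. Since `filterRuleForUs` in filter.go now keeps any rule tagged `test` whenever `prebuild.Test` is set, a log line at the point where test mode is turned on would make it visible in build output that the resulting profiles are not a release build.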
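Review bot: The comment on the new package-level `Test` variable, `// Either or not we are in test mode`, copies the wording of the `RBAC` comment above it but does not say what the flag changes. Suggest `// Test enables test mode: rules tagged "#aa:only test" are kept in the built profiles (set by --test; must stay false for release builds).`, which matches what `filterRuleForUs` in filter.go does with it in this same commit.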
From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:34:04 +0200 Subject: [PATCH 164/184] refractor(abs): common/apt -> apt. --- apparmor.d/abstractions/{common => }/apt | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-cache | 2 +- apparmor.d/groups/apt/apt-cdrom | 2 +- apparmor.d/groups/apt/apt-config | 2 +- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/apt-file | 2 +- apparmor.d/groups/apt/apt-forktracer | 2 +- apparmor.d/groups/apt/apt-helper | 2 +- apparmor.d/groups/apt/apt-mark | 2 +- apparmor.d/groups/apt/apt-show-versions | 2 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debtags | 2 +- apparmor.d/groups/apt/dpkg-checkbuilddeps | 2 +- apparmor.d/groups/apt/dpkg-db-backup | 2 +- apparmor.d/groups/apt/dpkg-maintscript-helper | 2 +- apparmor.d/groups/apt/querybts | 6 +++--- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/apt/update-apt-xapian-index | 2 +- apparmor.d/groups/grub/grub-sort-version | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/apt-esm-hook | 2 +- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 +- apparmor.d/groups/ubuntu/apt_news | 2 +- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- apparmor.d/groups/ubuntu/list-oem-metapackages | 2 +- apparmor.d/groups/ubuntu/package-data-downloader | 2 +- apparmor.d/groups/ubuntu/software-properties-dbus | 2 +- apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/ubuntu/update-motd-updates-available | 2 +- 
apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pycompile | 4 ++-- 43 files changed, 46 insertions(+), 46 deletions(-) rename apparmor.d/abstractions/{common => }/apt (95%) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/apt similarity index 95% rename from apparmor.d/abstractions/common/apt rename to apparmor.d/abstractions/apt index bec8d9a20..2802ac2a8 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,6 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index ade8bee61..8581fe724 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 1251fe449..afd34f7e5 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a99b964c7..0ce146261 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 505a4b037..834bcbd8c 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config 
@@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index beb563f31..6fbfad65b 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index bc140acd1..6551f21a7 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 2fbb5d95b..3eec09d60 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index f16e98d2f..18b6d7241 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 4af469c30..c174267f5 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, 
diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 16dc584b3..514b952ff 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include - include + include include include diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 9254be27d..b3f411c84 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index b42649d7c..6d09e34c0 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -12,7 +12,7 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 3e3fd2ab9..53e5964bd 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include + include include - include include #capability sys_tty_config, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 712a74e8c..297a45f84 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include + include include - include @{exec_path} r, 
diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup index d83bdbb45..8e99e70c5 100644 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/dpkg/dpkg-db-backup profile dpkg-db-backup @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index dfb881e32..aa9232c73 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -21,8 +21,8 @@ profile dpkg-maintscript-helper @{exec_path} { profile dpkg { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 2a2063d8e..87967d164 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include + include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a814eaaa9..a6584a23d 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 36e299a0c..c48286299 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index ebdc88d08..d2da77bc3 100644 
--- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,11 +10,11 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include include include include include - include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 1fb667fae..f7b94d68d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,10 +9,10 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include include - include include include diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index f829ab3ff..6ea4f19fb 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include - include include @{exec_path} r, diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 5e65fe835..6ece8a60b 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 93c70329e..2ebc6a5fa 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include + include #aa:only apt include include include 
@@ -18,7 +19,6 @@ profile kded @{exec_path} { include include include - include #aa:only apt include include include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 2fa7bb92a..255dc551a 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -9,7 +9,7 @@ include @{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index d7480a212..b6815adea 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,12 +9,12 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include + include include include include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index a04fc771d..2555d0373 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2edc09970..e8f03807d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 9734803e4..91c8b29cc 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news 
@@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 65a19e0e0..d0e5c8f1e 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 2d3eebbc2..e9c4c9ab3 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index d5ad6e06c..c85fb9966 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 91bc4876f..5e4b09ce3 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -9,8 +9,8 @@ include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include + include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 37f7f72a5..1703d27cd 100644 
--- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index cc7387709..72e016573 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index cd858737b..5111a0278 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -16,7 +17,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index ea9742d4c..4ede61bc8 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 34284388e..d242ae0d6 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -18,7 +19,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 88967baf8..09775cb6f 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4c60b4aaf..70d980713 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include + include include include include @@ -16,7 +17,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 19f6a515e..e5b54c34e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include + include #aa:only apt include include include include - include #aa:only apt include include diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index c308dcd91..105264ec2 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile 
@@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include - include + include include include @@ -32,8 +32,8 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { profile dpkg { include + include include - include capability dac_read_search, From ff21c9157c4608f49f6aa7b12665fd02d0a3922b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:34:32 +0200 Subject: [PATCH 165/184] tests(profile): add common autopkgtest paths. --- apparmor.d/abstractions/apt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/apt index 2802ac2a8..25106ad6e 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,9 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists # vim:syntax=apparmor From bf3b8345fccd475b09da20ded1a9be6e32bd731a Mon Sep 17 00:00:00 2001 
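Review bot: `/tmp/autopkgtest.@{rand6}/** rwk,` uses a literal `/tmp/` and no `owner` qualifier, while the neighbouring rules in this abstraction are written as `owner @{tmp}/...`. The literal path bypasses the `@{tmp}` variable the rest of the file relies on, and dropping `owner` grants read, write and lock on any user's autopkgtest tree rather than the caller's own. Unless autopkgtest runs the apt tools under a different uid than the one owning the tree (worth confirming), write it as `owner @{tmp}/autopkgtest.@{rand6}/** rwk,`. The rule is gated by `#aa:only test` and so is only compiled in when prebuild runs with `--test`; saying so in the commit message would stop it being mistaken for a production grant.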
From: Alexandre Pujol Date: Sun, 14 Sep 2025 16:26:28 +0200 Subject: [PATCH 166/184] refractor(abs): move gtk bus interfaces. --- .../bus/session/org.gtk.MountOperationHandler | 14 ++++++++++++++ .../org.gtk.Private.RemoteVolumeMonitor | 2 +- .../bus/{ => session}/org.gtk.vfs.Daemon | 6 ++++-- .../bus/{ => session}/org.gtk.vfs.Metadata | 6 +++--- .../bus/session/org.gtk.vfs.MountOperation | 2 +- .../bus/{ => session}/org.gtk.vfs.MountTracker | 14 ++++++++------ .../abstractions/bus/session/org.gtk.vfs.Spawner | 14 ++++++++++++++ 7 files changed, 45 insertions(+), 13 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Private.RemoteVolumeMonitor (91%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.Daemon (72%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.Metadata (80%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.MountTracker (89%) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler new file mode 100644 index 000000000..3fce0d719 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/MountOperationHandler + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor similarity index 91% rename from apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor index 9060c8c15..b8160dcb2 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor @@ -19,6 +19,6 @@ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon similarity index 72% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Daemon rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon index 93ad35fe5..edf954ac5 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon @@ -1,7 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Each daemon (main and for mounts) implement this. + abi , dbus send bus=session path=/org/gtk/vfs/Daemon @@ -14,6 +16,6 @@ member=GetConnection peer=(name=@{busname}), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata similarity index 80% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Metadata rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata index ce6e60082..9f1a77daf 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata 
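Review bot: The header comment added to org.gtk.vfs.Daemon, `# Each daemon (main and for mounts) implement this.`, should read `# Each gvfs daemon (the main one and the per-mount ones) implements this interface.` Because the `GetConnection` send rule in this file targets `peer=(name=@{busname})` with no label, a second sentence noting that the peer label is deliberately left open because any of those daemons may answer would help the next reader — confirm that this is the actual reason before writing it.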
@@ -13,13 +13,13 @@ dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member={Set,Move,GetTreeFromDevice,Remove} - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=AttributeChanged - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation index ff8c928f8..54dfc837f 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -6,7 +6,7 @@ dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} interface=org.gtk.vfs.MountOperation - member={AskQuestion,AskPassword} + member={AskPassword,AskQuestion} peer=(name=@{busname}, label=gvfsd-*), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker similarity index 89% rename from apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index c455d4f18..107c3dc13 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -2,12 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# The mount tracking interface. - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name="@{busname}", label=gvfsd), + abi , dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker 
@@ -19,11 +16,16 @@
 member=ListMounts2
 peer=(name="@{busname}", label=gvfsd),
+ dbus send bus=session path=/org/gtk/vfs/mounttracker
+ interface=org.gtk.vfs.MountTracker
+ member=ListMountableInfo
+ peer=(name="@{busname}", label=gvfsd),
+
 dbus receive bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 member={Mounted,Unmounted}
 peer=(name="@{busname}", label=gvfsd),
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner
new file mode 100644
index 000000000..71c0dd157
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
+ interface=org.gtk.vfs.Spawner
+ member=Spawned
+ peer=(name=@{busname}, label=gvfsd),
+
+ include if exists
+
+# vim:syntax=apparmor
From 5cae18e064f6f3a7eb47b9553af322c781fbb068 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 16:45:54 +0200
Subject: [PATCH 167/184] feat(abs): add the gtk-strict abstraction.
---
 apparmor.d/abstractions/desktop | 2 +-
 apparmor.d/abstractions/gnome-strict | 2 +-
 apparmor.d/abstractions/gnome.d/complete | 2 +-
 apparmor.d/abstractions/kde-strict | 2 +-
 apparmor.d/abstractions/lxqt | 2 +-
 apparmor.d/abstractions/xfce | 2 +-
 apparmor.d/groups/apt/debconf-frontend | 2 +-
 apparmor.d/groups/kde/gmenudbusmenuproxy | 1 -
 apparmor.d/groups/kde/kcminit | 1 -
 apparmor.d/groups/kde/kconf_update | 1 -
 apparmor.d/groups/kde/kded | 1 -
 apparmor.d/groups/kde/kwalletd | 1 -
 apparmor.d/profiles-m-r/obconf | 2 +-
 13 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index 3bfbcc887..316e7374e 100644
--- a/apparmor.d/abstractions/desktop
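Review bot: The `ListMountableInfo` block added in this org.gtk.vfs.MountTracker hunk keeps the quoted form `peer=(name="@{busname}", label=gvfsd),`, while the same patch switches org.gtk.vfs.Metadata to the unquoted `peer=(name=@{busname}, label=gvfsd-metadata),` and the new org.gtk.vfs.Spawner file also uses the unquoted form. Since the block is being moved anyway, `+ peer=(name=@{busname}, label=gvfsd),` would keep the series consistent; the two context rules above and below it still use quotes and could follow in a separate cleanup. The header of this file also still reads `# Copyright (C) 2023-2024 Alexandre Pujol` although the other renamed abstractions in this patch were bumped to 2025.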
+++ b/apparmor.d/abstractions/desktop @@ -12,7 +12,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 4d2d390ee..a3afccb76 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3dece8578..3d4b47f9f 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index b448c542d..f00594038 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index f20c24a32..ba7347d8c 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 3046c8f6d..eaf50f6d0 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 6e80839fe..0a7706fe1 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -14,7 +14,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { include include include - include + include capability dac_read_search, 
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index b30e39cdc..f63a83295 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -13,7 +13,6 @@ profile gmenudbusmenuproxy @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 4f8b10a32..59f60c285 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -11,7 +11,6 @@ profile kcminit @{exec_path} { include include include - include include #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index ee42fef98..6a01748fd 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -12,7 +12,6 @@ profile kconf_update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2ebc6a5fa..ec5a1ee36 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -23,7 +23,6 @@ profile kded @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index de175635a..baaad7dcb 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -17,7 +17,6 @@ profile kwalletd @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 7b11aaac5..d283466f5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include From 784ced0da32c3b380b01336f72a20c36de431c6e Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:08:44 +0200 Subject: [PATCH 168/184] feat(abs): reorganise the gtk/gvfs abs. --- .../abstractions/bus/session/org.gtk.vfs.Mountable | 14 ++++++++++++++ .../abstractions/bus/session/org.gtk.vfs.Spawner | 2 +- apparmor.d/abstractions/common/gnome | 1 - apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-dconf | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 1 - apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-x11 | 1 - apparmor.d/groups/flatpak/flatpak | 1 - .../groups/freedesktop/xdg-desktop-portal-gtk | 1 - .../xdg-desktop-portal-rewrite-launchers | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/deja-dup-monitor | 6 +++--- .../groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-alarm-notify | 1 - apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gio-launch-desktop | 3 +-- apparmor.d/groups/gnome/gnome-calendar | 1 - apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-clocks | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - .../groups/gnome/gnome-control-center-goa-helper | 1 - .../gnome/gnome-control-center-search-provider | 1 - apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 7 +++---- apparmor.d/groups/gnome/gnome-extension-gsconnect | 8 ++++---- apparmor.d/groups/gnome/gnome-initial-setup | 1 - apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/gnome-system-monitor | 5 ++--- apparmor.d/groups/gnome/gnome-terminal-server | 1 - apparmor.d/groups/gnome/goa-daemon | 1 - apparmor.d/groups/gnome/goa-identity-service | 2 +- apparmor.d/groups/gnome/gsd-color | 1 - apparmor.d/groups/gnome/gsd-housekeeping | 1 - 
apparmor.d/groups/gnome/gsd-keyboard | 1 - apparmor.d/groups/gnome/gsd-media-keys | 3 +-- apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/groups/gnome/gsd-wacom | 1 - apparmor.d/groups/gnome/localsearch | 5 ++--- apparmor.d/groups/gnome/mutter-x11-frames | 1 - apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/ptyxis | 1 - apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gnome/seahorse | 1 - apparmor.d/groups/gnome/tracker-extract | 5 ++--- apparmor.d/groups/gnome/tracker-miner | 5 ++--- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/groups/ubuntu/check-new-release-gtk | 1 - apparmor.d/groups/ubuntu/livepatch-notification | 1 - apparmor.d/groups/ubuntu/software-properties-gtk | 1 - .../groups/ubuntu/ubuntu-advantage-notification | 1 - apparmor.d/groups/ubuntu/update-manager | 1 - apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/profiles-a-f/atril | 1 - apparmor.d/profiles-a-f/calibre | 1 - apparmor.d/profiles-a-f/engrampa | 3 +-- apparmor.d/profiles-a-f/file-roller | 2 -- apparmor.d/profiles-g-l/gimp | 1 + apparmor.d/profiles-g-l/libreoffice | 5 ++--- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 1 - apparmor.d/profiles-s-z/spotify | 1 - apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/terminator | 1 - apparmor.d/profiles-s-z/virt-manager | 2 ++ 68 files changed, 57 insertions(+), 88 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable new file mode 100644 index 000000000..603ef709b --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable 
@@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner index 71c0dd157..7090afe24 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index f0dd20f47..b9f36cf6c 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -10,7 +10,6 @@ include include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 3fdab031b..b326138d6 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 817d63175..bac225ebc 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,7 +11,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index e900fc3f5..8bdc3c79c 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple 
@@ -11,7 +11,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 34d881a8a..0973fce49 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -12,7 +12,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 5233f8603..b1f1445b3 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -10,7 +10,7 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 698eeedb6..cf7b40190 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -13,7 +13,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 4ef675aef..3fee701a8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -14,7 +14,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 9688df798..35199d859 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -18,7 +18,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 62adb343b..2fa8cc01f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index cf488af63..1b818267f 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -11,7 +11,6 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index a0fb366ab..59b3c5d40 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -13,9 +13,9 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index adf2aa264..1b9051a4a 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -13,7 +13,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 174cb323f..9f8c51a75 100644 
--- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -12,7 +12,6 @@ profile evolution-alarm-notify @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 2ee416bd9..87cce8fbc 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,8 +12,8 @@ profile evolution-calendar-factory @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 38122b7c0..0732646b5 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,7 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index eb76f1207..3652dd6e9 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -19,8 +19,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 872fc6858..2173e3d62 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,7 +14,6 @@ profile gnome-calendar @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ce936e52..b5ae5672a 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters 
@@ -12,7 +12,6 @@ profile gnome-characters @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index bdffedb72..92886c887 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -12,7 +12,6 @@ profile gnome-clocks @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b4128b1af..c27f32fec 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -16,7 +16,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 21a326fe6..aeb59295f 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -14,7 +14,6 @@ profile gnome-control-center-goa-helper @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 51c8f5107..6d24e72c1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -11,7 +11,6 @@ profile gnome-control-center-search-provider @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 519a248d8..55d49e250 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter 
@@ -13,7 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 400b28b6e..f56af9f67 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -21,10 +21,9 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include - include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7af7b8b2f..8ac7830cc 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,10 +21,10 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include - include - include - include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 40b8bc9b5..7f4b818e3 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -15,7 +15,6 @@ profile gnome-initial-setup @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d8853aa3b..55e95d006 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -29,7 +29,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 247436318..0b1602fbb 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
@@ -13,7 +13,6 @@ profile gnome-software @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8bcb629a9..152b28ff7 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -10,9 +10,8 @@ include profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index cda4568c1..7a9bad4da 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -14,7 +14,6 @@ profile gnome-terminal-server @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 8176d6c7c..b7c138285 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,7 +12,6 @@ profile goa-daemon @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 3992811c2..4509a6159 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1b12a68cd..a0b3fac6b 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -16,7 +16,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include include include include 
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35714fa0b..8d8b9fc1b 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -12,7 +12,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 80f19f93a..f4f2830b8 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -16,7 +16,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 32869cdbc..9f6f70fbc 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -18,8 +18,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index f3be82dfd..a6165ddcf 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -22,7 +22,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 484dda29d..50da29b5f 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -14,7 +14,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 66420cace..ea1566757 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch 
@@ -11,9 +11,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 92e619e5c..f50bdbd9b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -13,7 +13,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index a91a154a7..07abe1c08 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -18,7 +18,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index ac47b5460..3195d7f03 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 2735e0c5d..6418193a6 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -10,7 +10,7 @@ include profile ptyxis-agent @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 96b60ab72..090a9cbe7 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -15,7 +15,6 @@ profile seahorse @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 3f9f49281..e200ecb42 100644 
--- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -10,9 +10,8 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e7cdc1a38..85b7b0d53 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,9 +11,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index b6815adea..0cd509473 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -14,7 +14,6 @@ profile apport-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index d0e5c8f1e..5df19d897 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -13,7 +13,6 @@ profile check-new-release-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 4d5ecb46a..e003054a5 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -12,7 +12,6 @@ profile livepatch-notification @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 5111a0278..2f6398f1e 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -16,7 +16,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index bf3d4c6c0..093fdbed7 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -12,7 +12,6 @@ profile ubuntu-advantage-notification @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d242ae0d6..a874ca346 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -18,7 +18,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 70d980713..f66345b67 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -15,7 +15,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 284c35911..c95f6be55 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -13,7 +13,6 @@ profile atril @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index bba3dfedb..60843b0a6 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -16,7 +16,6 @@ profile calibre @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index c302ff400..8137edd8d 100644 --- a/apparmor.d/profiles-a-f/engrampa 
+++ b/apparmor.d/profiles-a-f/engrampa @@ -13,8 +13,7 @@ profile engrampa @{exec_path} { include include include - include - include + include include include include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 5ec394807..3d13b813f 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 67b625d62..ad324e153 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,6 +11,7 @@ profile gimp @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 63f348f9b..bc6516fc2 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -18,9 +18,8 @@ profile libreoffice @{exec_path} { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 90db69a13..b8b361e12 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,7 @@ profile remmina @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 158ea6a7f..18e3fc248 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -18,7 +18,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 8917fa3a2..f3c4acf4f 100644 --- a/apparmor.d/profiles-s-z/spotify 
+++ b/apparmor.d/profiles-s-z/spotify @@ -24,7 +24,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index ee8ee627b..a7adf91fa 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -23,7 +23,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 59c78396d..e9baf97e1 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -13,7 +13,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index f820d2953..9802ecd5a 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -16,6 +16,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include From 1fba94a197d93e9032a4f99dbe46eca3afaba671 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:14:30 +0200 Subject: [PATCH 169/184] feat(profile): update gvfs services to the abs changes. --- .../groups/gvfs/gvfs-afc-volume-monitor | 2 +- .../groups/gvfs/gvfs-goa-volume-monitor | 4 +-- .../groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +- .../groups/gvfs/gvfs-mtp-volume-monitor | 2 +- .../groups/gvfs/gvfs-udisks2-volume-monitor | 4 +-- apparmor.d/groups/gvfs/gvfsd | 8 +++-- apparmor.d/groups/gvfs/gvfsd-admin | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afc | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afp | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afp-browse | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-archive | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-burn | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-cdda | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-computer | 9 ++++++ apparmor.d/groups/gvfs/gvfsd-dav | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-dnssd | 26 +++-------------- apparmor.d/groups/gvfs/gvfsd-ftp | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-fuse | 16 ++++------ apparmor.d/groups/gvfs/gvfsd-google | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-gphoto2 | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-http | 24 +++++---------- apparmor.d/groups/gvfs/gvfsd-localtest | 3 ++ apparmor.d/groups/gvfs/gvfsd-metadata | 6 +++- apparmor.d/groups/gvfs/gvfsd-mtp | 16 ++++++++-- apparmor.d/groups/gvfs/gvfsd-network | 26 +++-------------- apparmor.d/groups/gvfs/gvfsd-nfs | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-recent | 19 +++--------- apparmor.d/groups/gvfs/gvfsd-sftp | 29 ++++++------------- apparmor.d/groups/gvfs/gvfsd-smb | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-smb-browse | 18 +++++------- apparmor.d/groups/gvfs/gvfsd-trash | 22 ++++---------- apparmor.d/groups/gvfs/gvfsd-wsdd | 24 +++------------ 32 files changed, 237 insertions(+), 166 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 7f50d8b45..32136d710 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor 
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -17,7 +17,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index 3f2fb0138..017a66e84 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -17,12 +17,12 @@ profile gvfs-goa-volume-monitor @{exec_path} {
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects
- peer=(name=:*, label=goa-daemon),
+ peer=(name=@{busname}, label=goa-daemon),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index dd03254b1..ece97e688 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -21,7 +21,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index 6fbbc6092..fd3b38012 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -20,7 +20,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} {
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 4ed214b71..80f7f86a9 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -12,7 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 include include include
- include
+ include
 include include include
@@ -35,7 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index c124c5855..e3e3edfae 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -18,20 +18,22 @@ profile gvfsd @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker + # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), + # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 44248cbe3..5a1fd1c82 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-admin @{exec_path} { capability fowner, capability setuid, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, #aa:lint ignore=too-wide diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index 68d4b689e..da231f469 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc 
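Review bot: The block added to gvfsd-admin here — four includes, the `#aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd` directive and the `dbus receive … member=Introspect peer=(name=@{busname}, label=gnome-shell),` rule — is repeated verbatim in every backend profile of this commit (gvfsd-afc, -afp, -afp-browse, -archive, -burn, -cdda, -computer, -dav, -ftp, -google, -gphoto2, -mtp, -nfs, -smb, -sftp and the others below). That is exactly the kind of shared block this repository already factors into an abstraction; a single `include` of a gvfs-backend abstraction would keep the twenty-odd profiles in step the next time the MountTracker or Introspect rule changes. The include paths themselves are not visible on this page, so whether one of them already plays that role cannot be checked here. gvfsd-admin's profile body continues outside the hunk.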
@@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index eeaaec059..db6fe5a48 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index 48680f12f..a39e25785 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 918841320..68b1e7765 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive 
@@ -10,9 +10,20 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include + include + include + include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index b70fa7110..09062241a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 0648f5dc0..356f8dcd3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 6eebca738..667b448c4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer 
@@ -11,9 +11,18 @@ include profile gvfsd-computer @{exec_path} { include include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 77e1a2f6f..b335724cb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include + include + include + include + include include include include @@ -24,6 +28,13 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index a4eb42821..aad9de3a0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd 
@@ -12,32 +12,14 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include + include + include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 5b7c833a5..3b36fc4f1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include + include + include + include + include include include include @@ -20,6 +24,13 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 4741b0f31..f67068f49 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse 
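Review bot: The removed `dbus send … interface=org.gtk.vfs.MountTracker member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd),` rule in gvfsd-dnssd was scoped to three members, while its replacement `#aa:dbus talk … name=org.gtk.vfs.MountTracker … label=gvfsd` appears to grant the whole interface in both directions; if the talk directive expands that way, this is a policy widening rather than a pure refactor and deserves a sentence in the commit message or a `# …` comment next to the directive saying that interface-wide access is intended. The same swap is made in gvfsd-network (same three members), gvfsd-recent, gvfsd-trash and gvfsd-wsdd (RegisterMount only), gvfsd-fuse (RegisterFuse only) and gvfsd-http (RegisterMount only). The Mountable and Spawner rules dropped here presumably move into the new includes, whose paths are not visible on this page, so that part of the change cannot be verified from the hunk.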
@@ -11,7 +11,9 @@ include profile gvfsd-fuse @{exec_path} { include include - include + include + include + include include capability sys_admin, @@ -20,21 +22,13 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterFuse - peer=(name=@{busname}, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-sftp), - @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index eb80f3a7a..819e84c39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 688f03c27..0544000c0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 
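Review bot: The Introspect rule in gvfsd-fuse loses its `path=/` qualifier (`- dbus receive bus=session path=/` becomes `+ dbus receive bus=session`), so gnome-shell may now introspect every object path the daemon exports rather than the root only. That brings gvfsd-fuse in line with the path-less form used in the other backends, but it is a relaxation the commit message does not mention; if the root-only form was deliberate, keep `path=/`, otherwise a short comment such as `# Introspection of all paths is needed by gnome-shell` would record the intent. The removed `dbus send … interface=org.gtk.vfs.Daemon member=GetConnection peer=(name=@{busname}, label=gvfsd-sftp),` rule has no visible replacement in the hunk; it is presumably covered by one of the new includes, whose names this page does not show.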
@@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index f51ef2afe..2678bde40 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,9 +11,11 @@ include profile gvfsd-http @{exec_path} { include include - include + include + include + include include - include + # include include include include @@ -25,25 +27,15 @@ profile gvfsd-http @{exec_path} { network netlink raw, unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=gnome-extension-gsconnect), #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index 5ffbabb40..d1af3c60c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest 
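Review bot: The include block of gvfsd-http now carries a commented-out directive (`- include` replaced by `+ # include`) that appears to have no explanation of why it is disabled or when it can be re-enabled (the include path and any trailing text are not visible on this page). A dead include in a policy file is easy to misread as active on a quick scan; either drop the line or annotate it, e.g. `# include <PATH>  # TODO: re-enable once <REASON>`, with the placeholders filled in. The added `unix type=stream peer=(label=gnome-extension-gsconnect),` rule is unrelated to the abstraction migration this commit describes and would be easier to bisect and review as its own change.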
@@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include + include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index f6f3820bb..8565856d9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,6 +11,9 @@ include profile gvfsd-metadata @{exec_path} { include include + include + include + include include network netlink raw, @@ -18,11 +21,12 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 3c747b8b3..8d5ad78c5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include + include + include + include + include include include include @@ -19,10 +23,18 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - owner @{HOME}/{,**} rw, # FIXME: ? - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 46f543fa4..7874686bc 100644 
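Review bot: In gvfsd-mtp the `# FIXME: ?` marker is removed from the home-directory rule, but the replacement `owner @{HOME}/** rw,` is as broad as the `owner @{HOME}/{,**} rw,` it replaces — the MTP backend still gets owner read/write over the whole home tree, so the open question the FIXME flagged is dropped without being answered. If that breadth is required for copying files to and from devices, a comment saying so would stop the next reader from re-adding the FIXME; if not, narrowing to the paths the backend actually touches is the real fix. The mounts rule also changes from `owner @{MOUNTS}/{,**} rw,` to `owner @{MOUNTS}/** rw,`, which drops access to the `@{MOUNTS}/` directory itself; if that was not intended, `owner @{MOUNTS}/ r,` restores it in the same style as the new `owner @{HOME}/ r,` line.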
--- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,38 +11,20 @@ include profile gvfsd-network @{exec_path} { include include - include - include + include + include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index 575d9de39..aae859d73 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -10,12 +10,23 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include + include + include + include + include include network inet stream, network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists 
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 1219c8cbd..ca59d75cd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,27 +11,16 @@ include profile gvfsd-recent @{exec_path} { include include - include - include + include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 1019a1525..862ef88aa 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp 
@@ -11,32 +11,21 @@ include profile gvfsd-sftp @{exec_path} { include include - include + include + include + include include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.{M,m}ountTracker label=gvfsd + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=@{busname}, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=@{busname}, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} - interface=org.gtk.vfs.MountOperation - member={AskQuestion,AskPassword} - peer=(name=@{busname}), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 24891e9c3..9d99a43af 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index a90cddc50..66099563e 100644 
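Review bot: gvfsd-sftp drops `dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} interface=org.gtk.vfs.MountOperation member={AskQuestion,AskPassword} peer=(name=@{busname}),` and the `dbus receive … interface=org.gtk.vfs.Daemon member=GetConnection peer=(name=@{busname}),` rule with no replacement visible in the hunk. If neither is covered by one of the new includes (their paths are not shown on this page), the AskQuestion/AskPassword mount-operation prompts will be denied and sftp mounts that need credentials will fail silently under enforce mode; worth confirming with such a mount before merging. Both removed rules had no `label=` constraint on the peer, so wherever they are re-added, pinning the peer label would be an improvement over the old form.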
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,7 +11,9 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include + include + include + include include include include @@ -23,16 +25,12 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index e13f870c7..070c41a84 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,7 +11,9 @@ include profile gvfsd-trash @{exec_path} { include include - include + include + include + include include include include 
@@ -21,26 +23,12 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 7f4c20718..4ea39c7d0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd 
@@ -11,32 +11,16 @@ profile gvfsd-wsdd @{exec_path} { include include include - include - include + include + include + include include network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-network), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From 14ec69cd150a8926d52c5e9495edb46e37923c5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:38:02 +0200 Subject: [PATCH 170/184] profile(abs): rewrite the way we manage accessibility - Add some missing dbus access - Split bus access in abstractions - Use trough the new accessibility abs. --- apparmor.d/abstractions/accessibility | 15 +++++ .../abstractions/bus/accessibility/org.a11y | 65 +++++++++++++++++++ apparmor.d/abstractions/bus/org.a11y | 63 ------------------ apparmor.d/abstractions/bus/session/org.a11y | 29 +++++++++ 4 files changed, 109 insertions(+), 63 deletions(-) create mode 100644 apparmor.d/abstractions/accessibility create mode 100644 apparmor.d/abstractions/bus/accessibility/org.a11y delete mode 100644 apparmor.d/abstractions/bus/org.a11y create mode 100644 apparmor.d/abstractions/bus/session/org.a11y 
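Review bot: The removed `dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection peer=(name=@{busname}, label=gvfsd-network)` rule has no counterpart on the new side of this hunk, unlike the Mountable, Spawner and MountTracker rules that the talk directive and the new includes plausibly cover. Unless one of the three added includes carries that access, gvfsd-wsdd will be denied the GetConnection call from gvfsd-network once the profile is enforced. Either re-add the rule or note in a comment which include now provides it, e.g. `# org.gtk.vfs.Daemon GetConnection from gvfsd-network: see included abstraction`.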
diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility
new file mode 100644
index 000000000..5bd8c98e7
--- /dev/null
+++ b/apparmor.d/abstractions/accessibility
@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow communication with Assistive Technology Service Provider Interface (AT-SPI
+
+ abi ,
+
+ include
+ include
+ include
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y
new file mode 100644
index 000000000..0145fc494
--- /dev/null
+++ b/apparmor.d/abstractions/bus/accessibility/org.a11y
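Review bot: The header comment of the new `abstractions/accessibility` file says only that it allows AT-SPI communication, but this is the entry point every desktop profile will include, and the bus abstraction it pulls in states that org.a11y.atspi is not designed for application isolation. That caveat belongs at the top level as well, so a profile author sees it at the point of inclusion rather than only in the nested bus file. Suggested addition under the description line: `# Note: the accessibility bus is not designed for application isolation; the rules it brings in can be used to send change events for other processes.`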
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ # Allow the accessibility services in the user session to send us any events
+
+ dbus receive bus=accessibility
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ # Allow querying for capabilities and registering
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Socket
+ member=Embed
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=GetRegisteredEvents
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member={GetKeystrokeListeners,GetDeviceEventListeners}
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member=NotifyListenersSync
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ # org.a11y.atspi is not designed for application isolation and these rules
+ # can be used to send change events for other processes.
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Event.Object
+ member=ChildrenChanged
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Accessible
+ member=Get*
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+ interface=org.a11y.atspi.Event.Object
+ member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/cache
+ interface=org.a11y.atspi.Cache
+ member={AddAccessible,RemoveAccessible}
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y
deleted file mode 100644
index c99f5f8bd..000000000
--- a/apparmor.d/abstractions/bus/org.a11y
+++ /dev/null
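Review bot: The first rule of this new file, `dbus receive bus=accessibility peer=(label="@{p_at_spi2_registryd}")`, carries no path, interface or member, and the `member=Get*` wildcard on `org.a11y.atspi.Accessible` is similarly open; both are wider than the targeted `EventListenerDeregistered` and `Properties member=Set` receives in the deleted `bus/org.a11y`. Given the file's own note that org.a11y.atspi is not an isolation boundary, the unrestricted receive is presumably deliberate, but a comment should say so, e.g. `# Unrestricted on purpose: the registry sends arbitrary paths/interfaces as events`, so a later reader does not tighten it and break AT-SPI clients. If the wildcard was only meant to cover the accessor methods actually observed, listing them in a brace set would keep the grant auditable.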
@@ -1,63 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- # Accessibility bus
-
- dbus receive bus=accessibility path=/org/a11y/atspi/registry
- interface=org.a11y.atspi.Registry
- member=EventListenerDeregistered
- peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/registry
- interface=org.a11y.atspi.Registry
- member=GetRegisteredEvents
- peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
- interface=org.a11y.atspi.DeviceEventController
- member={GetKeystrokeListeners,GetDeviceEventListeners}
- peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
- dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
- interface=org.freedesktop.DBus.Properties
- member=Set
- peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
- interface=org.a11y.atspi.Socket
- member=Embed
- peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
- interface=org.a11y.atspi.Socket
- member=Embed
- peer=(name=org.a11y.atspi.Registry),
-
- # Session bus
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.a11y.Bus
- member=Get
- peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.a11y.Bus
- member=GetAddress
- peer=(name=org.a11y.Bus),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y
new file mode 100644
index 000000000..8f517fe99
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.a11y
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/a11y/bus
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
+
+ dbus send bus=session path=/org/a11y/bus
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+ dbus send bus=session path=/org/a11y/bus
+ interface=org.a11y.Bus
+ member=Get
+ peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+ dbus send bus=session path=/org/a11y/bus
+ interface=org.a11y.Bus
+ member=GetAddress
+ peer=(name=org.a11y.Bus),
+
+ include if exists
+
+# vim:syntax=apparmor
From af6fbd2bfdf5a7d158a08f159c534867f5ccc1d2 Mon Sep 17 00:00:00 2001
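Review bot: The `member=GetAddress` rule in the new `bus/session/org.a11y` ends with `peer=(name=org.a11y.Bus)` and no `label=`, while the three rules above it pin the peer to `label="@{p_dbus_accessibility}"`. The rule is carried over unchanged from the deleted `bus/org.a11y`, so this is not a regression, but splitting the file is the moment to either add the label for consistency or record why it is left open, e.g. `# no label: GetAddress is also answered before dbus-accessibility is confined — confirm`. Without that note a reader cannot tell whether the looser peer match is intentional.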
From: Alexandre Pujol Date: Sun, 14 Sep 2025 19:15:43 +0200 Subject: [PATCH 171/184] feat(profile): set accessibility use. --- apparmor.d/abstractions/accessibility | 2 +- apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/app/open | 4 +--- apparmor.d/abstractions/common/app | 2 -- apparmor.d/abstractions/common/gnome | 2 -- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/lxqt | 3 ++- apparmor.d/abstractions/xfce | 1 + apparmor.d/groups/bluetooth/blueman | 1 - apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 -- apparmor.d/groups/bus/ibus-x11 | 2 -- apparmor.d/groups/flatpak/flatpak | 2 -- .../groups/freedesktop/polkit-gnome-authentication-agent | 1 - .../groups/freedesktop/polkit-kde-authentication-agent | 2 -- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 -- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 -- apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/evolution-alarm-notify | 2 -- apparmor.d/groups/gnome/gnome-control-center | 2 -- apparmor.d/groups/gnome/gnome-control-center-goa-helper | 2 -- .../groups/gnome/gnome-control-center-print-renderer | 2 -- apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 -- apparmor.d/groups/gnome/gnome-extension-ding | 2 -- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 -- apparmor.d/groups/gnome/gnome-initial-setup | 2 -- apparmor.d/groups/gnome/gnome-session-binary | 2 -- apparmor.d/groups/gnome/gnome-shell | 3 --- apparmor.d/groups/gnome/gnome-terminal-server | 2 -- apparmor.d/groups/gnome/gsd-color | 2 -- apparmor.d/groups/gnome/gsd-keyboard | 2 -- apparmor.d/groups/gnome/gsd-media-keys | 2 -- apparmor.d/groups/gnome/gsd-power | 2 -- apparmor.d/groups/gnome/gsd-wacom | 2 -- apparmor.d/groups/gnome/gsd-xsettings | 2 -- apparmor.d/groups/gnome/loupe | 
2 -- apparmor.d/groups/gnome/mutter-x11-frames | 2 -- apparmor.d/groups/gnome/nautilus | 2 -- apparmor.d/groups/gnome/seahorse | 2 -- apparmor.d/groups/kde/DiscoverNotifier | 2 -- apparmor.d/groups/kde/baloorunner | 2 -- apparmor.d/groups/kde/gmenudbusmenuproxy | 2 -- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/kde-powerdevil | 2 -- apparmor.d/groups/kde/kded | 4 +--- apparmor.d/groups/kde/kglobalacceld | 2 -- apparmor.d/groups/kde/konsole | 2 -- apparmor.d/groups/kde/kscreen_backend_launcher | 2 -- apparmor.d/groups/kde/ksmserver | 1 - apparmor.d/groups/kde/ksmserver-logout-greeter | 2 -- apparmor.d/groups/kde/ksplashqml | 2 -- apparmor.d/groups/kde/kstart | 1 - apparmor.d/groups/kde/kwalletd | 2 -- apparmor.d/groups/kde/kwin_wayland | 2 -- apparmor.d/groups/kde/kwin_x11 | 1 - apparmor.d/groups/kde/plasmashell | 2 -- apparmor.d/groups/kde/systemsettings | 2 -- apparmor.d/groups/kde/xembedsniproxy | 2 -- apparmor.d/groups/lxqt/lxqt-globalkeysd | 1 - apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/network/mullvad-gui | 2 -- apparmor.d/groups/systemd/busctl | 2 -- apparmor.d/groups/ubuntu/apport-gtk | 2 -- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 -- apparmor.d/groups/ubuntu/livepatch-notification | 2 -- apparmor.d/groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/groups/ubuntu/ubuntu-advantage-notification | 2 -- apparmor.d/groups/ubuntu/update-manager | 2 -- apparmor.d/groups/ubuntu/update-notifier | 2 -- apparmor.d/groups/xfce/thunar | 1 - apparmor.d/groups/xfce/thunar-volman | 1 - apparmor.d/groups/xfce/xfce-clipman-settings | 1 - apparmor.d/groups/xfce/xfce-notifyd | 1 - apparmor.d/groups/xfce/xfce-panel | 1 - apparmor.d/groups/xfce/xfce-power-manager | 1 - apparmor.d/groups/xfce/xfce-screensaver | 1 - apparmor.d/groups/xfce/xfce-session | 1 - apparmor.d/groups/xfce/xfce-terminal | 1 - apparmor.d/groups/xfce/xfdesktop | 1 - apparmor.d/groups/xfce/xfsettingsd | 1 - 
apparmor.d/groups/xfce/xfwm | 1 - apparmor.d/profiles-a-f/alacarte | 2 -- apparmor.d/profiles-a-f/atril | 7 +------ apparmor.d/profiles-a-f/calibre | 2 -- apparmor.d/profiles-a-f/engrampa | 2 -- apparmor.d/profiles-a-f/evince | 2 -- apparmor.d/profiles-a-f/evince-previewer | 2 +- apparmor.d/profiles-g-l/kerneloops-applet | 2 -- apparmor.d/profiles-g-l/libreoffice | 2 -- apparmor.d/profiles-m-r/qbittorrent | 2 -- apparmor.d/profiles-m-r/remmina | 2 -- apparmor.d/profiles-m-r/rustdesk | 2 -- apparmor.d/profiles-s-z/YACReaderLibrary | 1 - apparmor.d/profiles-s-z/simple-scan | 2 -- apparmor.d/profiles-s-z/spice-vdagent | 2 -- apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/superproductivity | 2 -- apparmor.d/profiles-s-z/terminator | 2 -- apparmor.d/profiles-s-z/transmission | 2 -- apparmor.d/profiles-s-z/virt-manager | 2 -- apparmor.d/profiles-s-z/vlc | 3 --- apparmor.d/profiles-s-z/wireshark | 1 - 106 files changed, 14 insertions(+), 185 deletions(-) diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility index 5bd8c98e7..894ee467e 100644 --- a/apparmor.d/abstractions/accessibility +++ b/apparmor.d/abstractions/accessibility @@ -2,7 +2,7 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow communication with Assistive Technology Service Provider Interface (AT-SPI +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) abi , diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7630b8576..0648e68d1 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -22,7 +22,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 3d91de235..8dffc39b9 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open 
@@ -7,8 +7,8 @@ abi , + include include - include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -31,8 +31,6 @@ # if @{DE} == kde include - include - include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 091cfbbb4..28badc6db 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -14,10 +14,8 @@ include include - include include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index b9f36cf6c..6dcb26860 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,9 +6,7 @@ abi , - include include - include include include include diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 316e7374e..66742f02a 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,6 +9,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index a3afccb76..47efde306 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index f00594038..17952414c 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index ba7347d8c..8d83aefdc 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -4,8 +4,9 @@ abi , - include + include include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index eaf50f6d0..c7e464236 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce 
@@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 469fb24a0..08a553c1d 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,7 +11,6 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c254fcd2d..910ae0008 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -11,7 +11,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 0973fce49..2fa49e50f 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index cf7b40190..ce1c2b108 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,9 +10,7 @@ include profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 3fee701a8..341db555e 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include - include include include - include include include include 
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index f1ca0fd31..bb48d0c5b 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -13,7 +13,6 @@ include profile polkit-gnome-authentication-agent @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 5e7a75a8d..8a08f02d0 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index fafdea3a5..031f03ac4 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index b6c77f336..95daf2935 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 35199d859..d1ae86e15 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 1b818267f..feb1b9bd6 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 9f8c51a75..501685b22 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c27f32fec..9f78fb4fd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -11,10 +11,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index aeb59295f..8b813d260 100644 
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -10,10 +10,8 @@ include profile gnome-control-center-goa-helper @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 59679deb8..cbd1f1a75 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 55d49e250..d9959691b 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f56af9f67..9f848be8e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -13,11 +13,9 @@ include profile gnome-extension-ding @{exec_path} { include include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 8ac7830cc..2592eb77e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect 
@@ -13,10 +13,8 @@ include profile gnome-extension-gsconnect @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7f4b818e3..7439e0fb6 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f4c61c5c6..5359a70df 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 55e95d006..a82278a6c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -10,15 +10,12 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include include include include - include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 7a9bad4da..fe380dadd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,9 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a0b3fac6b..0acdbaf38 100644 --- a/apparmor.d/groups/gnome/gsd-color 
+++ b/apparmor.d/groups/gnome/gsd-color @@ -10,10 +10,8 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index f4f2830b8..b700a7df9 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,10 +10,8 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9f6f70fbc..3ca105656 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,10 +10,8 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a6165ddcf..d20ad65d0 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,11 +10,9 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 50da29b5f..0bb1d50d1 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -10,9 +10,7 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 7618dc3b6..84abb82e0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings 
@@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index cabcca062..ea55ee902 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index f50bdbd9b..d5c83a31b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -10,9 +10,7 @@ include profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 07abe1c08..d3906051c 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,11 +9,9 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 090a9cbe7..c34526ee1 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -10,10 +10,8 @@ include profile seahorse @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 0965396ab..b5e1b4ae8 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier 
@@ -10,10 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 64372f497..33660a776 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index f63a83295..dbca9fcf5 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 8258d1bde..1fdb4b920 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,9 +10,7 @@ include profile kaccess @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index ead285e5f..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,7 +11,6 @@ include profile kactivitymanagerd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index f40c86e03..7d6daeda6 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil 
@@ -11,10 +11,8 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ec5a1ee36..678c64e71 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -11,14 +11,12 @@ profile kded @{exec_path} { include include #aa:only apt include - include include include - include - include include include include + include include include include diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index b9c09d0c6..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include - include include - include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index fa55e177d..446d8a08d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -11,9 +11,7 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 00b4c9630..e44ee1f83 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index f4d54c295..09a228e29 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver 
@@ -11,7 +11,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e46237c2a..711da6e9d 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index ea80e28cd..770625988 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index fa0f88f75..04d084d0c 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index baaad7dcb..0a685d8e5 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,9 +11,7 @@ include profile kwalletd @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index e2e3ecfe0..224835ac2 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland 
@@ -10,10 +10,8 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index ac80b3b18..8cc233ff2 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index cc9907266..600d1be48 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,10 +11,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index a78225b67..9558a6528 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,9 +10,7 @@ include profile systemsettings @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 93259822e..5c36f579e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index 8729b1abb..a9a75aa90 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-globalkeysd profile lxqt-globalkeysd @{exec_path} { include - include include include 
diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 085b444b1..910ea7c5f 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -11,7 +11,6 @@ include profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 639d3ce4b..132e25e6d 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,9 +15,7 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include include - include include network inet stream, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 04ed76e72..eed7080f8 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0cd509473..6d90cadda 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -11,9 +11,7 @@ profile apport-gtk @{exec_path} { include include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 5df19d897..2b7b2b4ee 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,9 +10,7 @@ include profile check-new-release-gtk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index e003054a5..fb8eb259e 100644 
--- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 2f6398f1e..836adbb55 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -11,10 +11,8 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 093fdbed7..a44e226bc 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index a874ca346..873f06b67 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -11,10 +11,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index f66345b67..06e851b45 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,10 +11,8 @@ profile update-notifier @{exec_path} { include include include - include include include - include include include include 
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 2fcd83048..10096bce2 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar profile thunar @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index fc73a14c9..41e098548 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 9e74d8046..021a377b8 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include - include include include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index c594b8ed3..be813a84d 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,7 +10,6 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index b04ed2eb9..00c5d8700 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 91be9eede..11ccca455 100644 
--- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -10,7 +10,6 @@ include profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index 2c0f13bc1..e9e19cca5 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index beddcce1f..be0f5c73d 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -11,7 +11,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 8d2f06a75..0f8836326 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index ff36e8459..6bc5ec15c 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,7 +10,6 @@ include profile xfdesktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 22db3f80d..d3f88c196 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,7 +10,6 @@ include profile xfsettingsd @{exec_path} { include include - include include include include 
diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index 7ecd2c8fe..c41e5254f 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index b4cfb56e6..87908dc9e 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index c95f6be55..55502dd3e 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,18 +10,13 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include - include include - include include include - include - include - include + include include include include - include network netlink raw, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 60843b0a6..281d15718 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,9 +12,7 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 8137edd8d..3e650962f 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,9 +10,7 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index e07c91f3d..d6969807f 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince 
@@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 1597c35af..dcd28ddc9 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 758ead716..d9d556879 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include include include - include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index bc6516fc2..cc2ee8c2a 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -12,10 +12,8 @@ profile libreoffice @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 5d9cba087..e0d430443 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index b8b361e12..80e58fd7c 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -11,10 +11,8 @@ profile remmina @{exec_path} { include include include - include include include - include include include include 
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index acdad5640..3e6791ddc 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,9 +10,7 @@ include profile rustdesk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 38336fbc7..e6c231df3 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index f79b284fb..a005708db 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/simple-scan profile simple-scan @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 18e3fc248..2af3f99ae 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -11,10 +11,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f3c4acf4f..a3c4b822a 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,11 +17,9 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include include include - include - include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index a7adf91fa..b84322ae0 100644 
--- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,10 +16,8 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e9baf97e1..e8a2533b9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -10,9 +10,7 @@ include profile terminator @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 78d67787d..9c4a8e673 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 9802ecd5a..92dc977d9 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,10 +12,8 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 7e9c31866..bda3010fa 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,10 +11,7 @@ include profile vlc @{exec_path} { include include - include include - include - include include include include diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index c29543d6b..a07d6bad1 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark 
@@ -11,7 +11,6 @@ include
 @{exec_path} = @{bin}/wireshark
 profile wireshark @{exec_path} {
 include
- include
 include
 include
 include
From efa28446f930af3032645b0b9e3197f2d439e6e3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 19:23:43 +0200
Subject: [PATCH 172/184] feat(abs): add bus-session to electron
As it is a layer 2 abstraction, we can safelly add it.
---
 apparmor.d/abstractions/common/electron | 1 +
 apparmor.d/groups/network/mullvad-gui | 1 -
 apparmor.d/profiles-a-f/cider | 8 ++------
 apparmor.d/profiles-a-f/discord | 1 -
 apparmor.d/profiles-a-f/element-desktop | 1 -
 apparmor.d/profiles-a-f/freetube | 1 -
 apparmor.d/profiles-m-r/protonmail | 1 -
 apparmor.d/profiles-s-z/session-desktop | 1 -
 apparmor.d/profiles-s-z/signal-desktop | 2 +-
 apparmor.d/profiles-s-z/spotify | 1 -
 apparmor.d/profiles-s-z/superproductivity | 2 +-
 11 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index 253eab72b..dd4976f5e 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@@ -20,6 +20,7 @@
 abi ,
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 132e25e6d..133e4bc00 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -15,7 +15,6 @@ include
 @{exec_path} = @{lib_dirs}/mullvad-gui
 profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
 network inet stream,
diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider
index 2b203e989..be59811a1 100644
--- a/apparmor.d/profiles-a-f/cider
+++ b/apparmor.d/profiles-a-f/cider
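Review bot: The `+ include` added to abstractions/common/electron (its target path is lost in this rendering; the subject names bus-session) grants session-bus access to every profile that includes this abstraction, not only to the eleven in the diffstat whose own include is dropped, so any electron consumer that deliberately omitted bus-session now gains it. The justification lives only in the commit message; a comment on the include would keep it with the policy, e.g. `# bus-session is provided here for every electron app; do not re-add it in profiles (efa28446)`. The include list of the abstraction continues outside the hunk, so whether any consumer still lists bus-session twice could not be checked from here.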
@@ -15,15 +15,11 @@ include
 @{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider
 profile cider @{exec_path} {
 include
- include
- include
+ include
+ include
 include
- include
 include
 include
- include
- include
- include
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord
index e12c25b9d..0991a243e 100644
--- a/apparmor.d/profiles-a-f/discord
+++ b/apparmor.d/profiles-a-f/discord
@@ -17,7 +17,6 @@ include
 profile discord @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 include
 include
 include
diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop
index f87486af3..59cfa3577 100644
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@@ -16,7 +16,6 @@ include
 profile element-desktop @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 include
 include
 include
diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube
index 958f9b5ee..be75567cd 100644
--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@@ -17,7 +17,6 @@ include
 profile freetube @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 include
 include
 include
diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail
index f5548f696..8a6a2982e 100644
--- a/apparmor.d/profiles-m-r/protonmail
+++ b/apparmor.d/profiles-m-r/protonmail
@@ -16,7 +16,6 @@ include
 @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton*
 profile protonmail @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
 include
diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop
index cafccd791..4fd9dff69 100644
--- a/apparmor.d/profiles-s-z/session-desktop
+++ b/apparmor.d/profiles-s-z/session-desktop
@@ -16,7 +16,6 @@ include
 profile session-desktop @{exec_path} {
 include
 include
- include
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop
index 4abe053f6..53f3d20b1 100644
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@@ -17,7 +17,7 @@ include
 profile signal-desktop @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index a3c4b822a..f70d4e7c9 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -17,7 +17,6 @@ include
 profile spotify @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity
index b84322ae0..838944aa8 100644
--- a/apparmor.d/profiles-s-z/superproductivity
+++ b/apparmor.d/profiles-s-z/superproductivity
@@ -16,7 +16,7 @@ include
 profile superproductivity @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
+ include
 include
 include
 include
From 59bdb157cf260eb2dd46651e063c2e226bbe401f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 20:00:12 +0200
Subject: [PATCH 173/184] feat(abs): add the mediakeys abs.
---
 .../bus/{ => session}/org.gnome.SettingsDaemon.MediaKeys | 0
 apparmor.d/profiles-a-f/evince | 2 +-
 apparmor.d/profiles-s-z/spotify | 4 +---
 3 files changed, 2 insertions(+), 4 deletions(-)
 rename apparmor.d/abstractions/bus/{ => session}/org.gnome.SettingsDaemon.MediaKeys (100%)
diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
similarity index 100%
rename from apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys
rename to apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index d6969807f..89087df4b 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -16,6 +16,7 @@ profile evince @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -28,7 +29,6 @@ profile evince @{exec_path} {
 #aa:dbus own bus=session name=org.gnome.evince
- #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}"
 #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 @{exec_path} rix,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index f70d4e7c9..052757da2 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -18,14 +18,12 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
- include
 include
- include
 include
 include
 include
 include
+ include
 include
 include
 include
 include
From 4526e96318610985fd66ff7cd5626a63410666da Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 20:03:22 +0200
Subject: [PATCH 174/184] feat(abs): add the gtk-strict abs.
---
 apparmor.d/abstractions/gtk-strict | 74 ++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 apparmor.d/abstractions/gtk-strict
diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict
new file mode 100644
index 000000000..0bf0ab41c
--- /dev/null
+++ b/apparmor.d/abstractions/gtk-strict
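Review bot: The removed `#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}"` pinned the peer through the `@{p_gsd_media_keys}` variable, while the MediaKeys abstraction that presumably replaces it (the new include's path is not visible here; its rules appear further down under `fix: linting issue`) pins `label=gsd-media-keys` literally. If the variable can resolve to anything other than that bare profile name in some build mode, evince's media-key traffic is now denied in that mode, and even if it always matches, the abstraction diverges from the series' other bus abstractions, which use the variable form (org.bluez has `label="@{p_bluetoothd}"`). Suggested line for both dbus rules of the abstraction: `peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label="@{p_gsd_media_keys}"),`. The evince profile block extends beyond both hunks on either side.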
@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ include
+ include
+ include
+ include
+
+ @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr,
+ @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr,
+ @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr,
+
+ /usr/share/gtksourceview-2.0/{,**} r,
+ /usr/share/gtksourceview-3.0/{,**} r,
+ /usr/share/gtksourceview-4/{,**} r,
+ /usr/share/gtksourceview-5/{,**} r,
+
+ /usr/share/gtk-2.0/ r,
+ /usr/share/gtk-2.0/gtkrc r,
+
+ /usr/share/gtk-3.0/ r,
+ /usr/share/gtk-3.0/settings.ini r,
+
+ /usr/share/gtk-4.0/ r,
+ /usr/share/gtk-4.0/settings.ini r,
+
+ /etc/gtk/gtkrc r,
+
+ /etc/gtk-2.0/ r,
+ /etc/gtk-2.0/gtkrc r,
+
+ /etc/gtk-3.0/ r,
+ /etc/gtk-3.0/*.conf r,
+ /etc/gtk-3.0/settings.ini r,
+
+ /etc/gtk-4.0/ r,
+ /etc/gtk-4.0/*.conf r,
+ /etc/gtk-4.0/settings.ini r,
+
+ owner @{HOME}/.gtk r,
+ owner @{HOME}/.gtkrc r,
+ owner @{HOME}/.gtkrc-2.0 r,
+ owner @{HOME}/.gtk-bookmarks r,
+
+ owner @{user_cache_dirs}/gtk-4.0/ rw,
+ owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw,
+ owner @{user_cache_dirs}/gtkrc r,
+ owner @{user_cache_dirs}/gtkrc-2.0 r,
+
+ owner @{user_config_dirs}/gtk-2.0/ rw,
+ owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw,
+
+ owner @{user_config_dirs}/gtk-3.0/ rw,
+ owner @{user_config_dirs}/gtk-3.0/bookmarks r,
+ owner @{user_config_dirs}/gtk-3.0/colors.css r,
+ owner @{user_config_dirs}/gtk-3.0/gtk.css r,
+ owner @{user_config_dirs}/gtk-3.0/servers r,
+ owner @{user_config_dirs}/gtk-3.0/settings.ini r,
+ owner @{user_config_dirs}/gtk-3.0/window_decorations.css r,
+
+ owner @{user_config_dirs}/gtk-4.0/ rw,
+ owner @{user_config_dirs}/gtk-4.0/bookmarks r,
+ owner @{user_config_dirs}/gtk-4.0/colors.css r,
+ owner @{user_config_dirs}/gtk-4.0/gtk.css r,
+ owner @{user_config_dirs}/gtk-4.0/servers r,
+ owner @{user_config_dirs}/gtk-4.0/settings.ini r,
+ owner @{user_config_dirs}/gtk-4.0/window_decorations.css r,
+
+ include if exists
+
+# vim:syntax=apparmor
From f3a4372966569d58fd20addc9c2d00a493af85f9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 20:08:51 +0200
Subject: [PATCH 175/184] refractor(profile): bus/org.bluez -> bus/system/org.bluez.
---
 apparmor.d/abstractions/app/chromium | 1 +
 apparmor.d/abstractions/bus/{ => system}/org.bluez | 2 +-
 apparmor.d/groups/freedesktop/pulseaudio | 2 +-
 apparmor.d/groups/freedesktop/upowerd | 2 +-
 apparmor.d/groups/freedesktop/wireplumber | 3 +--
 apparmor.d/groups/gnome/gnome-shell | 1 +
 apparmor.d/groups/network/NetworkManager | 2 +-
 apparmor.d/profiles-a-f/fwupd | 2 +-
 apparmor.d/profiles-m-r/mpris-proxy | 3 +--
 apparmor.d/profiles-s-z/spotify | 1 +
 10 files changed, 10 insertions(+), 9 deletions(-)
 rename apparmor.d/abstractions/bus/{ => system}/org.bluez (96%)
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 1635741ed..313f51687 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -31,6 +31,7 @@
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez
similarity index 96%
rename from apparmor.d/abstractions/bus/org.bluez
rename to apparmor.d/abstractions/bus/system/org.bluez
index 461ad9f94..acaa7bb36 100644
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/system/org.bluez
@@ -36,6 +36,6 @@
 member=RegisterApplication
 peer=(name=org.bluez, label="@{p_bluetoothd}"),
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 346ae7257..206958062 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -16,7 +16,7 @@ profile pulseaudio @{exec_path} {
 include
 include
 include
- include
+ include
 include
 include
 include
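Review bot: abstractions/gtk-strict carries no description comment, unlike the other abstractions in this series (the MediaKeys and mediakeys files open with a paragraph saying what they allow), so a reader cannot tell what "strict" is meant to leave out relative to the existing gtk abstraction or when a profile should prefer it. Suggest a header after the SPDX line such as `# Minimal GTK access: the GTK 2/3/4 libraries, system-wide and per-user GTK settings, and the per-user GTK cache; profiles needing more should use the regular gtk abstraction.` The `rw` on the directory entries (`owner @{user_config_dirs}/gtk-2.0/ rw,` and the gtk-3.0, gtk-4.0 and cache counterparts) while every file beneath them is read-only presumably exists so GTK can create the directory; a short comment saying so would keep a later editor from tightening it to `r` and breaking first-run.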
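Review bot: The `+ include` added to abstractions/app/chromium (the diffstat records it as a pure addition, `1 +`) is a new grant rather than the path rename this commit describes, and it reaches every profile built on the chromium abstraction; the additions to gnome-shell and spotify in the same patch are the same kind of change. If these profiles were missing the bluez rules, that should be stated in the commit message or split out of the rename so the policy widening is reviewable on its own. The include target is not visible in this rendering, so the bluez pairing is inferred from the subject, and the chromium include list continues outside the hunk.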
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index d58385831..201e49f3c 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@@ -11,7 +11,7 @@ include
 profile upowerd @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber
index fc9029ef3..90eb46dc4 100644
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@@ -12,10 +12,9 @@ profile wireplumber @{exec_path} {
 include
 include
 include
- include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index a82278a6c..f46a8461d 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -27,6 +27,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 2959441c4..fca80465d 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -11,7 +11,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 8447bff3e..65793364d 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -11,7 +11,7 @@ include
 profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 include
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy
index 2f31aea79..3a5dfffb6 100644
--- a/apparmor.d/profiles-m-r/mpris-proxy
+++ b/apparmor.d/profiles-m-r/mpris-proxy
@@ -11,8 +11,7 @@ profile mpris-proxy @{exec_path} {
 include
 include
 include
- include
- include
+ include
 #aa:dbus own bus=session name=org.mpris.MediaPlayer2
 dbus receive bus=session path=/
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index 052757da2..d1a60a8c7 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -21,6 +21,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
From 48aeefa0a306efd28dfa5c83fa73e2e14639ea13 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 20:13:37 +0200
Subject: [PATCH 176/184] fix: linting issue.
---
 .../abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
index 3a461a85a..93d830828 100644
--- a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
+++ b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
@@ -18,6 +18,6 @@
 interface=org.gnome.SettingsDaemon.MediaKeys
 peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
- include if exists
+ include if exists
 # vim:syntax=apparmor
From 5559670a37d611bcb053f26a6d0588498442b97f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 20:37:47 +0200
Subject: [PATCH 177/184] feat(abs): add mediakeys
---
 apparmor.d/abstractions/mediakeys | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 apparmor.d/abstractions/mediakeys
diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys
new file mode 100644
index 000000000..ecf839cda
--- /dev/null
+++ b/apparmor.d/abstractions/mediakeys
@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow requesting interest in receiving media key events. This tells Gnome
+# settings that our application should be notified when key events we are
+# interested in are pressed, and allows us to receive those events.
+
+ abi ,
+
+ include
+
+ include if exists
+
+# vim:syntax=apparmor
From 8c66d39a1e64c721ebb6f6c1421922d70abc0e3c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 20:39:38 +0200
Subject: [PATCH 178/184] feat(profile): merge dpkg-script-* profile into dpkg-scripts.
---
 apparmor.d/groups/apt/dpkg-script-apparmor | 74 ---------------------
 apparmor.d/groups/apt/dpkg-script-kmod | 18 -----
 apparmor.d/groups/apt/dpkg-script-linux | 56 ----------------
 apparmor.d/groups/apt/dpkg-script-systemd | 77 ----------------------
 apparmor.d/groups/apt/dpkg-scripts | 5 +-
 5 files changed, 4 insertions(+), 226 deletions(-)
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-apparmor
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-kmod
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-linux
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-systemd
diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor
deleted file mode 100644
index 73a4f6c46..000000000
--- a/apparmor.d/groups/apt/dpkg-script-apparmor
+++ /dev/null
@@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: merge with dpkg-scripts - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/apparmor* -profile dpkg-script-apparmor @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/{,e}grep ix, - @{bin}/cat ix, - @{bin}/chmod ix, - @{bin}/mkdir ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg Px -> child-dpkg, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-divert ix, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/apparmor_parser Px, - - /usr/share/apparmor.d/** rw, - - /etc/apparmor.d/** rw, - - /var/lib/dpkg/diversions rw, - /var/lib/dpkg/diversions-new rw, - /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - - /var/lib/dpkg/info/*.list r, - /var/lib/dpkg/info/format r, - /var/lib/dpkg/status r, - /var/lib/dpkg/triggers/File r, - /var/lib/dpkg/triggers/Unincorp r, - /var/lib/dpkg/updates/ r, - /var/lib/dpkg/updates/@{int} r, - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - capability dac_override, - capability dac_read_search, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent rix, - - @{run}/user/@{uid}/systemd/ask-password/ rw, - @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, - - owner @{run}/systemd/ask-password/ rw, - owner @{run}/systemd/ask-password-block/{,*} rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-kmod b/apparmor.d/groups/apt/dpkg-script-kmod deleted file mode 100644 index f900bba17..000000000 --- a/apparmor.d/groups/apt/dpkg-script-kmod +++ /dev/null 
@@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/kmod* -profile dpkg-script-kmod @{exec_path} { - include - - @{exec_path} mrix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux deleted file mode 100644 index af578be50..000000000 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/linux* -profile dpkg-script-linux @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/cat ix, - @{bin}/mkdir ix, - @{bin}/rm ix, - @{bin}/run-parts ix, - @{bin}/stty ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/systemctl Cx -> systemctl, - - /usr/share/{update,reboot}-notifier/notify-reboot-required Px, - /etc/kernel/{,header_}postinst.d/* Px, - /etc/kernel/postrm.d/* Px, - /etc/kernel/preinst.d/* Px, - /etc/kernel/prerm.d/* Px, - - /etc/kernel/*.d/ r, - - @{lib}/linux/triggers/* w, - @{lib}/modules/*/.fresh-install w, - - profile systemctl { - include - include - - capability net_admin, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd deleted file mode 100644 index 6c76e6f70..000000000 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ /dev/null 
@@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/systemd* -profile dpkg-script-systemd @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{coreutils_path} rix, - @{bin}/bootctl Px, - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Cx -> dpkg, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/journalctl Px, - @{bin}/kernel-install mrPx, - @{bin}/systemctl Cx -> systemctl, - @{bin}/systemd-machine-id-setup Px, - @{bin}/systemd-sysusers Px, - @{bin}/systemd-tmpfiles Px, - @{lib}/systemd/systemd-sysctl Px, - @{sbin}/pam-auth-update Px, - - /etc/systemd/system/*.wants/ rw, - /etc/systemd/system/*.wants/* rw, - - /etc/pam.d/sed@{rand6} rw, - /etc/pam.d/common-password rw, - - @{efi}/ r, - - /var/lib/systemd/{,*} rw, - /var/log/journal/ rw, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,*} r, - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index acde577de..2434c9db9 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -63,8 +63,10 @@ profile dpkg-scripts @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* w, + @{sbin}/ r, + @{sbin}/* w, @{lib}/ r, - @{lib}/** w, + @{lib}/** wl -> @{lib}/**, /opt/*/** rw, #aa:lint ignore=too-wide 
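Review bot: The new `@{lib}/** wl -> @{lib}/**,` rule lets any maintainer script running under dpkg-scripts create a hard link from any path below @{lib} to any other path below @{lib}, which is far wider than the per-package profiles it replaces (none of the deleted dpkg-script-apparmor, -kmod, -linux and -systemd profiles carried a link rule), and `@{sbin}/* w,` extends the existing `@{bin}/* w,` in the same way. If one package's script needs the link, name the source and target it actually uses, or at least record the consumer next to the rule with the existing marker, e.g. `#aa:lint ignore=too-wide` followed by `# <package> postinst relinks <library>  (placeholder: fill in from the audit log)`. The merge also drops the `systemctl` and `dpkg` child profiles that the deleted files reached through `Cx`; the dpkg-scripts profile body starts and ends outside this hunk, so whether those transitions are already covered there cannot be checked from the diff, and the commit message does not say.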
@@ -80,6 +82,7 @@ profile dpkg-scripts @{exec_path} { /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + /tmp/updateppds.@{rand6} rw, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, From d2e941163fb0221c0ddc1e99a492e65e490dc364 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:43:39 +0200 Subject: [PATCH 179/184] feat(abs): add mpris --- .../{ => session}/org.mpris.MediaPlayer2.Player | 4 ++-- apparmor.d/abstractions/mpris | 17 +++++++++++++++++ apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/vlc | 4 +--- 4 files changed, 21 insertions(+), 8 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.mpris.MediaPlayer2.Player (89%) create mode 100644 apparmor.d/abstractions/mpris diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player similarity index 89% rename from apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player rename to apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player index d71b7ac1e..b2b934074 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -33,6 +33,6 @@ member=Seeked peer=(name=org.freedesktop.DBus), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris new file mode 100644 index 000000000..f06c8560e --- /dev/null +++ b/apparmor.d/abstractions/mpris 
@@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow operating as an MPRIS player. + + abi , + + include + + # Allow binding to the well-known DBus mpris interface based on the app's name + # See: https://specifications.freedesktop.org/mpris-spec/latest/ + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index d1a60a8c7..b04432e39 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -25,6 +25,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -35,8 +36,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys @@ -46,7 +45,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { member=RetrieveSecret peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - @{exec_path} mrix, @{sh_path} mr, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index bda3010fa..05866296d 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -22,6 +22,7 @@ profile vlc @{exec_path} { include include include + include include include include 
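Review bot: The new file `apparmor.d/abstractions/mpris` carries `# Copyright (C) 2023-2024 Alexandre Pujol` although it is created in this 2025 commit and its sibling `abstractions/mediakeys` from PATCH 177 says `2025`; it looks copied from the Player bus abstraction and should read `# Copyright (C) 2025 Alexandre Pujol`. The rule `#aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name}` depends on @{profile_name} being exactly the bus-name suffix; for the spotify and vlc profiles that reproduces the names removed in the same commit, but presumably in a child profile it expands to `parent//child` and would own a name no player registers. A one-line comment such as `# Only meaningful in a top-level profile: @{profile_name} must equal the MPRIS suffix.` would document that constraint next to the rule.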
@@ -35,9 +36,6 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc - #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined - @{exec_path} mrix, @{open_path} rPx -> child-open-help, From 5492ab1c4ecef1c09b007bbe05c29eee1c4faa7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:48:25 +0200 Subject: [PATCH 180/184] feat(profile): rewrite the gjs profile. --- apparmor.d/groups/gnome/gjs | 133 ++++++++++++++++++++++++ apparmor.d/groups/gnome/gjs-console | 108 ------------------- apparmor.d/groups/gnome/gnome-extension | 29 ++++++ apparmor.d/groups/gnome/gnome-shell | 2 +- 4 files changed, 163 insertions(+), 109 deletions(-) create mode 100644 apparmor.d/groups/gnome/gjs delete mode 100644 apparmor.d/groups/gnome/gjs-console create mode 100644 apparmor.d/groups/gnome/gnome-extension diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs new file mode 100644 index 000000000..f726ab66b --- /dev/null +++ b/apparmor.d/groups/gnome/gjs 
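Review bot: The vlc hunk removes `#aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined` together with the own rule, but the mpris abstraction added in this commit only owns `org.mpris.MediaPlayer2.@{profile_name}` plus one include whose target is blank in this rendering; unless that include grants the talk to an unconfined Player peer, vlc loses an access the commit message does not mention. Either keep the talk line in vlc or state in the description that it was dropped on purpose. The vlc profile body continues outside the hunk.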
@@ -0,0 +1,133 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# GNOME JavaScript interpreter. It is used to run some gnome internal app
+# as well as third party extensions.
+#
+# Therefore, by default, some extension are confined under this profile. To fix
+# this, the various programs using gjs must never run gjs as module, they need
+# to run it as executable with a specific script.
+#
+# This currently concerns:
+# - gnome-extension-ding (used to not be started as a module)
+# - org.gnome.ScreenSaver (simple dbus service)
+# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...)
+# - org.gnome.Shell.Notifications (simple dbus service)
+# - org.gnome.Shell.Screencast (simple dbus service)
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gjs-console
+profile gjs @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ # Only needed by org.gnome.Shell.Extensions
+ include
+ include
+
+ # Only needed by gnome-extension-ding
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ unix type=stream peer=(label=gnome-shell),
+
+ signal receive set=(term hup) peer=gdm,
+
+ #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions
+ #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus*
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus*
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+ #aa:dbus own bus=session name=org.gnome.Shell.Screencast
+ #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell
+
+ #aa:dbus own bus=session name=org.freedesktop.Notifications
+ #aa:dbus own bus=session name=org.gnome.ScreenSaver
+ #aa:dbus own bus=session name=org.gnome.Shell.Extensions
+ #aa:dbus own bus=session name=org.gnome.Shell.Notifications
+
+ @{exec_path} mrix,
+
+ # gnome-extension-ding
+ @{sh_path} rix,
+ @{bin}/env rix,
+ @{bin}/gnome-control-center rPx,
+ @{bin}/nautilus rPx,
+
+ @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer,
+ @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer,
+ @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer,
+
+ /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
+ @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
+
+ /usr/share/dconf/profile/gdm r,
+ /usr/share/gdm/greeter-dconf-defaults r,
+ /usr/share/gnome-shell/{,**} r,
+ /usr/share/xkeyboard-config-2/{,**} r,
+ /usr/share/thumbnailers/{,**} r,
+
+ owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r,
+ owner @{gdm_config_dirs}/dconf/user r,
+ owner @{GDM_HOME}/greeter-dconf-defaults r,
+
+ owner @{user_cache_dirs}/gstreamer-1.0/ rw,
+ owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
+
+ owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
+ owner @{user_share_dirs}/nautilus/scripts/ r,
+
+ owner @{user_desktop_dirs}/ r,
+ owner @{user_templates_dirs}/ r,
+
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
+ /dev/ r,
+ /dev/dri/ r,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ profile gstreamer {
+ include
+ include
+ include
+ include
+ include
+
+ network (bind create getattr setopt getopt) netlink raw,
+
+ @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr,
+ @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr,
+ @{lib}/gstreamer-1.0/gst-plugin-scanner mr,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
deleted file mode 100644
index 6d6d6ea85..000000000
--- a/apparmor.d/groups/gnome/gjs-console
+++ /dev/null
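Review bot: The header comment still states that, by default, some extensions are confined under this profile, while the same commit adds the gnome-extension profile and changes gnome-shell to exec `@{bin}/gjs-console rPx -> gnome-extension`, so extensions started by gnome-shell no longer land here; the paragraph should say which gjs invocations still do, e.g. `# gjs started outside gnome-shell (gdm greeter, the dbus services listed below) runs here; extensions spawned by gnome-shell are confined by the gnome-extension profile.`. The `@{sh_path} rix,` and `@{bin}/env rix,` lines run a shell with every permission of this profile, including the `rPx` to gnome-control-center and nautilus and ownership of `org.freedesktop.Notifications`; the `# gnome-extension-ding` comment names the consumer, but a note on why `ix` rather than a child profile was chosen would keep the next reviewer from re-raising it. Compared with the deleted gjs-console profile, `@{bin}/* PUx` and `@{lib}/** PUx` are gone and the gdm signal peer is narrowed from `gdm*` to `gdm`, which is a clear tightening worth a line in the commit message.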
@@ -1,108 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. Therefore, by default, some extension are -# confined under this profile. The resulting profile is quite broad. -# This architecture needs to be rethinked. - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs-console @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - unix type=stream peer=(label=gnome-shell), - - signal receive set=(term hup) peer=gdm*, - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - - #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell.Extensions - member=ListExtensions - peer=(name=:*, label=gnome-shell), - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/* PUx, - @{lib}/** PUx, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /etc/openni2/OpenNI.ini r, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/thumbnailers/{,**} r, - - /tmp/ r, - /var/tmp/ r, - 
- owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl,
- owner @{gdm_cache_dirs}/gstreamer-1.0/ rw,
- owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
- owner @{gdm_config_dirs}/dconf/user r,
- owner @{GDM_HOME}/greeter-dconf-defaults r,
-
- owner @{HOME}/ r,
-
- owner @{user_cache_dirs}/gstreamer-1.0/ rw,
- owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
- owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
- owner @{user_share_dirs}/nautilus/scripts/ r,
-
- owner @{user_desktop_dirs}/ r,
- owner @{user_templates_dirs}/ r,
-
- owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
-
- owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/task/ r,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- owner @{PROC}/@{pid}/task/@{tid}/stat r,
-
- /dev/ r,
- /dev/tty rw,
-
- deny @{user_share_dirs}/gvfs-metadata/* r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension
new file mode 100644
index 000000000..e13eca832
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-extension
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# gjs started from gnome-shell should (in theory) only run gnome extensions.
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gjs-console
+profile gnome-extension {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index f46a8461d..24c069e72 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
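Review bot: `profile gnome-extension {` has no attachment path, so the profile is only ever entered through the `rPx -> gnome-extension` transition this commit adds to gnome-shell; the file should say so, e.g. `# No attachment on purpose: entered only via 'rPx -> gnome-extension' from gnome-shell.` under the existing header, since otherwise `@{exec_path} = @{bin}/gjs-console` looks like it was meant to go on the profile line. The profile also omits the `flags=(attach_disconnected)` that both gjs and gnome-shell carry; if that is deliberate (no `@{exec_path} ix`, no shell, so extensions cannot spawn helpers), a short comment would stop the next person from "fixing" it back to the wider form. With only `mr` on the interpreter and read-only proc access, this is a much tighter boundary for third-party extension code than the deleted gjs-console profile gave, which is worth stating in the commit message.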
@@ -162,7 +162,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, @{bin}/flatpak rPx, - @{bin}/gjs-console rPx, + @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/sensors rPx, From b76fe7c3429e4323834953d2e2d08e1b65e8a244 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:57:37 +0200 Subject: [PATCH 181/184] refractor(profile): move org.gnome.SessionManager This is the stage 1 of rewriting access to the session manager. --- apparmor.d/abstractions/app/chromium | 2 +- .../{ => session}/org.gnome.SessionManager | 22 +++++++++---------- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- .../groups/gnome/gsd-print-notifications | 1 - apparmor.d/groups/gnome/gsd-printer | 5 +++-- apparmor.d/groups/gnome/gsd-rfkill | 2 +- apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 +- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 4 ++-- apparmor.d/groups/gnome/gsd-usb-protection | 3 +++ apparmor.d/groups/gnome/gsd-wacom | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 5 ++--- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/totem | 2 +- 31 files changed, 45 insertions(+), 45 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.SessionManager (61%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 313f51687..dcb29fecb 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium 
@@ -30,7 +30,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager similarity index 61% rename from apparmor.d/abstractions/bus/org.gnome.SessionManager rename to apparmor.d/abstractions/bus/session/org.gnome.SessionManager index a532b67f2..4c641776b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager 
@@ -1,48 +1,46 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# FIXME: Too large, restrict it. - abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - 
peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 26311b575..fec6d7897 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -13,7 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 910ae0008..c9b9a1538 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -12,7 +12,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d1ae86e15..b7906c5e2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -14,7 +14,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 595b3fd48..e39ef0dc0 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
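Review bot: The `# FIXME: Too large, restrict it.` marker is deleted while every rule is kept and the peer label on each of them is widened from `gnome-session-binary` to `"{gnome-session-binary,gnome-session-service}"`, so the abstraction is broader after this change, not narrower. Because the description calls this stage 1 of rewriting session-manager access, keep a marker such as `# TODO: stage 2 - split Setenv/Inhibit from the plain RegisterClient/IsSessionRunning path.` so the intent survives the rename. The label widening is reasonable if gnome-session-service is the newer name of the same peer, but that is inferred rather than shown by the hunk; a half-line comment naming which distribution ships which binary would make the alternation self-explanatory.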
@@ -15,7 +15,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include capability ipc_lock, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 34ce2884d..22aaba164 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,7 +10,7 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 0acdbaf38..1a52321b1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -13,7 +13,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index af1784e68..0364f3f2b 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,7 +10,7 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 8d8b9fc1b..497462a03 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index b700a7df9..be27a873e 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -13,7 +13,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include 
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3ca105656..b299ab7ff 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -15,7 +15,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d20ad65d0..d3ac6b456 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -19,7 +19,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 5d037961f..22ec520cb 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -11,7 +11,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index b85a40f04..a768c8d1e 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include - include include include - include + include + include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 5f1c13d9d..7283c5c00 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -15,7 +15,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, 
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 546a252d7..ac2f9229d 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -11,7 +11,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index b6d90d5e3..9d432ae13 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -12,7 +12,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index d42fb486b..5143b9984 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,7 +10,7 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 2b64ddf06..ff2d30766 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -12,8 +12,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 59e67d9bf..bcdb353a8 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -10,6 +10,9 @@ include profile gsd-usb-protection @{exec_path} { include include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 0bb1d50d1..3d4f2cb05 100644 
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -11,7 +11,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
+ include
include
include
include
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 84abb82e0..20151eec0 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -13,10 +13,9 @@ profile gsd-xsettings @{exec_path} {
include
include
include
- include
+ include
include
- include
- include
+ include
include
include
include
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index d3906051c..c405a3bf8 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -15,7 +15,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
+ include
include
include
include
diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport
index 255dc551a..211dda9cc 100644
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@@ -11,7 +11,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
+ include
include
include
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 89087df4b..10b5ad4af 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -12,7 +12,7 @@ profile evince @{exec_path} {
include
include
include
- include
+ include
include
include
include
diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla
index 78781ba28..16bafb886 100644
--- a/apparmor.d/profiles-a-f/filezilla
+++ b/apparmor.d/profiles-a-f/filezilla
@@ -11,7 +11,7 @@ include
profile filezilla @{exec_path} {
include
include
- include
+ include
include
include
include
diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube
index be75567cd..b820f249c 100644
--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@@ -17,7 +17,7 @@ include
profile freetube @{exec_path} flags=(attach_disconnected) {
include
include
- include
+ include
include
include
include
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index cc2ee8c2a..7e4feed45 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -15,7 +15,7 @@ profile libreoffice @{exec_path} {
include
include
include
- include
+ include
include
include
include
diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity
index 838944aa8..f812fc570 100644
--- a/apparmor.d/profiles-s-z/superproductivity
+++ b/apparmor.d/profiles-s-z/superproductivity
@@ -20,7 +20,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
+ include
include
include
include
diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem
index d8b464956..d1e429d45 100644
--- a/apparmor.d/profiles-s-z/totem
+++ b/apparmor.d/profiles-s-z/totem
@@ -10,7 +10,7 @@ include
profile totem @{exec_path} flags=(attach_disconnected) {
include
include
- include
+ include
include
include
include
From e6e0cc07102a54a8557c155ffb817b0608339a48 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 20:59:12 +0200
Subject: [PATCH 182/184] fix(profile): missing updated bus abstraction paths.
---
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 3 +--
apparmor.d/groups/virt/libvirtd | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index 95daf2935..30b415204 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -14,8 +14,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
- include
+ include
include
include
include
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 23e8e20d1..378449352 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -19,7 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
+ include
include
include
include
From 6a77b7ed8b9683ebcaf92470b64cc33deca9b9d8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Sep 2025 21:07:43 +0200
Subject: [PATCH 183/184] fix(profile): missing updated bus abstraction paths.
---
apparmor.d/abstractions/mediakeys | 2 +-
apparmor.d/groups/gnome/gjs | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys
index ecf839cda..d9aafa764 100644
--- a/apparmor.d/abstractions/mediakeys
+++ b/apparmor.d/abstractions/mediakeys
@@ -8,7 +8,7 @@ abi ,
- include
+ include
include if exists
diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs
index f726ab66b..de9d25a14 100644
--- a/apparmor.d/groups/gnome/gjs
+++ b/apparmor.d/groups/gnome/gjs
@@ -115,7 +115,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
+ include
include
network (bind create getattr setopt getopt) netlink raw,
From 9db6bf4a3583a94d4109e0b0eb9d95e121fc8119 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 16 Sep 2025 20:42:35 +0200
Subject: [PATCH 184/184] feat(abs): add the themes abs. fix #860
---
apparmor.d/abstractions/desktop | 1 +
apparmor.d/abstractions/gnome-strict | 1 +
apparmor.d/abstractions/kde-strict | 1 +
apparmor.d/abstractions/lxqt | 1 +
apparmor.d/abstractions/themes | 14 ++++++++++++++
apparmor.d/abstractions/xfce | 1 +
6 files changed, 19 insertions(+)
create mode 100644 apparmor.d/abstractions/themes
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index 66742f02a..c4abbd574 100644
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@@ -18,6 +18,7 @@
include
include
include
+ include
include
include
include
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index 47efde306..227377f3a 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -13,6 +13,7 @@
include
include
include
+ include
include
include
include
diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict
index 17952414c..79e97b23f 100644
--- a/apparmor.d/abstractions/kde-strict
+++ b/apparmor.d/abstractions/kde-strict
@@ -13,6 +13,7 @@
include
include
include
+ include
include
include
include
diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt
index 8d83aefdc..913ab3eb3 100644
--- a/apparmor.d/abstractions/lxqt
+++ b/apparmor.d/abstractions/lxqt
@@ -10,6 +10,7 @@
include
include
include
+ include
include
include
include
diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes
new file mode 100644
index 000000000..13fe70bc6
--- /dev/null
+++ b/apparmor.d/abstractions/themes
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ /usr/share/themes/{,**} r,
+
+ owner @{HOME}/.themes/{,**} r,
+ owner @{user_share_dirs}/themes/{,**} r,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce
index c7e464236..df13363fc 100644
--- a/apparmor.d/abstractions/xfce
+++ b/apparmor.d/abstractions/xfce
@@ -8,6 +8,7 @@
include
include
include
+ include
include
include
include
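Review bot: The new `abstractions/themes` file carries no description comment, so a reader cannot tell from the file what it is meant to grant or why the desktop, gnome-strict, kde-strict, lxqt and xfce abstractions in this same commit all pull it in. I would add after the SPDX line: `# Read-only access to the system-wide and per-user theme directories. Included by the desktop abstractions, so individual profiles should not need to list these paths themselves.` The `owner` qualifier on the two home-directory rules is the right choice, since a confined application has no reason to read another user's theme tree. If the toolkits this is meant to serve also search the other XDG data directories (for example `/usr/local/share/themes`), that location is not covered by this file; worth confirming against the actual lookup path before profiles rely on the abstraction alone.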