From 4286b5330ca33335f957501cadfb776d516e3464 Mon Sep 17 00:00:00 2001 
From: nobody43
Date: Wed, 22 Jan 2025 22:50:59 +0000
Subject: [PATCH 1/6] xfce, updates
---
apparmor.d/groups/apt/dpkg-preconfigure | 7 +++++++
apparmor.d/groups/children/child-dpkg-divert | 1 +
apparmor.d/groups/display-manager/lightdm | 11 +++++++++++
.../polkit-gnome-authentication-agent | 8 ++++++++
apparmor.d/groups/freedesktop/polkitd | 1 +
apparmor.d/groups/gnome/gnome-system-monitor | 2 +-
apparmor.d/groups/grub/grub-mkconfig | 1 +
apparmor.d/groups/grub/grub-probe | 1 +
apparmor.d/groups/gvfs/gvfsd-computer | 3 +++
apparmor.d/groups/gvfs/gvfsd-wsdd | 3 +++
apparmor.d/groups/network/NetworkManager | 1 +
apparmor.d/groups/network/wg | 1 +
apparmor.d/groups/network/wg-quick | 1 +
apparmor.d/groups/systemd/systemd-hwdb | 4 ++--
apparmor.d/groups/systemd/systemd-udevd | 2 +-
apparmor.d/groups/xfce/startxfce | 4 ++++
apparmor.d/groups/xfce/thunar | 9 +++++++++
apparmor.d/groups/xfce/thunar-volman | 2 ++
apparmor.d/groups/xfce/tumblerd | 15 +++++++++++++++
apparmor.d/groups/xfce/xfce-clipman-settings | 4 ++++
apparmor.d/groups/xfce/xfce-notifyd | 5 +++++
apparmor.d/groups/xfce/xfce-panel | 18 +++++++++++++++++-
apparmor.d/groups/xfce/xfce-power-manager | 7 +++++++
apparmor.d/groups/xfce/xfce-screensaver | 4 ++++
apparmor.d/groups/xfce/xfce-session | 11 +++++++++++
apparmor.d/groups/xfce/xfce-terminal | 11 +++++++++++
apparmor.d/groups/xfce/xfconfd | 5 ++++-
apparmor.d/groups/xfce/xfdesktop | 10 ++++++++++
apparmor.d/groups/xfce/xfsettingsd | 6 ++++++
apparmor.d/groups/xfce/xfwm | 2 ++
apparmor.d/profiles-a-f/blueman | 2 ++
apparmor.d/profiles-a-f/blueman-mechanism | 1 +
apparmor.d/profiles-a-f/filezilla | 2 ++
apparmor.d/profiles-g-l/iceauth | 2 +-
apparmor.d/profiles-g-l/im-launch | 1 +
apparmor.d/profiles-g-l/libreoffice | 9 +++++++--
apparmor.d/profiles-m-r/mkinitramfs | 1 +
apparmor.d/profiles-m-r/mount-cifs | 2 ++
apparmor.d/profiles-m-r/nemo | 5 +++++
apparmor.d/profiles-m-r/remmina | 6 ++++++
apparmor.d/profiles-m-r/run-parts | 2 ++
apparmor.d/profiles-s-z/su | 2 ++
.../profiles-s-z/system-config-printer-applet | 3 +++
apparmor.d/profiles-s-z/xarchiver | 1 +
44 files changed, 190 insertions(+), 9 deletions(-)
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 34163333b..eb022b3cb 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -30,6 +30,9 @@ profile dpkg-preconfigure @{exec_path} {
 @{bin}/sort rix,
 @{bin}/stty rix,
 @{bin}/tr rix,
+ @{bin}/head rix,
+ @{bin}/readlink rix,
+ @{bin}/realpath rix,
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/apt-extracttemplates rPx,
@@ -37,11 +40,14 @@ profile dpkg-preconfigure @{exec_path} {
 @{lib}/apt/apt-extracttemplates rPx,
 /usr/share/debconf/confmodule r,
+ /usr/share/dictionaries-common/{,*} r,
+ /etc/cloud/cloud.cfg.d/90_dpkg.cfg r,
 /etc/debconf.conf r,
 /etc/default/grub r,
 /etc/inputrc r,
 /etc/shadow r,
+ /etc/X11/Xwrapper.config r,
 owner @{tmp}/*.template.* rw,
 owner @{tmp}/*.config.* rwPUx,
@@ -54,6 +60,7 @@ profile dpkg-preconfigure @{exec_path} {
 owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w,
 owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w,
 owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w,
+ owner /var/cache/dictionaries-common/flag-wordlist-new w,
 owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert
index 6ea41a9e8..ddfff5fc2 100644
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@@ -22,6 +22,7 @@ profile child-dpkg-divert {
 /var/lib/dpkg/arch r,
 /var/lib/dpkg/status r,
 /var/lib/dpkg/updates/ r,
+ /var/lib/dpkg/updates/@{int} r,
 /var/lib/dpkg/triggers/File r,
 /var/lib/dpkg/triggers/Unincorp r,
 /var/lib/dpkg/diversions r,
diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm
index 04accbbf0..a70779fc4 100644
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/lightdm
 profile lightdm @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -36,6 +37,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term) peer=xfce-session,
 signal (send) set=(term) peer=xorg,
+ unix (bind) type=stream addr="@@{hex}/bus/lightdm/system",
+
+ dbus (bind) bus=system name=org.freedesktop.DisplayManager,
+
 @{exec_path} mrix,
 @{bin}/rm rix,
@@ -45,6 +50,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 @{bin}/Xorg rPx,
 @{bin}/plymouth rPx,
 @{bin}/gnome-keyring-daemon rPx,
+ @{bin}/lightdm-session rPx,
 @{lib}/security-misc/* rPx, #aa:only whonix
 @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
@@ -52,6 +58,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 /etc/lightdm/Xsession rPx,
 /etc/X11/Xsession rPx,
+ @{sh_path} rix,
+ @{bin}/{,e,f}grep rix,
+ @{bin}/df rix,
+
 /usr/share/lightdm/{,**} r,
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xgreeters/{,**} r,
@@ -81,6 +91,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/uid_map r,
+ owner @{PROC}/@{pid}/mountinfo r,
 /dev/tty@{int} r,
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
index 94bc7ece6..e488272ca 100644
--- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
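Review bot: `@{sh_path} rix,`, `@{bin}/{,e,f}grep rix,` and `@{bin}/df rix,` in the `@@ -52,6 +58,10 @@` hunk run a shell inline in the lightdm profile, so the script they serve inherits every rule of a root display-manager profile that already carries `@{exec_path} mrix` and a long list of `rPx` transitions. The hunk does not say which script needs them; a trailing comment such as `@{sh_path} rix, # for [script name here, from the audit log]` would let a later reader judge whether a child profile (`rCx`, as startxfce uses for systemctl in this same series) is the tighter fit. I cannot tell from the hunk whether a lightdm hook or something else is behind it, so read the child-profile idea as a question rather than a requirement. The profile body continues outside the hunk.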
@@ -12,11 +12,19 @@ include
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
 include
+ include
+ include
+ include
+ include
 include
 include
+ signal (send) set=(term) peer=polkit-agent-helper,
+
 @{exec_path} mr,
+ @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+
 @{PROC}/@{pid}/cgroup r,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 5e3d3ee78..5b630a15a 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -31,6 +31,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{bin}/pkla-check-authorization rPUx,
+ @{bin}/pkla-admin-identities rPx,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index 92cbd369e..8df82b290 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -36,7 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 @{bin}/tr rix,
 /usr/share/gnome-system-monitor/{,**} r,
- /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
+ /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
 / r,
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index 2a60d69c5..1ff23f1fe 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -65,6 +65,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
 @{lib}/grub/grub-sort-version rPx,
 @{lib}/libostree/grub[0-9]-@{int}_ostree rix,
+ /usr/share/desktop-base/*/grub/* r,
 /usr/share/grub/{,**} r,
 /usr/share/terminfo/** r,
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index 80d517deb..2e2d9232b 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -27,6 +27,7 @@ profile grub-probe @{exec_path} {
 / r,
 /boot/ r,
+ /boot/grub/ r,
 /boot/grub/themes/{,**} r,
 @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer
index e756c8440..f72fc17c7 100644
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
@@ -10,6 +10,9 @@ include
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer
 profile gvfsd-computer @{exec_path} {
 include
+ include
+
+ dbus (bind) bus=session name=org.gtk.vfs.mountpoint_@{int},
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd
index f971b5f6a..1b0dc2cc2 100644
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@@ -9,9 +9,12 @@ include
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd
 profile gvfsd-wsdd @{exec_path} {
 include
+ include
 network netlink raw,
+ dbus (bind) bus=session name=org.gtk.vfs.mountpoint_wsdd,
+
 @{exec_path} mr,
 @{bin}/env r,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 1bb2de231..39c68fda9 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -105,6 +105,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 /etc/ r,
 /etc/iproute2/* r,
 /etc/machine-id r,
+ /etc/netplan/90-NM-@{uuid}.yaml w,
 /etc/network/interfaces r,
 /etc/network/interfaces.d/{,*} r,
 /etc/NetworkManager/{,**} r,
diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg
index 781a52f7a..57e6ec769 100644
--- a/apparmor.d/groups/network/wg
+++ b/apparmor.d/groups/network/wg
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/wg
 profile wg @{exec_path} {
 include
+ include
 capability net_admin,
 capability net_bind_service,
diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick
index c7ea6b1bd..5c4a5579b 100644
--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/wg-quick
 profile wg-quick @{exec_path} {
 include
+ include
 capability dac_read_search,
 capability net_admin,
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 9b6203e92..ae64274c6 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -16,10 +16,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{exec_path} mr,
 @{lib}/udev/#@{int} rwl,
- @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
+ @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int},
 @{lib}/udev/hwdb.bin w,
- /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},
+ /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int},
 /etc/udev/hwdb.bin w,
 /etc/udev/hwdb.d/{,*} r,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index f52a2fc6c..0ba3be209 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -79,7 +79,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 /etc/nfs.conf rk,
 /etc/udev/{,**} r,
- /etc/udev/.#hwdb.bin* rw,
+ /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw,
 /etc/udev/hwdb.bin rw,
 /etc/modprobe.d/ r,
diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce
index 8d91581cb..110da187b 100644
--- a/apparmor.d/groups/xfce/startxfce
+++ b/apparmor.d/groups/xfce/startxfce
@@ -19,6 +19,7 @@ profile startxfce @{exec_path} {
 @{bin}/mkdir rix,
 @{bin}/id rix,
+ @{bin}/xdg-user-dirs-update rPx,
 @{bin}/xfce4-session rPx,
 @{bin}/xrdb rPx,
 @{bin}/systemctl rCx -> systemctl,
@@ -27,6 +28,8 @@ profile startxfce @{exec_path} {
 /etc/X11/xinit/xinitrc.d/{,**} r,
 /etc/xdg/xfce4/{,**} r,
+ owner @{HOME}/.Xdefaults r,
+
 profile systemctl flags=(attach_disconnected) {
 include
 include
@@ -36,6 +39,7 @@ profile startxfce @{exec_path} {
 profile dbus {
 include
+ include
 @{bin}/dbus-update-activation-environment mr,
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index d8f04d49c..629fc2b4b 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{bin}/thunar
 profile thunar @{exec_path} {
 include
+ include
+ include
 include
 include
 include
@@ -17,6 +19,10 @@ profile thunar @{exec_path} {
 network netlink raw,
+ dbus (bind) bus=session name=org.xfce.Thunar,
+ dbus (bind) bus=session name=org.xfce.FileManager,
+ dbus (bind) bus=session name=org.freedesktop.FileManager1,
+
 @{exec_path} mr,
 @{bin}/thunar-volman rPx,
@@ -30,6 +36,7 @@ profile thunar @{exec_path} {
 /etc/fstab r,
 /etc/timezone r,
+ /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r,
 # Full access to user's data
 / r,
@@ -50,6 +57,8 @@ profile thunar @{exec_path} {
 deny /tmp/.* rw,
 deny /tmp/.*/{,**} rw,
+ @{run}/mount/utab r,
+
 owner @{PROC}/@{pid}/mountinfo r,
 profile dbus {
diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman
index 350255834..fc73a14c9 100644
--- a/apparmor.d/groups/xfce/thunar-volman
+++ b/apparmor.d/groups/xfce/thunar-volman
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{bin}/thunar-volman
 profile thunar-volman @{exec_path} {
 include
+ include
+ include
 include
 include
diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd
index 99971abb8..db90af4c5 100644
--- a/apparmor.d/groups/xfce/tumblerd
+++ b/apparmor.d/groups/xfce/tumblerd
@@ -9,18 +9,33 @@ include
 @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd
 profile tumblerd @{exec_path} {
 include
+ include
+ include
+ include
+ include
+ include
+ include
 include
 include
 include
+ dbus (bind) bus=session name=org.freedesktop.thumbnails.Cache1,
+ dbus (bind) bus=session name=org.freedesktop.thumbnails.Manager1,
+ dbus (bind) bus=session name=org.freedesktop.thumbnails.Thumbnailer1,
+
 @{exec_path} mr,
+ @{bin}/gdk-pixbuf-thumbnailer rPx,
+ /usr/share/backgrounds/xfce/{,**} r,
 /usr/share/thumbnailers/{,**} r,
 /etc/fstab r,
 /etc/xdg/tumbler/* r,
+ owner /tmp/tumbler-@{rand6}.png r,
+ owner /tmp/tumbler-@{rand6}.??? w,
+
 owner @{PROC}/@{pid}/mountinfo r,
 /dev/ r,
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings
index 248d60b7e..2c777a0a1 100644
--- a/apparmor.d/groups/xfce/xfce-clipman-settings
+++ b/apparmor.d/groups/xfce/xfce-clipman-settings
@@ -9,8 +9,12 @@ include
 @{exec_path} = @{bin}/xfce4-clipman-settings
 profile xfce-clipman-settings @{exec_path} {
 include
+ include
+ include
 include
+ dbus (bind) bus=session name=org.xfce.clipman.settings,
+
 @{exec_path} mr,
 @{open_path} rPx -> child-open-help,
diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd
index f5c80e07c..d8ef2a9e0 100644
--- a/apparmor.d/groups/xfce/xfce-notifyd
+++ b/apparmor.d/groups/xfce/xfce-notifyd
@@ -10,6 +10,8 @@ include
 @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd
 profile xfce-notifyd @{exec_path} {
 include
+ include
+ include
 include
 include
 include
@@ -22,6 +24,9 @@ profile xfce-notifyd @{exec_path} {
 network inet6 stream,
 network netlink raw,
+ dbus (bind) bus=session name=org.xfce.Notifyd,
+ dbus (bind) bus=session name=org.freedesktop.Notifications,
+
 @{exec_path} mr,
 owner @{user_cache_dirs}/xfce4/notifyd/ rw,
diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel
index 7b192ffc5..d2a9cdbf6 100644
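Review bot: `owner /tmp/tumbler-@{rand6}.png r,` and `owner /tmp/tumbler-@{rand6}.??? w,` hard-code `/tmp/` while every other temp-file rule in this series goes through `@{tmp}` (`owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w,` in xfce-panel, `owner @{tmp}/.xfsm-ICE-@{rand6} rw,` in xfce-session), so if `@{tmp}` can expand to anything other than `/tmp/` on some targets these two rules silently stop matching there; `owner @{tmp}/tumbler-@{rand6}.png r,` and `owner @{tmp}/tumbler-@{rand6}.??? w,` keep the intent. The `.???` suffix also deserves a short trailing comment saying what the three characters stand for, since a reader cannot tell whether it means "any three-letter extension" or one specific format. The new ucf profile later in the series has the same `/tmp/` hard-coding in `owner /tmp/tmp.@{rand10} r,`.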
--- a/apparmor.d/groups/xfce/xfce-panel
+++ b/apparmor.d/groups/xfce/xfce-panel
@@ -9,12 +9,22 @@ include
 @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0
 profile xfce-panel @{exec_path} {
 include
+ include
+ include
+ include
+ include
+ include
 include
 include
 include
 include
 include
+ ptrace (read) peer=xfce-terminal,
+
+ dbus (bind) bus=session name=org.xfce.Panel,
+ dbus (bind) bus=session name=org.kde.StatusNotifierWatcher,
+
 @{exec_path} mr,
 @{bin}/exo-open rix,
@@ -26,6 +36,7 @@ profile xfce-panel @{exec_path} {
 @{bin}/sudo rCx -> root,
 /usr/share/desktop-directories/{,**} r,
+ /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
 /usr/share/livecheck/** r,
 /usr/share/xfce4/{,**} r,
@@ -33,15 +44,20 @@ profile xfce-panel @{exec_path} {
 /etc/machine-id r,
 /etc/timezone r,
 /etc/xdg/menus/{,**} r,
- /etc/xdg/xfce4/{,**} r,
+ /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r,
 owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw,
+ owner @{user_cache_dirs}/xfce4-indicator-plugin.log w,
 owner @{user_config_dirs}/xfce4/panel/{,**} rw,
+ owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w,
+
 @{PROC}/cmdline r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
+ deny @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 profile root {
 include
 include
diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager
index 1c2a0263d..4f3199a9e 100644
--- a/apparmor.d/groups/xfce/xfce-power-manager
+++ b/apparmor.d/groups/xfce/xfce-power-manager
@@ -9,9 +9,16 @@ include
 @{exec_path} = @{bin}/xfce4-power-manager
 profile xfce-power-manager @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
+ include
+ include
 include
 include
+ dbus (bind) bus=session name=org.xfce.PowerManager,
+ dbus (bind) bus=session name=org.freedesktop.PowerManagement,
+
 @{exec_path} mr,
 @{bin}/xfpm-power-backlight-helper rPx,
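Review bot: `ptrace (read) peer=xfce-terminal,` in the first xfce-panel hunk is the only ptrace grant in this series and comes without a reason; in AppArmor a read-ptrace rule is also what gates reading another confined process's `/proc` entries, so it deserves a trailing why-comment along the lines of `ptrace (read) peer=xfce-terminal, # [triggering access here, from the audit log]`. Naming the peer is already the right shape; the comment is the missing piece, so that a later widening of the peer or the ptrace mode can be judged against the original need. The profile body continues outside the hunk.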
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver
index e486ac6d9..911cc1b9f 100644
--- a/apparmor.d/groups/xfce/xfce-screensaver
+++ b/apparmor.d/groups/xfce/xfce-screensaver
@@ -9,11 +9,15 @@ include
 @{exec_path} = @{bin}/xfce4-screensaver
 profile xfce-screensaver @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
 include
 include
 include
 include
+ dbus (bind) bus=session name=org.xfce.ScreenSaver,
+
 @{exec_path} mr,
 @{sh_path} rix,
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index 17007122e..6db8277d7 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -9,6 +9,10 @@ include
 @{exec_path} = @{bin}/xfce4-session
 profile xfce-session @{exec_path} flags=(attach_disconnected) {
 include
+ include
+ include
+ include
+ include
 include
 include
 include
@@ -16,6 +20,8 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term) peer=lightdm,
+ dbus (bind) bus=session name=org.xfce.SessionManager,
+
 @{exec_path} mr,
 @{sh_path} rix,
@@ -33,6 +39,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
 @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx,
 @{lib}/sdwdate-gui/start-maybe rPx,
 @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx,
+ @{lib}/xapps/sn-watcher/xapp-sn-watcher rPUx,
 /usr/share/kde-power-savings-disable-in-vms/{,**} r,
 /usr/share/kde-screen-locker-disable-in-vms/{,**} r,
@@ -48,11 +55,15 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
 /etc/xdg/autostart/*.desktop r,
 owner @{user_cache_dirs}/sessions/{,**} rw,
+ owner @{user_config_dirs}/autostart/ r,
+ owner @{user_config_dirs}/autostart/*.desktop r,
 owner @{tmp}/.xfsm-ICE-@{rand6} rw,
 owner @{PROC}/@{pid}/stat r,
+ @{sys}/class/i2c-adapter/ r,
+
 /dev/tty rw,
 profile systemctl flags=(attach_disconnected) {
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index d0d895c5a..46a17ca7f 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
@@ -9,6 +9,9 @@ include
 @{exec_path} = @{bin}/xfce4-terminal
 profile xfce-terminal @{exec_path} {
 include
+ include
+ include
+ include
 include
 include
 include
@@ -16,6 +19,10 @@ profile xfce-terminal @{exec_path} {
 include
 include
+ signal (send),
+
+ dbus (bind) bus=session name=org.xfce.Terminal5,
+
 @{exec_path} mr,
 @{open_path} rPx -> child-open-help,
@@ -28,7 +35,10 @@ profile xfce-terminal @{exec_path} {
 @{bin}/micro rPUx,
 @{bin}/nvtop rPx,
+ @{bin}/vim{,.basic} rPUx,
+ /usr/share/ r,
+ /usr/share/desktop-base/profiles/xdg-config/ r,
 /usr/share/xfce4/ r,
 /usr/share/xfce4/terminal/{,**} r,
@@ -36,6 +46,7 @@ profile xfce-terminal @{exec_path} {
 /etc/xdg/ r,
 /etc/xdg/xfce4/ r,
+ owner @{user_config_dirs}/xfce4/ r,
 owner @{user_config_dirs}/xfce4/terminal/{,**} r,
 owner @{tmp}/#@{int} rw,
diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd
index 0ab17ac5c..de82191a7 100644
--- a/apparmor.d/groups/xfce/xfconfd
+++ b/apparmor.d/groups/xfce/xfconfd
@@ -10,11 +10,14 @@ include
 @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd
 profile xfconfd @{exec_path} {
 include
+ include
 include
+ dbus (bind) bus=session name=org.xfce.Xfconf,
+
 @{exec_path} mr,
- /etc/xdg/xfce4/xfconf/** r,
+ /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r,
 owner @{HOME}/ r,
diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop
index d19e3de63..ed7d18ddc 100644
--- a/apparmor.d/groups/xfce/xfdesktop
+++ b/apparmor.d/groups/xfce/xfdesktop
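Review bot: `signal (send),` in the `@@ -16,6 +19,10 @@` hunk carries neither `set=` nor `peer=`, so the xfce-terminal profile is permitted to send any signal to any peer, the broadest form the rule admits, while every other signal rule in this series names both (`signal (send) set=(term) peer=xfce-session,` in lightdm, `signal send set=(term, kill) peer=fzsftp,` in filezilla). A terminal normally only needs to signal what it spawns, so start from `signal (send) set=(hup, term, kill),` and add the `peer=` once the audit log shows which labels are involved, or leave a trailing comment on the rule stating why the unrestricted form is needed. Treat that signal set as a starting point to be checked against the log, not a measured one. The profile body continues outside the hunk.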
@@ -9,15 +9,25 @@ include
 @{exec_path} = @{bin}/xfdesktop
 profile xfdesktop @{exec_path} {
 include
+ include
+ include
+ include
+ include
 include
 include
 include
 include
+ dbus (bind) bus=session name=org.xfce.xfdesktop,
+
 @{exec_path} mr,
 @{bin}/xfce4-mime-helper rix,
+ /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r,
+ /etc/xdg/menus/{,*.menu} r,
+ /usr/share/xfce4/helpers/{,*.desktop} r,
+ /usr/share/desktop-directories/{,*.directory} r,
 /usr/share/backgrounds/xfce/{,**} r,
 /etc/fstab r,
diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd
index 3eec3377f..b2f783390 100644
--- a/apparmor.d/groups/xfce/xfsettingsd
+++ b/apparmor.d/groups/xfce/xfsettingsd
@@ -10,8 +10,14 @@ include
 profile xfsettingsd @{exec_path} {
 include
 include
+ include
+ include
+ include
+ include
 include
+ dbus (bind) bus=session name=org.xfce.SettingsDaemon,
+
 @{exec_path} mr,
 /etc/xdg/autostart/xfsettingsd.desktop r,
diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm
index d7af2ccb9..7ecd2c8fe 100644
--- a/apparmor.d/groups/xfce/xfwm
+++ b/apparmor.d/groups/xfce/xfwm
@@ -9,6 +9,8 @@ include
 @{exec_path} = @{bin}/xfwm4
 profile xfwm @{exec_path} {
 include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 08a553c1d..7a2b4530f 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -11,6 +11,7 @@ include
 profile blueman @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
@@ -61,6 +62,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 /dev/shm/ r,
 /dev/tty rw,
+ deny @{lib}/python3/dist-packages/blueman/__pycache__/** w,
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism
index aae5d53cd..bb6c6cdf7 100644
--- a/apparmor.d/profiles-a-f/blueman-mechanism
+++ b/apparmor.d/profiles-a-f/blueman-mechanism
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism
 profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla
index be734ed50..4463ac581 100644
--- a/apparmor.d/profiles-a-f/filezilla
+++ b/apparmor.d/profiles-a-f/filezilla
@@ -29,6 +29,7 @@ profile filezilla @{exec_path} {
 network netlink raw,
 signal send set=(term, kill) peer=fzsftp,
+ signal send set=(term, kill) peer=fzputtygen,
 @{exec_path} mr,
@@ -36,6 +37,7 @@ profile filezilla @{exec_path} {
 @{bin}/uname rix,
 @{bin}/fzsftp rPx, # When using SFTP protocol
+ @{bin}/fzputtygen rPUx,
 @{bin}/lsb_release rPx -> lsb_release,
 /usr/share/filezilla/{,**} r,
diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth
index 03c8650dd..d46374984 100644
--- a/apparmor.d/profiles-g-l/iceauth
+++ b/apparmor.d/profiles-g-l/iceauth
@@ -16,7 +16,7 @@ profile iceauth @{exec_path} {
 owner @{tmp}/.xfsm-ICE-@{rand6} r,
 owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r,
- owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n,
+ owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n,
 owner @{run}/user/@{uid}/ICEauthority-c w,
 owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c,
 owner @{run}/user/@{uid}/ICEauthority-n rw,
diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch
index c5c4aa276..04abb7e0c 100644
--- a/apparmor.d/profiles-g-l/im-launch
+++ b/apparmor.d/profiles-g-l/im-launch
@@ -22,6 +22,7 @@ profile im-launch @{exec_path} {
 @{bin}/sed rix,
 @{bin}/sleep rix,
 @{bin}/startplasma-x11 rPx,
+ @{bin}/startxfce4 rPx,
 @{bin}/true rix,
 @{bin}/uim-toolbar-gtk3 rPUx,
 @{bin}/uim-xim rPUx,
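Review bot: `@{bin}/fzputtygen rPUx,` and `signal send set=(term, kill) peer=fzputtygen,` in the filezilla hunks do not agree: the `U` fallback runs fzputtygen unconfined whenever no `fzputtygen` profile is loaded, and an unconfined process does not carry the `fzputtygen` label, so the new signal rule matches nothing in exactly the case the fallback exists for. Either ship an `fzputtygen` profile alongside this (the next commit in the series adds new profiles, so the mechanism is at hand) and use `rPx` like the `@{bin}/fzsftp rPx,` line above it, or say so in a trailing comment: `@{bin}/fzputtygen rPUx, # no profile yet; the peer=fzputtygen signal rule only applies once one exists`. If I read the name right, fzputtygen is the key-conversion helper, which is one more reason to confine it rather than leave it unconfined.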
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 03dfe9749..11773c911 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -11,6 +11,7 @@ include
 profile libreoffice @{exec_path} {
 include
 include
+ include
 include
 include
 include
@@ -67,11 +68,14 @@ profile libreoffice @{exec_path} {
 /usr/share/mythes/{,**} r,
 /usr/share/thumbnailers/{,**} r,
- /etc/java{,@{version}}-openjdk/{,**} r,
+ /etc/java{,-}{,@{version}}-openjdk/{,**} r,
 /etc/libreoffice/{,**} r,
 /etc/paperspecs r,
+ /etc/papersize r,
 /etc/xdg/* r,
+ owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w,
+
 owner @{user_cache_dirs}/libreoffice/{,**} rw,
 owner @{user_config_dirs}/libreoffice/ rw,
 owner @{user_config_dirs}/libreoffice/** rwk,
@@ -90,7 +94,7 @@ profile libreoffice @{exec_path} {
 owner @{tmp}/*.tmp/{,**} rwk,
 owner @{tmp}/hsperfdata_@{user}/ rw,
 owner @{tmp}/hsperfdata_@{user}/@{int} rwk,
- owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w,
+ owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex32} rw,
 owner @{run}/user/@{uid}/#@{int} rw,
@@ -99,6 +103,7 @@ profile libreoffice @{exec_path} {
 @{sys}/kernel/mm/hugepages/ r,
 @{sys}/kernel/mm/transparent_hugepage/enabled r,
 @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 6585f6382..00fdc5cf0 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -43,6 +43,7 @@ profile mkinitramfs @{exec_path} {
 @{bin}/mkdir rix,
 @{bin}/mktemp rix,
 @{bin}/readlink rix,
+ @{bin}/realpath rix,
 @{bin}/rm rix,
 @{bin}/rmdir rix,
 @{bin}/sed rix,
diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs
index 190db34da..6000f6334 100644
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/profiles-m-r/mount-cifs
@@ -10,10 +10,12 @@ include
 @{exec_path} = @{bin}/mount.cifs
 profile mount-cifs @{exec_path} flags=(complain) {
 include
+ include
 include
 capability sys_admin,
 capability setpcap,
+ capability dac_read_search,
 network inet dgram,
 network inet stream,
diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo
index e3edb99c3..c7c9160d7 100644
--- a/apparmor.d/profiles-m-r/nemo
+++ b/apparmor.d/profiles-m-r/nemo
@@ -21,7 +21,12 @@ profile nemo @{exec_path} {
 @{exec_path} mr,
+ @{open_path} rPx -> child-open,
+
+ @{bin}/gdk-pixbuf-thumbnailer rPx,
+
 /usr/share/nemo/** r,
+ /usr/share/thumbnailers/{,*.thumbnailer} r,
 # Full access to user's data
 / r,
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index f59880046..44b18cf42 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@@ -22,6 +22,7 @@ profile remmina @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -29,6 +30,8 @@ profile remmina @{exec_path} {
 network inet stream,
 network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
 network netlink raw,
 #aa:dbus own bus=session name=org.remmina.Remmina
@@ -58,6 +61,9 @@ profile remmina @{exec_path} {
 owner @{run}/user/@{uid}/keyring/ssh rw,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index c20b305e1..dca0fbe63 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
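Review bot: `capability dac_read_search,` in the mount-cifs hunk is added without a comment, and the profile is in `flags=(complain)`, so the capability was presumably lifted from an audit log; a trailing note naming the access that needed it, `capability dac_read_search, # [triggering access here]`, would keep it from settling in as an unexplained bypass of directory-read permission checks by the time the profile is moved to enforce. The profile body continues outside the hunk.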
@@ -247,6 +247,8 @@ profile run-parts @{exec_path} {
 @{run}/reboot-required w,
 @{run}/reboot-required.pkgs rw,
+ @{sys}/module/compression r,
+
 @{PROC}/devices r,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 02a212150..8d717274d 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -27,6 +27,8 @@ profile su @{exec_path} {
 @{bin}/nologin rPx,
 @{etc_ro}/default/su r,
+ /etc/default/locale r,
+ /etc/environment r,
 @{HOME}/.xauth@{rand6} rw,
diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet
index 0197e3c3b..99cdbc996 100644
--- a/apparmor.d/profiles-s-z/system-config-printer-applet
+++ b/apparmor.d/profiles-s-z/system-config-printer-applet
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py
 profile system-config-printer-applet @{exec_path} {
 include
+ include
 include
 include
@@ -29,6 +30,8 @@ profile system-config-printer-applet @{exec_path} {
 /dev/tty rw,
+ deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver
index 003770008..1e0d75fd0 100644
--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
@@ -55,6 +55,7 @@ profile xarchiver @{exec_path} {
 /home/ r,
 #owner @{HOME}/ r,
 #owner @{HOME}/** rw,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl,
 @{MOUNTS}/ r,
 @{MOUNTS}/** rw,
 /tmp/ r,
From c04ee92d26ff0846da2e6d7332cb0135eb3bb374 Mon Sep 17 00:00:00 2001
From: nobody43
Date: Wed, 22 Jan 2025 23:06:56 +0000
Subject: [PATCH 2/6] xfce, new profiles
---
.../groups/display-manager/lightdm-session | 23 ++++++++++
.../groups/freedesktop/pkla-admin-identities | 20 +++++++++
.../profiles-g-l/gdk-pixbuf-thumbnailer | 15 +++++++
apparmor.d/profiles-s-z/ucf | 45 +++++++++++++++++++
4 files changed, 103 insertions(+)
create mode 100644 apparmor.d/groups/display-manager/lightdm-session
create mode 100644 apparmor.d/groups/freedesktop/pkla-admin-identities
create mode 100644 apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
create mode 100644 apparmor.d/profiles-s-z/ucf
diff --git a/apparmor.d/groups/display-manager/lightdm-session b/apparmor.d/groups/display-manager/lightdm-session
new file mode 100644
index 000000000..fda263a8a
--- /dev/null
+++ b/apparmor.d/groups/display-manager/lightdm-session
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lightdm-session
+profile lightdm-session @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/im-launch rPx,
+
+ @{sh_path} rix,
+ @{bin}/mktemp rix,
+ @{bin}/expr rix,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities
new file mode 100644
index 000000000..0fa176db5
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/pkla-admin-identities
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pkla-admin-identities
+profile pkla-admin-identities @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/polkit-1/localauthority.conf.d/{,**} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
new file mode 100644
index 000000000..99ffb6dad
--- /dev/null
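Review bot: The new lightdm-session profile grants `@{bin}/mktemp rix,` but has no file rule for whatever mktemp creates, and no read rules for the session files the script presumably drives; with the flags commit later in this series placing it in `complain`, these gaps surface as audit entries rather than denials. A header comment saying the profile is a first cut from an audit log, and on which distribution it was captured, would tell the next maintainer how far to trust it. I am inferring the script's purpose from its name; the rules themselves show only the shell, mktemp, expr and the `@{bin}/im-launch rPx,` transition.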
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gdk-pixbuf-thumbnailer
+profile gdk-pixbuf-thumbnailer @{exec_path} {
+ include
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf
new file mode 100644
index 000000000..52d65e0c5
--- /dev/null
+++ b/apparmor.d/profiles-s-z/ucf
@@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ucf
+profile ucf @{bin}/ucf {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/dpkg-query rPx,
+ @{bin}/dpkg-divert rPx -> child-dpkg-divert,
+ /usr/share/debconf/frontend rPx,
+
+ @{sh_path} rix,
+ @{bin}/perl rix,
+ @{bin}/basename rix,
+ @{bin}/dirname rix,
+ @{bin}/getopt rix,
+ @{bin}/id rix,
+ @{bin}/readlink rix,
+ @{bin}/sed rix,
+ @{bin}/tr rix,
+ @{bin}/{,e,f}grep rix,
+ @{bin}/{,g,m}awk rix,
+ @{bin}/md5sum rix,
+ @{bin}/cp rix,
+
+ /etc/ucf.conf r,
+ /etc/libreoffice/registry/** r,
+
+ /var/lib/ucf/hashfile r,
+
+ /usr/share/debconf/confmodule r,
+
+ owner /tmp/tmp.@{rand10} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From bb3bbb492b7fd83af869daa047b1b1a30d9f87c7 Mon Sep 17 00:00:00 2001
From: nobody43
Date: Wed, 22 Jan 2025 23:10:29 +0000
Subject: [PATCH 3/6] xfce, proper abi
---
apparmor.d/groups/freedesktop/pkla-admin-identities | 2 +-
apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer | 2 +-
apparmor.d/profiles-s-z/ucf | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities
index 0fa176db5..973de2be3 100644
--- a/apparmor.d/groups/freedesktop/pkla-admin-identities
+++ b/apparmor.d/groups/freedesktop/pkla-admin-identities
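Review bot: The new gdk-pixbuf-thumbnailer profile has no `@{exec_path} mr,` rule, unlike the other three profiles added in this commit, which each place it right after their include block, and otherwise holds a single include, so every real access this binary makes is left to the `complain` flag the next commit assigns it. A thumbnailer decodes untrusted image files handed to it by tumblerd and nemo (`@{bin}/gdk-pixbuf-thumbnailer rPx,` in both), which is exactly the kind of process worth confining early instead of running on a placeholder; at minimum add `@{exec_path} mr,` so the skeleton matches its siblings, and mark the file as a stub in a header comment until real rules land. The include's target was lost in rendering, so I cannot tell which abstraction it pulls in.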
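Review bot: `profile ucf @{bin}/ucf {` spells out the attachment path although `@{exec_path} = @{bin}/ucf` is defined on the line above and already used in `@{exec_path} mr,`; the other profiles added in this commit write `profile NAME @{exec_path} {`, so this should read `profile ucf @{exec_path} {` to keep header and variable in step. `/etc/libreoffice/registry/** r,` is a package-specific path inside a profile for a generic conffile tool, which suggests the rule set was captured from a single upgrade; a trailing comment such as `/etc/libreoffice/registry/** r, # seen during a libreoffice upgrade; not an exhaustive list` would stop it from reading as the complete set. I also do not see a write rule for the file ucf installs, which fits the profile starting in complain mode but is worth stating in a header comment.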
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
index 99ffb6dad..1fd7d9e12 100644
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf
index 52d65e0c5..5f810269a 100644
--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
From e749145544a52b99d6dedf34610bfea583749778 Mon Sep 17 00:00:00 2001
From: nobody43
Date: Wed, 22 Jan 2025 23:10:50 +0000
Subject: [PATCH 4/6] xfce, flags
---
 dists/flags/main.flags | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 6a1a1b6a7..27cb94d22 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -113,6 +113,7 @@ flatpak-validate-icon complain
 fstrim complain
 fuse-overlayfs complain
 fusermount complain
+gdk-pixbuf-thumbnailer complain
 gdm-generate-config complain
 gdm-runtime-config complain
 gdm-session attach_disconnected,complain
@@ -217,6 +218,7 @@ libreoffice complain
 libvirt-dbus complain
 libvirtd attach_disconnected,complain
 lightdm attach_disconnected,complain
+lightdm-session complain
 locale-gen complain
 localectl complain
 login attach_disconnected,complain
@@ -251,6 +253,7 @@ pam-tmpdir-helper complain
 passimd attach_disconnected,complain
 pidof complain
 pkttyagent complain
+pkla-admin-identities complain
 plank complain
 plasma_waitforname complain
 plasma-browser-integration-host complain
@@ -348,6 +351,7 @@ systemsettings complain
 telegram-desktop complain
 totem attach_disconnected,complain
 tracker-writeback complain
+ucf complain
 udev-dmi-memory-id complain
 udisksctl complain
 udisksd attach_disconnected,complain
From 39b38b9ee50c021eadf93dc3162d8d2d05e91752 Mon Sep 17 00:00:00 2001
From: nobody43
Date: Thu, 23 Jan 2025 00:13:29 +0000
Subject: [PATCH 5/6] Adapt to RO root
---
 apparmor.d/groups/network/NetworkManager | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 39c68fda9..cb2e1c9c7 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -105,11 +105,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 /etc/ r,
 /etc/iproute2/* r,
 /etc/machine-id r,
- /etc/netplan/90-NM-@{uuid}.yaml w,
 /etc/network/interfaces r,
 /etc/network/interfaces.d/{,*} r,
 /etc/NetworkManager/{,**} r,
 /etc/NetworkManager/system-connections/{,**} w,
+ @{etc_rw}/netplan/90-NM-@{uuid}.yaml w,
 @{etc_rw}/resolv.conf rw,
 @{etc_rw}/resolv.conf.[0-9A-Z]* rw,
From 45f5689d6aa62d1fc3a12f3e49587023c6709b06 Mon Sep 17 00:00:00 2001
From: nobody43
Date: Fri, 24 Jan 2025 21:48:31 +0000
Subject: [PATCH 6/6] xfce, fixes
---
 apparmor.d/groups/display-manager/lightdm | 4 ++--
 apparmor.d/groups/gvfs/gvfsd-computer | 2 +-
 apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +-
 apparmor.d/groups/xfce/thunar | 6 +++---
 apparmor.d/groups/xfce/tumblerd | 9 +++------
 apparmor.d/groups/xfce/xfce-clipman-settings | 2 +-
 apparmor.d/groups/xfce/xfce-notifyd | 4 ++--
 apparmor.d/groups/xfce/xfce-panel | 4 ++--
 apparmor.d/groups/xfce/xfce-power-manager | 4 ++--
 apparmor.d/groups/xfce/xfce-screensaver | 2 +-
 apparmor.d/groups/xfce/xfce-session | 2 +-
 apparmor.d/groups/xfce/xfce-terminal | 4 ++--
 apparmor.d/groups/xfce/xfconfd | 2 +-
 apparmor.d/groups/xfce/xfdesktop | 3 +--
 apparmor.d/groups/xfce/xfsettingsd | 2 +-
 apparmor.d/profiles-a-f/blueman | 1 -
 apparmor.d/profiles-s-z/system-config-printer-applet | 2 --
 apparmor.d/profiles-s-z/xarchiver | 1 -
 18 files changed, 24 insertions(+), 32 deletions(-)
diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm
index a70779fc4..67b789906 100644
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@@ -37,9 +37,9 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term) peer=xfce-session,
 signal (send) set=(term) peer=xorg,
- unix (bind) type=stream addr="@@{hex}/bus/lightdm/system",
+ unix (bind) type=stream addr="@@{udbus}/bus/lightdm/system",
- dbus (bind) bus=system name=org.freedesktop.DisplayManager,
+ #aa:dbus own bus=system name=org.freedesktop.DisplayManager
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer
index f72fc17c7..0a520d138 100644
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
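Review bot: Replacing `dbus (bind) bus=system name=org.freedesktop.DisplayManager,` with `#aa:dbus own bus=system name=org.freedesktop.DisplayManager` is not a like-for-like change: as far as I can tell the `own` directive is expanded by the repository's prebuild step into a bind rule plus receive rules on the name's object path and the send rules used to request the name, so the profile gains permissions the old line did not grant, and until that expansion runs the line is an ordinary comment to the apparmor parser and the bind permission is gone. The same replacement is made in the gvfsd-computer, gvfsd-wsdd, thunar, tumblerd, xfce-clipman-settings, xfce-notifyd, xfce-panel, xfce-power-manager, xfce-screensaver, xfce-session, xfce-terminal, xfconfd, xfdesktop and xfsettingsd hunks. Please confirm the wider receive rules are wanted for each service — for a system-bus name like the display manager's, which peers may call it is the security-relevant part — and that the shipped profiles are always generated rather than installed verbatim from this tree. The `@@{udbus}` socket address on the line above is fine provided `@{udbus}` is defined in the tunables shipped alongside these profiles; that definition is not visible here.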
@@ -12,7 +12,7 @@ profile gvfsd-computer @{exec_path} {
 include
 include
- dbus (bind) bus=session name=org.gtk.vfs.mountpoint_@{int},
+ #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd
index 1b0dc2cc2..b88d36b18 100644
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@@ -13,7 +13,7 @@ profile gvfsd-wsdd @{exec_path} {
 network netlink raw,
- dbus (bind) bus=session name=org.gtk.vfs.mountpoint_wsdd,
+ #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index 629fc2b4b..77379c54f 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -19,9 +19,9 @@ profile thunar @{exec_path} {
 network netlink raw,
- dbus (bind) bus=session name=org.xfce.Thunar,
- dbus (bind) bus=session name=org.xfce.FileManager,
- dbus (bind) bus=session name=org.freedesktop.FileManager1,
+ #aa:dbus own bus=session name=org.xfce.Thunar
+ #aa:dbus own bus=session name=org.xfce.FileManager
+ #aa:dbus own bus=session name=org.freedesktop.FileManager1
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd
index db90af4c5..d47be7e98 100644
--- a/apparmor.d/groups/xfce/tumblerd
+++ b/apparmor.d/groups/xfce/tumblerd
@@ -12,16 +12,13 @@ profile tumblerd @{exec_path} {
 include
 include
 include
- include
- include
- include
 include
 include
 include
- dbus (bind) bus=session name=org.freedesktop.thumbnails.Cache1,
- dbus (bind) bus=session name=org.freedesktop.thumbnails.Manager1,
- dbus (bind) bus=session name=org.freedesktop.thumbnails.Thumbnailer1,
+ #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1
+ #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1
+ #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings
index 2c777a0a1..9e74d8046 100644
--- a/apparmor.d/groups/xfce/xfce-clipman-settings
+++ b/apparmor.d/groups/xfce/xfce-clipman-settings
@@ -13,7 +13,7 @@ profile xfce-clipman-settings @{exec_path} {
 include
 include
- dbus (bind) bus=session name=org.xfce.clipman.settings,
+ #aa:dbus own bus=session name=org.xfce.clipman.settings
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd
index d8ef2a9e0..c594b8ed3 100644
--- a/apparmor.d/groups/xfce/xfce-notifyd
+++ b/apparmor.d/groups/xfce/xfce-notifyd
@@ -24,8 +24,8 @@ profile xfce-notifyd @{exec_path} {
 network inet6 stream,
 network netlink raw,
- dbus (bind) bus=session name=org.xfce.Notifyd,
- dbus (bind) bus=session name=org.freedesktop.Notifications,
+ #aa:dbus own bus=session name=org.xfce.Notifyd
+ #aa:dbus own bus=session name=org.freedesktop.Notifications
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel
index d2a9cdbf6..b04ed2eb9 100644
--- a/apparmor.d/groups/xfce/xfce-panel
+++ b/apparmor.d/groups/xfce/xfce-panel
@@ -22,8 +22,8 @@ profile xfce-panel @{exec_path} {
 ptrace (read) peer=xfce-terminal,
- dbus (bind) bus=session name=org.xfce.Panel,
- dbus (bind) bus=session name=org.kde.StatusNotifierWatcher,
+ #aa:dbus own bus=session name=org.xfce.Panel
+ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager
index 4f3199a9e..91be9eede 100644
--- a/apparmor.d/groups/xfce/xfce-power-manager
+++ b/apparmor.d/groups/xfce/xfce-power-manager
@@ -16,8 +16,8 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) {
 include
 include
- dbus (bind) bus=session name=org.xfce.PowerManager,
- dbus (bind) bus=session name=org.freedesktop.PowerManagement,
+ #aa:dbus own bus=session name=org.xfce.PowerManager
+ #aa:dbus own bus=session name=org.freedesktop.PowerManagement
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver
index 911cc1b9f..2c0f13bc1 100644
--- a/apparmor.d/groups/xfce/xfce-screensaver
+++ b/apparmor.d/groups/xfce/xfce-screensaver
@@ -16,7 +16,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) {
 include
 include
- dbus (bind) bus=session name=org.xfce.ScreenSaver,
+ #aa:dbus own bus=session name=org.xfce.ScreenSaver
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index 6db8277d7..beddcce1f 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -20,7 +20,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term) peer=lightdm,
- dbus (bind) bus=session name=org.xfce.SessionManager,
+ #aa:dbus own bus=session name=org.xfce.SessionManager
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index 46a17ca7f..5250814de 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
@@ -21,7 +21,7 @@ profile xfce-terminal @{exec_path} {
 signal (send),
- dbus (bind) bus=session name=org.xfce.Terminal5,
+ #aa:dbus own bus=session name=org.xfce.Terminal5
 @{exec_path} mr,
@@ -35,7 +35,7 @@ profile xfce-terminal @{exec_path} {
 @{bin}/micro rPUx,
 @{bin}/nvtop rPx,
- @{bin}/vim{,.basic} rPUx,
+ @{editor_path} rPUx,
 /usr/share/ r,
 /usr/share/desktop-base/profiles/xdg-config/ r,
diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd
index de82191a7..9cd273544 100644
--- a/apparmor.d/groups/xfce/xfconfd
+++ b/apparmor.d/groups/xfce/xfconfd
@@ -13,7 +13,7 @@ profile xfconfd @{exec_path} {
 include
 include
- dbus (bind) bus=session name=org.xfce.Xfconf,
+ #aa:dbus own bus=session name=org.xfce.Xfconf
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop
index ed7d18ddc..05705332d 100644
--- a/apparmor.d/groups/xfce/xfdesktop
+++ b/apparmor.d/groups/xfce/xfdesktop
@@ -9,7 +9,6 @@ include
 @{exec_path} = @{bin}/xfdesktop
 profile xfdesktop @{exec_path} {
 include
- include
 include
 include
 include
@@ -18,7 +17,7 @@ profile xfdesktop @{exec_path} {
 include
 include
- dbus (bind) bus=session name=org.xfce.xfdesktop,
+ #aa:dbus own bus=session name=org.xfce.xfdesktop
 @{exec_path} mr,
diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd
index b2f783390..22db3f80d 100644
--- a/apparmor.d/groups/xfce/xfsettingsd
+++ b/apparmor.d/groups/xfce/xfsettingsd
@@ -16,7 +16,7 @@ profile xfsettingsd @{exec_path} {
 include
 include
- dbus (bind) bus=session name=org.xfce.SettingsDaemon,
+ #aa:dbus own bus=session name=org.xfce.SettingsDaemon
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 7a2b4530f..469fb24a0 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -62,7 +62,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 /dev/shm/ r,
 /dev/tty rw,
- deny @{lib}/python3/dist-packages/blueman/__pycache__/** w,
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet
index 99cdbc996..6424ebcc4 100644
--- a/apparmor.d/profiles-s-z/system-config-printer-applet
+++ b/apparmor.d/profiles-s-z/system-config-printer-applet
@@ -30,8 +30,6 @@ profile system-config-printer-applet @{exec_path} {
 /dev/tty rw,
- deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver
index 1e0d75fd0..003770008 100644
--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
@@ -55,7 +55,6 @@ profile xarchiver @{exec_path} {
 /home/ r,
 #owner @{HOME}/ r,
 #owner @{HOME}/** rw,
- owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl,
 @{MOUNTS}/ r,
 @{MOUNTS}/** rw,
 /tmp/ r,